Security Vulnerabilities - CVEs Published In January 2025
An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent.
CVSS Score: 4.7 | EPSS Score: 0.0 | Published: 2025-01-10
An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of a survey. When a user receives the survey and clicks on the field name, the XSS payload is triggered.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2025-01-10
MonicaHQ v4.1.1 was discovered to contain an authenticated Client-Side Injection vulnerability via the entry text field at /journal/entries/ID/edit.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2025-01-10
MonicaHQ v4.1.2 was discovered to contain an authenticated Client-Side Injection vulnerability via the Reason parameter at /people/h:[id]/debts/create.
CVSS Score: 5.4 | EPSS Score: 0.0 | Published: 2025-01-10
MonicaHQ v4.1.2 was discovered to contain multiple Client-Side Injection vulnerabilities via the first_name and last_name parameters in the Add a new relationship feature.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2025-01-10
MonicaHQ v4.1.2 was discovered to contain multiple authenticated Client-Side Injection vulnerabilities via the title and description parameters at /people/ID/reminders/create.
CVSS Score: 8.8 | EPSS Score: 0.001 | Published: 2025-01-10
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the campaign Name (Internal Name) field in the Add new campaign function.
CVSS Score: 4.7 | EPSS Score: 0.004 | Published: 2025-01-10
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the create new backup function in the endpoint /admin/module/view?type=admin__backup.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2025-01-10
Cross Site Scripting vulnerability in Microweber v.2.0.9 allows a remote attacker to execute arbitrary code via the First Name and Last Name parameters in the endpoint /admin/module/view?type=users.
CVSS Score: 4.7 | EPSS Score: 0.004 | Published: 2025-01-10
Linksys E7350 1.1.00.032 was discovered to contain a command injection vulnerability via the ifname parameter in the apcli_wps_gen_pincode function.
CVSS Score: 9.8 | EPSS Score: 0.054 | Published: 2025-01-10

