Security Vulnerabilities - CVEs Published In January 2025
A vulnerability classified as critical was found in code-projects Online Book Shop 1.0. Affected by this vulnerability is an unknown functionality of the file /subcat.php. The manipulation of the argument cat leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-01-07
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hashthemes Hash Elements hash-elements.This issue affects Hash Elements: from n/a through <= 1.5.0.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-01-07
A vulnerability classified as critical has been found in code-projects Online Book Shop 1.0. Affected is an unknown function of the file /search_result.php. The manipulation of the argument s leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-01-07
Various module chromes didn't properly process inputs, leading to XSS vectors.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-01-07
Lack of output escaping in the id attribute of menu lists.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-01-07
Improper Access Controls allows access to protected views.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-01-07
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in M Bilal M Urdu Formatter – Shamil urdu-formatter-shamil allows Stored XSS.This issue affects Urdu Formatter – Shamil: from n/a through <= 0.1.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-01-07
A vulnerability was found in code-projects Online Book Shop 1.0. It has been rated as critical. This issue affects some unknown processing of the file /process_login.php. The manipulation of the argument usernm leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-01-07
ClipBucket V5 provides open source video hosting with PHP. During the user avatar upload workflow, a user can choose to upload and change their avatar at any time. During deletion, ClipBucket checks for the avatar_url as a filepath within the avatars subdirectory. If the URL path exists within the avatars directory, ClipBucket will delete it. There is no check for path traversal sequences in the provided user input (stored in the DB as avatar_url) therefore the final $file variable could be tainted with path traversal sequences. This leads to file deletion outside of the intended scope of the avatars folder. This vulnerability is fixed in 5.5.1 - 237.
CVSS Score
7.5
EPSS Score
0.013
Published
2025-01-07
ClipBucket V5 provides open source video hosting with PHP. Prior to 5.5.1 - 238, ClipBucket V5 allows unauthenticated attackers to change the template directory via a directory traversal, which results in a denial of service.
CVSS Score
7.5
EPSS Score
0.014
Published
2025-01-07