Security Vulnerabilities - CVEs Published In January 2025
A SQL Injection vulnerability exists in the login form of Online Food Ordering System v1.0. The vulnerability arises because the input fields username and password are not properly sanitized, allowing attackers to inject malicious SQL queries to bypass authentication and gain unauthorized access.
CVSS Score
9.8
EPSS Score
0.002
Published
2025-01-23
gpac 2.4 contains a heap-buffer-overflow at isomedia/sample_descs.c:1799 in gf_isom_new_mpha_description in gpac/MP4Box.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-01-23
gpac 2.4 contains a SEGV at src/isomedia/drm_sample.c:1562:96 in isom_cenc_get_sai_by_saiz_saio in MP4Box.
CVSS Score
5.5
EPSS Score
0.0
Published
2025-01-23
KWHotel 0.47 is vulnerable to CSV Formula Injection in the add guest function.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-01-23
KWHotel 0.47 is vulnerable to CSV Formula Injection in the invoice adding function.
CVSS Score
9.8
EPSS Score
0.002
Published
2025-01-23
Fedora Repository 3.8.1 allows path traversal when extracting uploaded archives ("Zip Slip"). A remote, authenticated attacker can upload a specially crafted archive that will extract an arbitrary JSP file to a location that can be executed by an unauthenticated GET request. Fedora Repository 3.8.1 was released on 2015-06-11 and is no longer maintained. Migrate to a currently supported version (6.5.1 as of 2025-01-23).
CVSS Score
8.8
EPSS Score
0.007
Published
2025-01-23
Fedora Repository 3.8.x includes a service account (fedoraIntCallUser) with default credentials and privileges to read read local files by manipulating datastreams. Fedora Repository 3.8.1 was released on 2015-06-11 and is no longer maintained. Migrate to a currently supported version (6.5.1 as of 2025-01-23).
CVSS Score
7.5
EPSS Score
0.002
Published
2025-01-23
IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.11 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Score
6.4
EPSS Score
0.001
Published
2025-01-23
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.2.0, when sharing an item, a typical user can specify an arbitrary role. It allows the user to use a higher-privileged role to see fields that otherwise the user should not be able to see. Instances that are impacted are those that use the share feature and have specific roles hierarchy and fields that are not visible for certain roles. Version 11.2.0 contains a patch the issue.
CVSS Score
5.0
EPSS Score
0.002
Published
2025-01-23
A mail spoofing vulnerability in Xerox Workplace Suite allows attackers to forge email headers, making it appear as though messages are sent from trusted sources.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-01-23