Security Vulnerabilities - CVEs Published In January 2025
In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool
CVSS Score
4.3
EPSS Score
0.0
Published
2025-01-21
In JetBrains TeamCity before 2024.12.1 decryption of connection secrets without proper permissions was possible via Test Connection endpoint
CVSS Score
6.5
EPSS Score
0.0
Published
2025-01-21
WeGIA is a Web manager for charitable institutions. An Open Redirect vulnerability was identified in the `control.php` endpoint of versions up to and including 3.2.10 of the WeGIA application. The vulnerability allows the `nextPage` parameter to be manipulated, redirecting authenticated users to arbitrary external URLs without validation. The issue stems from the lack of validation for the `nextPage` parameter, which accepts external URLs as redirection destinations. This vulnerability can be exploited to perform phishing attacks or redirect users to malicious websites. Version 3.2.11 contains a fix for the issue.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-01-21
In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping
CVSS Score
6.7
EPSS Score
0.0
Published
2025-01-21
In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs
CVSS Score
5.5
EPSS Score
0.0
Published
2025-01-21
In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration
CVSS Score
7.1
EPSS Score
0.0
Published
2025-01-21
In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page
CVSS Score
4.6
EPSS Score
0.073
Published
2025-01-21
YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for any authenticated user, through the use of the filemanager to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host without any limitation on the filesystem's scope. This vulnerability allows any authenticated user to arbitrarily remove content from the Wiki resulting in partial loss of data and defacement/deterioration of the website. In the context of a container installation of YesWiki without any modification, the `yeswiki` files (for example .php) are not owned by the same user (root) as the one running the FPM process (www-data). However in a standard installation, www-data may also be the owner of the PHP files, allowing a malicious user to completely cut the access to the wiki by deleting all important PHP files (like index.php or core files of YesWiki). Version 4.5.0 contains a patch for this issue.
CVSS Score
7.1
EPSS Score
0.004
Published
2025-01-21
A Cross-Site Request Forgery (CSRF) vulnerability has been found in SpagoBI v3.5.1 in the user administration panel. An authenticated user can lead another user into executing unwanted actions inside the application they are logged in, like adding, editing or deleting users.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-01-21
The script input feature of SpagoBI 3.5.1 allows arbitrary code execution.
CVSS Score
9.1
EPSS Score
0.004
Published
2025-01-21