Security Vulnerabilities - CVEs Published In February 2025
A vulnerability classified as critical was found in hzmanyun Education and Training System 3.1.1. This vulnerability affects the function saveImage. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score: 6.9 | EPSS Score: 0.0 | Published: 2025-02-21
Totolink X5000R V9.1.0u.6369_B20230113 is vulnerable to command injection via the vif_disable function in mtkwifi.lua.
CVSS Score: 6.5 | EPSS Score: 0.017 | Published: 2025-02-21
Totolink X5000R V9.1.0u.6369_B20230113 is vulnerable to command injection via the apcli_wps_gen_pincode function in mtkwifi.lua.
CVSS Score: 6.5 | EPSS Score: 0.017 | Published: 2025-02-21
A vertical privilege escalation vulnerability in the component /controller/UserController.java of MRCMS v3.1.2 allows attackers to arbitrarily delete users via a crafted request.
CVSS Score: 4.8 | EPSS Score: 0.001 | Published: 2025-02-21
MRCMS v3.1.2 was discovered to contain a server-side template injection (SSTI) vulnerability in the component \servlet\DispatcherServlet.java. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
CVSS Score: 5.4 | EPSS Score: 0.0 | Published: 2025-02-21
Wangmarket v4.10 to v5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /controller/UserController.java.
CVSS Score: 8.0 | EPSS Score: 0.001 | Published: 2025-02-21
Wangmarket v4.10 to v5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /agency/AgencyUserController.java.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2025-02-21
A Cross-Site Request Forgery (CSRF) in the component /back/UserController.java of Jspxcms v9.0 to v9.5 allows attackers to arbitrarily add Administrator accounts via a crafted request.
CVSS Score: 5.1 | EPSS Score: 0.0 | Published: 2025-02-21
SQL injection vulnerability in PbootCMS 1.4.1 in the parsing of if statements in templates. A malicious user can contaminate template content by searching for page contamination URLs, thus triggering vulnerabilities when the program uses eval statements to parse templates.
CVSS Score: 5.1 | EPSS Score: 0.0 | Published: 2025-02-21
A vulnerability was found in ITSourcecode Simple ChatBox up to 1.0. This vulnerability affects unknown code of the file /delete.php. The attack can use SQL injection to obtain sensitive data.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2025-02-21

