Security Vulnerabilities - CVEs Published In February 2025
An information disclosure vulnerability exists in the Vault API functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP requests to trigger this vulnerability.
CVSS Score: 7.7
EPSS Score: 0.0
Published: 2025-02-06
A cross-site scripting (XSS) vulnerability exists in the dataset upload functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to arbitrary HTML code. An attacker can send a series of HTTP requests to trigger this vulnerability.
CVSS Score: 9.0
EPSS Score: 0.001
Published: 2025-02-06
Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.
CVSS Score: 4.8
EPSS Score: 0.001
Published: 2025-02-06
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
CVSS Score: 9.8
EPSS Score: 0.004
Published: 2025-02-06
CVE-2025-0994
Known exploited
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
CVSS Score: 8.8
EPSS Score: 0.759
Published: 2025-02-06
The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL for the H2 database. This issue affects Apache ShardingSphere ElasticJob-UI version 3.0.1 and prior versions. This vulnerability has been fixed in ElasticJob-UI 3.0.2. The attack requires that the attacker has already obtained the account and password; otherwise, the attacker cannot perform this attack.
CVSS Score: 8.5
EPSS Score: 0.001
Published: 2025-02-06
A vulnerability, which was classified as problematic, was found in Webkul QloApps 1.6.1. Affected is the function logout of the file /en/?mylogout of the component URL Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure. They are aware of it and are working on resolving it.
CVSS Score: 4.3
EPSS Score: 0.001
Published: 2025-02-06
Out-of-bounds array read vulnerability in the FFRT module. Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.
CVSS Score: 5.7
EPSS Score: 0.0
Published: 2025-02-06
Use-After-Free (UAF) vulnerability in the display module. Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.
CVSS Score: 6.1
EPSS Score: 0.0
Published: 2025-02-06
Input verification vulnerability in the ExternalStorageProvider module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVSS Score: 7.7
EPSS Score: 0.0
Published: 2025-02-06

