Security Vulnerabilities - CVEs Published In February 2025
SQL injection vulnerability in the ZimbraSync Service SOAP endpoint in Zimbra Collaboration 10.0.x before 10.0.12 and 10.1.x before 10.1.4 due to insufficient sanitization of a user-supplied parameter. Authenticated attackers can exploit this vulnerability by manipulating a specific parameter in the request, allowing them to inject arbitrary SQL queries that could retrieve email metadata.
CVSS Score: 8.8 | EPSS Score: 0.264 | Published: 2025-02-03
SSRF vulnerability in the RSS feed parser in Zimbra Collaboration 9.0.0 before Patch 43, 10.0.x before 10.0.12, and 10.1.x before 10.1.4 allows unauthorized redirection to internal network endpoints.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2025-02-03
CVE-2025-25181
Known exploited
A SQL injection vulnerability in timeoutWarning.asp in Advantive VeraCore through 2025.1.0 allows remote attackers to execute arbitrary SQL commands via the PmSess1 parameter.
CVSS Score: 5.8 | EPSS Score: 0.695 | Published: 2025-02-03
CVE-2024-57968
Known exploited
Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users). upload.aspx can be used for this.
CVSS Score: 9.9 | EPSS Score: 0.155 | Published: 2025-02-03
eladmin <=2.7 is vulnerable to CSV Injection in the exception log download module.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2025-02-03
ClassCMS v4.8 has a code execution vulnerability. Attackers can exploit this vulnerability by constructing a payload in the classview parameter of the model management feature, allowing them to execute arbitrary code and potentially take control of the server.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2025-02-03
ChestnutCMS <=1.5.0 is vulnerable to File Upload via the Create template function.
CVSS Score: 9.8 | EPSS Score: 0.003 | Published: 2025-02-03
ChestnutCMS <=1.5.0 has an arbitrary file deletion vulnerability in contentcore.controller.FileController, which allows attackers to delete any file and folder.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2025-02-03
Cross Site Scripting vulnerability in sayski ForestBlog 20241223 allows a remote attacker to escalate privileges via the article editing function.
CVSS Score: 4.8 | EPSS Score: 0.001 | Published: 2025-02-03
An issue was discovered in Open5GS v2.7.2. An InitialUEMessage, Registration request sent at a specific time can crash the AMF due to incorrect error handling of the gmm_state_exception() function upon receipt of the Nausf_UEAuthentication_Authenticate response.
CVSS Score: 7.5 | EPSS Score: 0.001 | Published: 2025-02-03


Shodan ® - All rights reserved