Security Vulnerabilities - CVEs Published In February 2025
A Cross-Protocol Scripting vulnerability is found in Apache Kvrocks. Since Kvrocks didn't detect if "Host:" or "POST" appears in RESP requests, a valid HTTP request can also be sent to Kvrocks as a valid RESP request and trigger some database operations, which can be dangerous when it is chained with SSRF. It is similar to CVE-2016-10517 in Redis. This issue affects Apache Kvrocks: from the initial version to the latest version 2.11.0. Users are recommended to upgrade to version 2.11.1, which fixes the issue.
CVSS Score
6.5
EPSS Score
0.008
Published
2025-02-07
Cross-Site Request Forgery (CSRF) vulnerability in gabrieldarezzo InLocation inlocation allows Stored XSS. This issue affects InLocation: from n/a through <= 1.8.
CVSS Score
7.1
EPSS Score
0.001
Published
2025-02-07
Missing Authorization vulnerability in Black and White BookPress – For Book Authors book-press allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BookPress – For Book Authors: from n/a through <= 1.2.7.
CVSS Score
8.2
EPSS Score
0.001
Published
2025-02-07
Cross-Site Request Forgery (CSRF) vulnerability in Black and White BookPress – For Book Authors book-press allows Cross-Site Scripting (XSS). This issue affects BookPress – For Book Authors: from n/a through <= 1.2.7.
CVSS Score
7.1
EPSS Score
0.001
Published
2025-02-07
Cross-Site Request Forgery (CSRF) vulnerability in Mark Barnes Style Tweaker style-tweaker allows Stored XSS. This issue affects Style Tweaker: from n/a through <= 0.11.
CVSS Score
7.1
EPSS Score
0.001
Published
2025-02-07
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Zach Swetz Plugin A/B Image Optimizer images-optimizer allows Path Traversal. This issue affects Plugin A/B Image Optimizer: from n/a through <= 3.3.
CVSS Score
7.5
EPSS Score
0.264
Published
2025-02-07
In OpenHarmony v4.1.2 and prior versions, a local attacker can cause a DoS through an integer overflow.
CVSS Score
5.5
EPSS Score
0.001
Published
2025-02-07
In OpenHarmony v4.1.2 and prior versions, a local attacker can cause common permissions to be upgraded to root and sensitive information to leak through a buffer overflow.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-02-07
In OpenHarmony v4.1.2 and prior versions, a local attacker can cause common permissions to be upgraded to root and sensitive information to leak through a use after free.
CVSS Score
8.8
EPSS Score
0.001
Published
2025-02-07
Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file, an attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS Score
7.8
EPSS Score
0.001
Published
2025-02-07