Security Vulnerabilities - CVEs Published In February 2025
A stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System v2.0 exists due to unsanitized input in file upload fields (event_img, seat_maps) and seat number configurations (number[new_X] in pjActionCreate). Attackers can inject persistent JavaScript, leading to phishing, malware injection, and session hijacking.
CVSS Score
9.3
EPSS Score
0.02
Published
2025-02-06
A cross-site request forgery (CSRF) vulnerability in the pjActionUpdate function of PHPJabbers Cinema Booking System v2.0 allows remote attackers to escalate privileges by tricking an authenticated admin into submitting an unauthorized request.
CVSS Score
5.4
EPSS Score
0.009
Published
2025-02-06
An SQL injection vulnerability in the pjActionGetUser function of PHPJabbers Cinema Booking System v2.0 allows attackers to manipulate database queries via the column parameter. Exploiting this flaw can lead to unauthorized information disclosure, privilege escalation, or database manipulation.
CVSS Score
9.8
EPSS Score
0.009
Published
2025-02-06
Cross Site Scripting vulnerability in DouPHP v.1.8 Release 20231203 allows attackers to execute arbitrary code via a crafted payload injected into the description parameter in /admin/article.php
CVSS Score
4.8
EPSS Score
0.001
Published
2025-02-06
An information disclosure vulnerability exists in the Vault API functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to reading vaults that have been previously disabled, possibly leaking sensitive credentials. An attacker can send a series of HTTP requests to trigger this vulnerability.
CVSS Score
7.7
EPSS Score
0.003
Published
2025-02-06
A cross-site scripting (xss) vulnerability exists in the dataset upload functionality of ClearML Enterprise Server 3.22.5-1533. A specially crafted HTTP request can lead to an arbitrary html code. An attacker can send a series of HTTP requests to trigger this vulnerability.
CVSS Score
9.0
EPSS Score
0.006
Published
2025-02-06
Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the name of an uploaded or already existing file.
CVSS Score
4.8
EPSS Score
0.002
Published
2025-02-06
Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
CVSS Score
9.8
EPSS Score
0.006
Published
2025-02-06
CVE-2025-0994
Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer’s Microsoft Internet Information Services (IIS) web server.
Known exploited
CVSS Score
8.6
EPSS Score
0.749
Published
2025-02-06
The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database. This issue affects Apache ShardingSphere ElasticJob-UI version 3.0.1 and prior versions. This vulnerability has been fixed in ElasticJob-UI 3.0.2.
The premise of this attack is that the attacker has obtained the account and password. Otherwise, the attacker cannot perform this attack.
CVSS Score
8.5
EPSS Score
0.001
Published
2025-02-06