Security Vulnerabilities - CVEs Published In February 2025
decNumberCopy in decNumber.c in jq through 1.7.1 does not properly consider that NaN is interpreted as numeric, which has a resultant stack-based buffer overflow and out-of-bounds write, as demonstrated by use of --slurp with subtraction, such as a filter of .-. when the input has a certain form of digit string with NaN (e.g., "1 NaN123" immediately followed by many more digits).
CVSS Score: 8.1
EPSS Score: 0.0
Published: 2025-02-26
A SQL injection vulnerability in /admin/add-propertytype.php in PHPGurukul Land Record System Project in PHP v1.0 allows remote attackers to execute arbitrary code via the propertytype POST request parameter.
CVSS Score: 5.5
EPSS Score: 0.002
Published: 2025-02-26
A stored cross-site scripting (XSS) vulnerability in HelpDeskZ < v2.0.2 allows remote attackers to execute arbitrary JavaScript in the administration panel by including a malicious payload in the file name and upload file function when creating a new ticket.
CVSS Score: 4.8
EPSS Score: 0.001
Published: 2025-02-26
SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_ip.php.
CVSS Score: 5.1
EPSS Score: 0.001
Published: 2025-02-26
SeaCMS v13.3 was discovered to contain a remote code execution (RCE) vulnerability via the component admin_files.php.
CVSS Score: 5.1
EPSS Score: 0.001
Published: 2025-02-26
A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the postStrVar function at article_save.php.
CVSS Score: 5.1
EPSS Score: 0.0
Published: 2025-02-26
A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the article header at /admin/article.php.
CVSS Score: 7.3
EPSS Score: 0.0
Published: 2025-02-26
A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title in the article category section.
CVSS Score: 7.1
EPSS Score: 0.0
Published: 2025-02-26
A Server-Side Request Forgery (SSRF) in the component sort.php of Emlog Pro v2.5.4 allows attackers to scan local and internal ports via supplying a crafted URL.
CVSS Score: 6.8
EPSS Score: 0.0
Published: 2025-02-26
An arbitrary file upload vulnerability in the plugin installation feature of YZNCMS v2.0.1 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVSS Score: 4.4
EPSS Score: 0.0
Published: 2025-02-26

