Security Vulnerabilities - CVEs Published In February 2025
SeaCMS 13.3 was discovered to contain an arbitrary file read vulnerability in the file_get_contents function at admin_safe.php.
CVSS Score: 6.0 | EPSS Score: 0.0 | Published: 2025-02-26
SeaCMS 13.3 was discovered to contain an arbitrary file read vulnerability in the file_get_contents function at admin_safe_file.php.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2025-02-26
An arbitrary file upload vulnerability in the component admin\plugin.php of Emlog Pro v2.5.3 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2025-02-26
An arbitrary file upload vulnerability in the component \c\TemplateController.php of Jizhicms v2.5.4 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2025-02-26
JizhiCMS v2.5.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component \c\PluginsController.php. This vulnerability allows attackers to perform an intranet scan via a crafted request.
CVSS Score: 9.1 | EPSS Score: 0.001 | Published: 2025-02-26
FoxCMS v1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the index() method at \controller\Sitemap.php.
CVSS Score: 9.8 | EPSS Score: 0.019 | Published: 2025-02-26
An arbitrary file upload vulnerability in the component \controller\LocalTemplate.php of FoxCMS v1.2.5 allows attackers to execute arbitrary code via uploading a crafted Zip file.
CVSS Score: 9.8 | EPSS Score: 0.006 | Published: 2025-02-26
picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.
CVSS Score: 9.8 | EPSS Score: 0.042 | Published: 2025-02-26
In the Linux kernel, the following vulnerability has been resolved: sock: redo the psock vs ULP protection check Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()") has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to the new tcp_bpf_update_proto() function. I'm guessing that this was done to allow creating psocks for non-inet sockets. Unfortunately the destruction path for psock includes the ULP unwind, so we need to fail the sk_psock_init() itself. Otherwise if ULP is already present we'll notice that later, and call tcp_update_ulp() with the sk_proto of the ULP itself, which will most likely result in the ULP looping its callbacks.
CVSS Score: 5.5 | EPSS Score: 0.0 | Published: 2025-02-26
IBM Cloud Pak for Data 4.0.0 through 4.8.5 and 5.0.0 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Score: 6.1 | EPSS Score: 0.001 | Published: 2025-02-26

