Security Vulnerabilities - CVEs Published In February 2025
A SQL injection vulnerability in the JoomShopping component versions 1.0.0-1.4.3 for Joomla allows authenticated attackers (administrator) to execute arbitrary SQL commands in the country management area in backend.
CVSS Score
3.4
EPSS Score
0.0
Published
2025-02-25
matrix-appservice-irc is a Node.js IRC bridge for Matrix. The matrix-appservice-irc bridge up to version 3.0.3 contains a vulnerability which can lead to arbitrary IRC command execution as the puppeted user. The attacker can only inject commands executed as their own IRC user. The vulnerability has been patched in matrix-appservice-irc version 3.0.4.
CVSS Score
2.7
EPSS Score
0.001
Published
2025-02-25
Libmodsecurity is one component of the ModSecurity v3 project. The library codebase serves as an interface to ModSecurity Connectors taking in web traffic and applying traditional ModSecurity processing. A bug that exists only in Libmodsecurity3 version 3.0.13 means that, in 3.0.13, Libmodsecurity3 can't decode encoded HTML entities if they contains leading zeroes. Version 3.0.14 contains a fix. No known workarounds are available.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-02-25
Combodo iTop is a web based IT service management tool. Versions prior to 2.7.12, 3.1.2, and 3.2.0 are vulnerable to cross-site scripting when the preferences page is opened. Versions 2.7.12, 3.1.2, and 3.2.0 fix the issue.
CVSS Score
6.8
EPSS Score
0.0
Published
2025-02-25
LocalSend is a free, open-source app that allows users to securely share files and messages with nearby devices over their local network without needing an internet connection. Prior to version 1.17.0, due to the missing sanitization of the path in the `POST /api/localsend/v2/prepare-upload` and the `POST /api/localsend/v2/upload` endpoint, a malicious file transfer request can write files to the arbitrary location on the system, resulting in the remote command execution. A malicious file transfer request sent by nearby devices can write files into an arbitrary directory. This usually allows command execution via the startup folder on Windows or Bash-related files on Linux. If the user enables the `Quick Save` feature, it will silently write files without explicit user interaction. Version 1.17.0 fixes this issue.
CVSS Score
8.8
EPSS Score
0.003
Published
2025-02-25
Uncontrolled resource consumption in the installer for some Zoom apps for macOS before version 6.1.5 may allow a privileged user to conduct a disclosure of information via local access.
CVSS Score
6.0
EPSS Score
0.0
Published
2025-02-25
Symlink following in the installer for some Zoom apps for macOS before version 6.1.5 may allow an authenticated user to conduct an escalation of privilege via network access.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-02-25
Buffer overflow in some Zoom Apps may allow an authenticated user to conduct an escalation of privilege via network access.
CVSS Score
8.5
EPSS Score
0.001
Published
2025-02-25
Business logic error in some Zoom Workplace Apps may allow an unauthenticated user to conduct a disclosure of information via network access.
CVSS Score
5.3
EPSS Score
0.001
Published
2025-02-25
Incorrect user management in some Zoom Workplace Apps may allow a privileged user to conduct an information disclosure via network access.
CVSS Score
4.9
EPSS Score
0.0
Published
2025-02-25