Security Vulnerabilities - CVEs Published In March 2025
Incorrect access control in the component /config/WebSecurityConfig.java of yimioa before v2024.07.04 allows unauthorized attackers to arbitrarily modify Administrator passwords.
CVSS Score
7.3
EPSS Score
0.0
Published
2025-03-18
yimioa before v2024.07.04 was discovered to contain a SQL injection vulnerability via the component /mapper/xml/AddressDao.xml.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-03-18
IBM QRadar Advisor 1.0.0 through 2.6.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVSS Score
4.1
EPSS Score
0.001
Published
2025-03-18
TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the invoice() function within Orders.php which allows unauthorized users to access and generate invoices due to missing permission checks.
CVSS Score
8.1
EPSS Score
0.019
Published
2025-03-18
TastyIgniter 3.7.6 contains an Incorrect Access Control vulnerability in the Orders Management System, allowing unauthorized users to update order statuses. The issue occurs in the index_onUpdateStatus() function within Orders.php, which fails to verify if the user has permission to modify an order's status. This flaw can be exploited remotely, leading to unauthorized order manipulation.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-03-18
A vulnerability was found in Dromara ujcms 9.7.5. It has been rated as problematic. Affected by this issue is the function uploadZip/upload of the file /main/java/com/ujcms/cms/ext/web/backendapi/WebFileUploadController.java of the component File Upload. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
2.4
EPSS Score
0.001
Published
2025-03-18
NI FlexLogger usiReg URI File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of NI FlexLogger. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of URI files by the usiReg component. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-21805.
CVSS Score
7.8
EPSS Score
0.008
Published
2025-03-18
NI Vision Builder AI VBAI File Processing Missing Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NI Vision Builder AI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the processing of VBAI files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22833.
CVSS Score
7.8
EPSS Score
0.002
Published
2025-03-18
An issue in CosmWasm prior to v2.2.0 allows attackers to bypass capability restrictions in blockchains by exploiting a lack of runtime capability validation. This allows attackers to deploy a contract without capability enforcement, and execute unauthorized actions on the blockchain.
CVSS Score
7.5
EPSS Score
0.006
Published
2025-03-18
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Vestel EVC04 Configuration Interface allows SQL Injection.This issue affects EVC04 Configuration Interface: before V3.187, V4.53.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-03-18