Security Vulnerabilities - CVEs Published In April 2025
A vulnerability, which was classified as critical, was found in TOTOLINK A3700R 9.1.2u.5822_B20200513. Affected is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
6.9
EPSS Score
0.003
Published
2025-04-16
Dell Alienware Command Center 6.x, versions prior to 6.7.37.0 contain an Improper Access Control Vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
CVSS Score
6.7
EPSS Score
0.0
Published
2025-04-16
EspoCRM is an Open Source Customer Relationship Management software. Prior to 9.0.5, Iframe dashlet allows user to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creating a phishing risk. The iframe URL is user-defined, so an attacker would need to trick the user into specifying a malicious URL. The missing sandbox attribute also allows the remote page to send messages to the parent frame. However, EspoCRM does not make use of these messages. This vulnerability is fixed in 9.0.5.
CVSS Score
5.3
EPSS Score
0.002
Published
2025-04-16
RE11S v1.11 was discovered to contain a stack overflow via the rootAPmac parameter in the formiNICbasicREP function.
CVSS Score
5.6
EPSS Score
0.003
Published
2025-04-15
Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via serviceName2.
CVSS Score
4.6
EPSS Score
0.002
Published
2025-04-15
Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via serverName2.
CVSS Score
4.6
EPSS Score
0.002
Published
2025-04-15
Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, that are owned by the hydra-queue-runner and hydra-www users respectively.
CVSS Score
2.6
EPSS Score
0.002
Published
2025-04-15
Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.
CVSS Score
6.9
EPSS Score
0.003
Published
2025-04-15
Unauthenticated attackers can trigger device actions associated with specific "scenes" of arbitrary users.
CVSS Score
6.9
EPSS Score
0.005
Published
2025-04-15
An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., "rooms").
CVSS Score
6.9
EPSS Score
0.002
Published
2025-04-15