Security Vulnerabilities - CVEs Published In April 2025
A vulnerability, which was classified as critical, was found in PHPGurukul Old Age Home Management System 1.0. Affected is an unknown function of the file /admin/rules.php. The manipulation of the argument pagetitle leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
7.3
EPSS Score
0.001
Published
2025-04-28
A vulnerability, which was classified as critical, has been found in PHPGurukul Nipah Virus Testing Management System 1.0. This issue affects some unknown processing of the file /profile.php. The manipulation of the argument adminname/mobilenumber leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
7.3
EPSS Score
0.001
Published
2025-04-28
DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to unauthorized actions being performed, potentially compromising the security and privacy of users. This issue has been fixed in version 1.3.0.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-04-28
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send can send a "literal" byte count, which is automatically read by the client's receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname). This issue has been patched in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-04-28
DevExpress before 23.1.3 allows arbitrary TypeConverter conversion.
CVSS Score
3.5
EPSS Score
0.002
Published
2025-04-28
DevExpress before 23.1.3 allows AsyncDownloader SSRF.
CVSS Score
5.0
EPSS Score
0.001
Published
2025-04-28
DevExpress before 23.1.3 does not properly protect XtraReport serialized data in ASP.NET web forms.
CVSS Score
3.5
EPSS Score
0.003
Published
2025-04-28
DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data.
CVSS Score
3.5
EPSS Score
0.001
Published
2025-04-28
SEPPmail through 12.1.17 allows command injection within the Admin Portal. An authenticated attacker is able to execute arbitrary code in the context of the user root.
CVSS Score
6.0
EPSS Score
0.004
Published
2025-04-28
The TheCartPress boot-store (aka Boot Store) theme 1.6.4 for WordPress allows header.php tcp_register_error XSS. NOTE: CVE-2015-4582 is not assigned to any Oracle product.
CVSS Score
7.2
EPSS Score
0.001
Published
2025-04-28