Security Vulnerabilities - CVEs Published In April 2025
NETSCOUT nGeniusONE before 6.4.0 b2350 has Hardcoded Credentials that can be obtained from JAR files.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-04-25
NETSCOUT nGeniusONE before 6.4.0 b2350 has a Sensitive File Accessible Without Proper Authentication to an endpoint.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-04-25
NETSCOUT nGeniusONE before 6.4.0 b2350 allows Arbitrary File Creation by authenticated users.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-04-25
An issue in Mytel Telecom Online Account System v1.0 allows attackers to bypass the OTP verification process via a crafted request.
CVSS Score
7.0
EPSS Score
0.001
Published
2025-04-25
CVE-2025-3935
ScreenConnect versions 25.2.3 and earlier versions may be susceptible to a ViewState code injection attack. ASP.NET Web Forms use ViewState to preserve page and control state, with data encoded using Base64 protected by machine keys.
It is important to note that to obtain these machine keys, privileged system level access must be obtained.
If these machine keys are compromised, attackers could create and send a malicious ViewState to the website, potentially leading to remote code execution on the server.
The risk does not originate from a vulnerability introduced by ScreenConnect, but from platform level behavior. This had no direct impact to ScreenConnect Client. ScreenConnect 2025.4 patch disables ViewState and removes any dependency on it.
Known exploited
CVSS Score
8.1
EPSS Score
0.201
Published
2025-04-25
Codeastro Bus Ticket Booking System v1.0 is vulnerable to SQL injection via the kodetiket parameter in /BusTicket-CI/tiket/cekorder.
CVSS Score
9.8
EPSS Score
0.0
Published
2025-04-25
CVE-2025-3928
Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.
Known exploited
CVSS Score
8.8
EPSS Score
0.144
Published
2025-04-25
In JetBrains TeamCity before 2025.03.1 base64-encoded credentials could be exposed in build logs
CVSS Score
4.3
EPSS Score
0.0
Published
2025-04-25
In JetBrains TeamCity before 2025.03.1 improper path validation in loggingPreset parameter was possible
CVSS Score
4.9
EPSS Score
0.0
Published
2025-04-25
In JetBrains TeamCity before 2025.03.1 stored XSS was possible on Data Directory tab
CVSS Score
3.5
EPSS Score
0.0
Published
2025-04-25