Security Vulnerabilities - CVEs Published In April 2025
In Tenda ac9 v1.0 with firmware V15.03.05.14_multi, the rebootTime parameter of /goform/SetSysAutoRebbotCfg has a stack overflow vulnerability, which can lead to remote arbitrary code execution.
CVSS Score
9.8
EPSS Score
0.004
Published
2025-04-23
D-Link DIR-816 A2V1.1.0B05 was found to contain a command injection in /goform/delRouting.
CVSS Score
6.5
EPSS Score
0.09
Published
2025-04-22
TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal).
CVSS Score
9.8
EPSS Score
0.006
Published
2025-04-22
Codemers KLIMS 1.6.DEV lacks a proper access control mechanism, allowing a normal KLIMS user to perform all the actions that an admin can perform, such as modifying the configuration, creating a user, uploading files, etc.
CVSS Score
7.3
EPSS Score
0.001
Published
2025-04-22
TOTOLINK A830R V4.1.2cu.5182_B20201102, A950RG V4.1.2cu.5161_B20200903, A3000RU V5.9c.5185_B20201128, and A3100R V4.1.2cu.5247_B20211129 were found to contain a buffer overflow vulnerability in cstecgi.cgi
CVSS Score
7.3
EPSS Score
0.001
Published
2025-04-22
TOTOLINK A830R V4.1.2cu.5182_B20201102 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.
CVSS Score
9.8
EPSS Score
0.037
Published
2025-04-22
TOTOLINK A950RG V4.1.2cu.5161_B20200903 was found to contain a pre-auth remote command execution vulnerability in the setNoticeCfg function through the NoticeUrl parameter.
CVSS Score
9.8
EPSS Score
0.037
Published
2025-04-22
TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setWebWlanIdx function through the webWlanIdx parameter.
CVSS Score
9.8
EPSS Score
0.048
Published
2025-04-22
TOTOLINK EX1200T V4.1.2cu.5232_B20210713 was found to contain a pre-auth remote command execution vulnerability in the setUpgradeFW function through the FileName parameter.
CVSS Score
9.8
EPSS Score
0.043
Published
2025-04-22
OctoPrint provides a web interface for controlling consumer 3D printers. In versions up to and including 1.10.3, OctoPrint has a vulnerability that allows an attacker to bypass the login redirect and directly access the rendered HTML of certain frontend pages. The primary risk lies in potential future modifications to the codebase that might incorrectly rely on the vulnerable internal functions for authentication checks, leading to security vulnerabilities. This issue has been patched in version 1.11.0.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-04-22