Security Vulnerabilities - CVEs Published In April 2025
Incorrect access control in JMBroadcast JMB0150 Firmware v1.0 allows attackers to access hardcoded administrator credentials.
CVSS Score: 9.1 | EPSS Score: 0.001 | Published: 2025-04-18
Incorrect access control in the HOME.php endpoint of JMBroadcast JMB0150 Firmware v1.0 allows attackers to access the Admin panel without authentication.
CVSS Score: 9.1 | EPSS Score: 0.001 | Published: 2025-04-18
TOTOLINK X18 v9.1.0cu.2024_B20220329 has an unauthorized arbitrary command execution vulnerability in the enable parameter of the sub_41105C function of cstecgi.cgi.
CVSS Score: 9.8 | EPSS Score: 0.007 | Published: 2025-04-18
A buffer overflow vulnerability in Astrolog v7.70 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via an overly long environment variable passed to the FileOpen function.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2025-04-18
IBM i 7.3, 7.4, 7.5, and 7.5 is vulnerable to a host header injection attack caused by improper neutralization of HTTP header content by IBM Navigator for i. An authenticated user can manipulate the host header in HTTP requests to change the domain/IP address, which may lead to unexpected behavior.
CVSS Score: 5.4 | EPSS Score: 0.0 | Published: 2025-04-18
An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component.
CVSS Score: 9.1 | EPSS Score: 0.001 | Published: 2025-04-18
Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in '/export' should only allow administrator users to export DSL. A workaround for this vulnerability involves updating the access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can export the APP DSL. This vulnerability is fixed in 0.6.13.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2025-04-18
74cms <=3.33 is vulnerable to remote code execution (RCE) in the background interface apiadmin.
CVSS Score: 6.3 | EPSS Score: 0.004 | Published: 2025-04-18
IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 could allow an authenticated user to spoof the identity of another user due to improper authorization, which could allow the user to bypass access restrictions.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2025-04-18
IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 does not invalidate the session after a browser closure, which could allow an authenticated user to impersonate another user on the system.
CVSS Score: 6.3 | EPSS Score: 0.0 | Published: 2025-04-18
Shodan ® - All rights reserved