Security Vulnerabilities - CVEs Published In April 2025
A buffer overflow vulnerability in Astrolog v7.70 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via an overly long environment variable passed to FileOpen function.
CVSS Score
7.8
EPSS Score
0.001
Published
2025-04-18
IBM i 7.3, 7.4, 7.5, and 7.5 is vulnerable to a host header injection attack caused by improper neutralization of HTTP header content by IBM Navigator for i. An authenticated user can manipulate the host header in HTTP requests to change domain/IP address which may lead to unexpected behavior.
CVSS Score
5.4
EPSS Score
0.002
Published
2025-04-18
An issue in croogo v.3.0.2 allows an attacker to perform Host header injection via the feed.rss component.
CVSS Score
9.1
EPSS Score
0.004
Published
2025-04-18
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix io_req_prep_async with provided buffers
io_req_prep_async() can import provided buffers, commit the ring state
by giving up on that before, it'll be reimported later if needed.
CVSS Score
7.8
EPSS Score
0.001
Published
2025-04-18
Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in '/export' should only allow administrator users to export DSL. A workaround for this vulnerability involves updating the access control mechanisms to enforce stricter user role permissions and implementing role-based access controls (RBAC) to ensure that only users with admin privileges can export the APP DSL. This vulnerability is fixed in 0.6.13.
CVSS Score
6.3
EPSS Score
0.002
Published
2025-04-18
A vulnerability was found in baseweb JSite 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /a/sys/area/save. The manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
5.1
EPSS Score
0.002
Published
2025-04-18
A vulnerability classified as critical has been found in baseweb JSite 1.0. This affects an unknown part of the file /druid/index.html of the component Apache Druid Monitoring Console. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
6.9
EPSS Score
0.002
Published
2025-04-18
74cms <=3.33 is vulnerable to remote code execution (RCE) in the background interface apiadmin.
CVSS Score
6.3
EPSS Score
0.02
Published
2025-04-18
IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0 could allow an authenticated user to spoof the identity of another user due to improper authorization which could allow the user to bypass access restrictions.
CVSS Score
6.3
EPSS Score
0.001
Published
2025-04-18
IBM Sterling Connect:Direct Web Services 6.1.0, 6.2.0, and 6.3.0
does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system.
CVSS Score
6.3
EPSS Score
0.001
Published
2025-04-18