Security Vulnerabilities - CVEs Published In April 2025
A SQL injection vulnerability in dingfanzuCMS v.1.0 allows an attacker to execute arbitrary code because the id parameter of "operateOrder.php" is not filtered correctly.
CVSS Score: 9.8
EPSS Score: 0.001
Published: 2025-04-15
code-gen <=2.0.6 is vulnerable to Incorrect Access Control. The project lacks permission control, allowing anyone to access such projects.
CVSS Score: 4.3
EPSS Score: 0.0
Published: 2025-04-15
A command injection vulnerability in the Nmap diagnostic tool in the admin web console of Extron SMP 111 <=3.01, SMP 351 <=2.16, SMP 352 <= 2.16, and SME 211 <= 3.02, allows a remote authenticated attacker to execute arbitrary commands as root on the underlying operating system.
CVSS Score: 7.2
EPSS Score: 0.009
Published: 2025-04-15
Uncontrolled search path element in Power Automate allows an authorized attacker to disclose information over a network.
CVSS Score: 5.7
EPSS Score: 0.002
Published: 2025-04-15
A SQL injection vulnerability in Hitout car sale 1.0 allows a remote attacker to obtain sensitive information via the orderBy parameter of the StoreController.java component.
CVSS Score: 5.9
EPSS Score: 0.001
Published: 2025-04-15
In JotUrl 2.0, passwords are sent via HTTP GET-type requests, potentially exposing credentials to eavesdropping or insecure records.
CVSS Score: 6.5
EPSS Score: 0.001
Published: 2025-04-15
In JotUrl 2.0, it is possible to bypass security requirements during the password change process.
CVSS Score: 6.5
EPSS Score: 0.001
Published: 2025-04-15
A SQL injection vulnerability in Enricozab CMS v.1.0 allows a remote attacker to execute arbitrary code via /hdo/hdo-view-case.php.
CVSS Score: 6.5
EPSS Score: 0.001
Published: 2025-04-15
Thunderbird processes the X-Mozilla-External-Attachment-URL header to handle attachments which can be hosted externally. When an email is opened, Thunderbird accesses the specified URL to determine file size, and navigates to it when the user clicks the attachment. Because the URL is not validated or sanitized, it can reference internal resources like chrome:// or SMB share file:// links, potentially leading to hashed Windows credential leakage and opening the door to more serious security issues. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
CVSS Score: 6.3
EPSS Score: 0.001
Published: 2025-04-15
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is shown when hovering over any attachment. Although the correct link is used on click, the misleading hover text could trick users into downloading content from untrusted sources. This vulnerability affects Thunderbird < 137.0.2 and Thunderbird < 128.9.2.
CVSS Score: 6.4
EPSS Score: 0.001
Published: 2025-04-15

Shodan ® - All rights reserved