Security Vulnerabilities - CVEs Published In May 2025
An insecure file system permissions vulnerability in MSP360 Backup 4.3.1.115 allows a low privileged user to execute commands with root privileges in the 'Online Backup' folder. Upgrade to MSP360 Backup 4.4 (released on 2025-04-22).
CVSS Score
8.5
EPSS Score
0.007
Published
2025-05-01
A vulnerability has been found in PHPGurukul Blood Bank & Donor Management System 2.4 and classified as critical. This vulnerability affects unknown code of the file /admin/request-received-bydonar.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
6.9
EPSS Score
0.001
Published
2025-05-01
IBM MQ Container when used with the IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, and MQ Operator SC2 3.2.0 through 3.2.10 and configured with Cloud Pak for Integration Keycloak could disclose sensitive information to a privileged user.
CVSS Score
6.0
EPSS Score
0.002
Published
2025-05-01
Sematell ReplyOne 7.4.3.0 has Insecure Permissions for the /rest/sessions endpoint.
CVSS Score
9.1
EPSS Score
0.004
Published
2025-05-01
Sematell ReplyOne 7.4.3.0 allows XSS via a ReplyDesk e-mail attachment name.
CVSS Score
6.1
EPSS Score
0.003
Published
2025-05-01
Sematell ReplyOne 7.4.3.0 allows SSRF via the application server API.
CVSS Score
7.5
EPSS Score
0.006
Published
2025-05-01
Improper access controls in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an unauthenticated remote attacker to enable telnet access to the router's OS by sending a /goform/telnet web request.
CVSS Score
6.5
EPSS Score
0.031
Published
2025-05-01
Initialization vector (IV) reuse in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an attacker to discern information about or more easily decrypt encrypted messages between client and server.
CVSS Score
6.5
EPSS Score
0.003
Published
2025-05-01
Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 allows an attacker to decrypt traffic between the client and server by collecting the symmetric AES key from collected and/or observed traffic. The AES key in sent in cleartext in response to successful authentication. The IV is always EU5H62G9ICGRNI43.
CVSS Score
8.2
EPSS Score
0.002
Published
2025-05-01
Cleartext transmission of sensitive information in the web management portal of the Tenda RX2 Pro 16.03.30.14 may allow an unauthenticated attacker to authenticate to the web management portal by collecting credentials from observed/collected traffic. It implements encryption, but not until after the user has transmitted the hash of their password in cleartext. The hash can be replayed to authenticate.
CVSS Score
8.2
EPSS Score
0.003
Published
2025-05-01