Security Vulnerabilities - CVEs Published In June 2025
A vulnerability was found in TOTOLINK T10 4.1.8cu.5207. It has been rated as critical. Affected by this issue is the function setWiFiRepeaterCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument Password leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
8.8
EPSS Score
0.002
Published
2025-06-10
CyberData 011209 Intercom could allow an unauthenticated user to gather sensitive information through blind SQL injections.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-06-09
CyberData 011209 Intercom
could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-06-09
A vulnerability has been found in TOTOLINK T10 4.1.8cu.5207 and classified as critical. This vulnerability affects the function UploadCustomModule of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument File leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
8.8
EPSS Score
0.002
Published
2025-06-09
A vulnerability was found in TOTOLINK T10 4.1.8cu.5207 and classified as critical. This issue affects the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument slaveIpList leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
8.8
EPSS Score
0.002
Published
2025-06-09
CyberData
011209
Intercom exposes features that could allow an unauthenticated to gain
access and cause a denial-of-service condition or system disruption.
CVSS Score
7.5
EPSS Score
0.001
Published
2025-06-09
CyberData 011209 Intercom
does not properly store or protect web server admin credentials.
CVSS Score
7.5
EPSS Score
0.0
Published
2025-06-09
A vulnerability, which was classified as problematic, was found in Tenda AC9 15.03.02.13. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-06-09
CyberData 011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-06-09
HAX CMS PHP allows users to manage their microsite universe with a PHP backend. Prior to version 11.0.0, an authenticated Local File Inclusion (LFI) vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written into site.json. This enables attackers to exfiltrate sensitive system files such as /etc/passwd, application secrets, or configuration files accessible to the web server (www-data). The vulnerability stems from the way the HAXCMS backend handles the location field in the site's outline. When a user sends a POST request to /system/api/saveOutline, the backend stores the provided location value directly into the site.json file associated with the site, without validating or sanitizing the input. Later the location parameter is interpreted by the CMS to resolve and load the content for a given node. If the location field contains a relative path like `../../../etc/passwd`, the application will attempt to read and render that file. Version 11.0.0 fixes the issue.
CVSS Score
6.5
EPSS Score
0.001
Published
2025-06-09