Security Vulnerabilities
A vulnerability was determined in ChurchCRM up to 5.18.0. This issue affects some unknown processing of the file src/ChurchCRM/Backup/RestoreJob.php of the component Backup Restore Handler. Executing manipulation of the argument restoreFile can lead to path traversal. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
4.7
EPSS Score
0.002
Published
2025-10-19
A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
5.6
EPSS Score
0.0
Published
2025-10-19
Apache Geode is vulnerable to CSRF attacks through GET requests to the Management and Monitoring REST API that could allow an attacker who has tricked a user into giving up their Geode session credentials to submit malicious commands on the target system on behalf of the authenticated user.
This issue affects Apache Geode: versions 1.10 through 1.15.1
Users are recommended to upgrade to version 1.15.2, which fixes the issue.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-10-18
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for submission of equipment orders.
CVSS Score
5.8
EPSS Score
0.001
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authentication for use of the diagnostic screen.
CVSS Score
8.3
EPSS Score
0.001
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 does not implement access control for the bathroom rating interface.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 transmits passwords of user accounts in cleartext e-mail messages.
CVSS Score
3.4
EPSS Score
0.0
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory that shares personal information among authenticated users.
CVSS Score
5.0
EPSS Score
0.0
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to review the stored audio of conversations between associates and Drive Thru customers.
CVSS Score
5.0
EPSS Score
0.0
Published
2025-10-17
The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of returning a JWT that can be used to call an API to return a signed AWS upload URL, for any store's path.
CVSS Score
5.0
EPSS Score
0.0
Published
2025-10-17