2025-07-26 Daily Vulns
NEW:
CVE | Vendor - Product | Description | Metric | SSVC | Title
---|---|---|---|---|---
CVE-2024-48729 | n/a - n/a | An issue in ETSI Open-Source MANO (OSM) v.14.x, v.15.x allows a remote attacker to escalate privileges via the /osm/admin/v1/users component. | CNA: n/a; CVSS3.1: 7.1 - HIGH | Exploitation: poc; Automatable: no; Technical Impact: total | |
CVE-2020-36850 | Sitecore - JSS React Sample Application | An information disclosure vulnerability exists in Sitecore JSS React Sample Application 11.0.0 - 14.0.1 that may cause page content intended for one user to be shown to another user. | CVSS4.0: 8.7 - HIGH | Exploitation: none; Automatable: yes; Technical Impact: partial | Sitecore JSS React Sample Application 11.0.0 - 14.0.1 Information Disclosure |
CVE-2013-10032 | GetSimple CMS Project - GetSimple CMS | An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application's upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist. | CVSS4.0: 8.7 - HIGH | Exploitation: poc; Automatable: no; Technical Impact: total | GetSimple CMS 3.2.1 Authenticated RCE via Arbitrary PHP File Upload |
CVE-2019-25224 | databasebackup - WP Database Backup – Unlimited Database & Files Backup by Backup for WP | The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system. | CVSS3.1: 9.8 - CRITICAL | Exploitation: none; Automatable: yes; Technical Impact: total | WP Database Backup < 5.2 - Unauthenticated OS Command Injection |
CVE-2025-0249 | HCL Software - IEM | HCL IEM is affected by an improper invalidation of access or JWT token vulnerability. A token was not invalidated, which may allow attackers to access sensitive data without authorization. | CVSS3.1: 3.3 - LOW | Exploitation: none; Automatable: no; Technical Impact: partial | HCL IEM is affected by an improper invalidation of access or JWT token vulnerability |
CVE-2023-7306 | nmedia - Frontend File Manager Plugin | The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpfm_delete_multiple_files() function in all versions up to, and including, 21.5. This makes it possible for unauthenticated attackers to delete arbitrary posts. | CVSS3.1: 7.5 - HIGH | Exploitation: none; Automatable: yes; Technical Impact: partial | Frontend File Manager <= 21.5 - Missing Authorization to Unauthenticated Arbitrary Post Deletion |
CVE-2025-5253 | Kron Technologies - Kron PAM | Allocation of Resources Without Limits or Throttling vulnerability in Kron Technologies Kron PAM allows HTTP DoS. This issue affects Kron PAM: before 3.7. | CVSS3.1: 6.5 - MEDIUM | Exploitation: none; Automatable: no; Technical Impact: partial | DoS in Kron Technologies' Kron PAM |
This post is licensed under CC BY 4.0 by the author.