Security Vulnerabilities - CVEs Published In May 2025
When running in Appliance mode, a command injection vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS Shell (tmsh) command which may allow an authenticated attacker with administrator role privileges to execute arbitrary system commands. A successful exploit can allow the attacker to cross a security boundary. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVSS Score
8.5
EPSS Score
0.006
Published
2025-05-07
An admin user can gain unauthorized write access to the /etc/rc.local file on the device, which is executed on a system boot.
CVSS Score
6.1
EPSS Score
0.002
Published
2025-05-07
gnuplot is affected by a heap buffer overflow at function utf8_copy_one.
CVSS Score
5.5
EPSS Score
0.002
Published
2025-05-07
Tenda FH451 V1.0.0.9 has a stack overflow vulnerability in the function frmL7ImForm.
CVSS Score
6.5
EPSS Score
0.003
Published
2025-05-07
Cross-Site Scripting vulnerability in Koillection v.1.6.10 allows a remote attacker to escalate privileges via the collection, Wishlist and album components.
CVSS Score
6.1
EPSS Score
0.002
Published
2025-05-07
WeGIA is a web manager for charitable institutions. An unauthenticated SQL Injection vulnerability was identified in versions up to and including 3.3.0 in the endpoint `/html/socio/sistema/get_socios.php`, specifically in the query parameter. This issue allows attackers to inject and execute arbitrary SQL statements against the application's underlying database. As a result, it may lead to data exfiltration, authentication bypass, or complete database compromise. Version 3.3.1 fixes the issue.
CVSS Score
10.0
EPSS Score
0.006
Published
2025-05-07
A vulnerability in Cisco Catalyst Center, formerly Cisco DNA Center, could allow an authenticated, remote attacker to read and modify data in a repository that belongs to an internal service of an affected device. This vulnerability is due to insufficient enforcement of access control on HTTP requests. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device.
CVSS Score
4.7
EPSS Score
0.003
Published
2025-05-07
A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.
CVSS Score
8.8
EPSS Score
0.009
Published
2025-05-07
A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to inject a path traversal sequence to make any directory on the SMA appliance writable.
CVSS Score
8.8
EPSS Score
0.01
Published
2025-05-07
A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN admin privileges to inject shell command arguments to upload a file on the appliance.
CVSS Score
7.2
EPSS Score
0.006
Published
2025-05-07
Shodan ® - All rights reserved