Aggregator

Submit #496010 / VDB-295961

Submit #495965 / VDB-295960

A vulnerability, which was classified as problematic, was found in PMWeb 7.2.0. This affects an unknown part of the component Setting Handler. The manipulation leads to weak password requirements. This vulnerability is uniquely identified as CVE-2025-1341. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. It is recommended to change the configuration settings. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as problematic, has been found in Hirsch Enterphone MESH up to 2024. Affected by this issue is some unknown functionality of the component mesh.webadmin.MESHAdminServlet. The manipulation leads to use of default credentials. This vulnerability is handled as CVE-2025-26793. The attack may be launched remotely. There is no exploit available.

A vulnerability classified as critical was found in cyberchimps Responsive Plus Plugin up to 3.1.4 on WordPress. Affected by this vulnerability is the function remote_request of the component Setting Handler. The manipulation leads to server-side request forgery. This vulnerability is known as CVE-2024-13834. The attack can be launched remotely. There is no exploit available.

Submit #495635 / VDB-295959

A vulnerability classified as critical has been found in TOTOLINK X18 9.1.0cu.2024_B20220329. Affected is the function setPasswordCfg of the file /cgi-bin/cstecgi.cgi. The manipulation as part of String leads to stack-based buffer overflow. This vulnerability is traded as CVE-2025-1340. It is possible to launch the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in TOTOLINK X18 9.1.0cu.2024_B20220329. It has been rated as critical. This issue affects the function setL2tpdConfig of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument enable leads to os command injection. The identification of this vulnerability is CVE-2025-1339. The attack may be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #495368 / VDB-295956

Submit #495367 / VDB-295955

A vulnerability was found in NUUO Camera up to 20250203. It has been declared as critical. This vulnerability affects the function print_file of the file /handle_config.php. The manipulation of the argument log leads to command injection. This vulnerability was named CVE-2025-1338. The attack can be initiated remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. It is recommended to apply restrictive firewalling. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Eastnets PaymentSafe 2.5.26.0. It has been classified as problematic. This affects an unknown part of the component BIC Search. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-1337. It is possible to initiate the attack remotely. There is no exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #493912 / VDB-295954

A vulnerability was found in bitpressadmin Chat Widget Plugin up to 1.5.2 on WordPress and classified as problematic. Affected by this issue is some unknown functionality. The manipulation of the argument fileID leads to relative path traversal. This vulnerability is handled as CVE-2025-0822. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in CmsEasy 7.7.7.9 and classified as problematic. Affected by this vulnerability is the function deleteimg_action in the library lib/admin/image_admin.php. The manipulation of the argument imgname leads to path traversal. This vulnerability is known as CVE-2025-1336. The attack can be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as problematic, was found in CmsEasy 7.7.7.9. Affected is the function deleteimg_action in the library lib/admin/file_admin.php. The manipulation of the argument imgname leads to path traversal. This vulnerability is traded as CVE-2025-1335. It is possible to launch the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #493686 / VDB-295953

日本游戏开发商 Square Enix（SE）以无法修复的 bug 为由从苹果应用商店下架了 iOS 版本的《最终幻想水晶编年史重制版》。SE 表示如果客户在 2024 年 1 月或之后有过游戏内购，则有资格联系苹果客服要求退款。SE 没有从 Android、PS 和 Nintendo Switch 上下架该游戏，因此问题被怀疑与苹果平台内购有关联。SE 声称问题始于今年 1 月 24 日，那么这天发生了什么？有用户指出这天游戏使用的 SHA-1 证书过期了。2020 年发布的《最终幻想水晶编年史》依赖于设备验证游戏内购，在苹果设备上，游戏依靠 App Store 提供的购买凭据解锁内购物品，购买凭据在 2023 年前使用了 SHA-1 证书签名，之后迁移到 SHA-256 证书，在今年 1 月前两种证书都可用，但 1 月 24 日 SHA-1 证书过期了，SE 需要更新游戏以支持 SHA-256 证书。但 SE 选择了不更新游戏，可能认为代价过高。

Submit #493685 / VDB-295951

Submit #493682 / VDB-295950