Source: Ministry of education information & communication security contingency platform
Publication Number: TACERT-ANA-2025040103042424
Publication Time: 2025/04/01 15:29
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2025/04/01 15:29
Impact Level: Low

[Subject] 【Vulnerability Alert】CISA Adds 4 New Exploited Vulnerabilities to KEV Catalog (2025/03/24 - 2025/03/30)
[Content] Forwarded from TWCERTCC-200-202504-00000001

[CVE-2025-30154] reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability (CVSS v3.1: 8.6)
Ransomware Involvement: Unknown
The reviewdog action-setup GitHub Action was found to contain embedded malicious code that writes leaked information into the GitHub Actions workflow logs.
[Affected Platforms] Please refer to the affected versions listed in the official advisory: https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc

[CVE-2019-9875] Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability (CVSS v3.1: 8.8)
Ransomware Involvement: Unknown
A deserialization vulnerability in the Sitecore.Security.AntiCSRF module of Sitecore CMS and Experience Platform (XP) allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
[Affected Platforms] Please refer to the affected versions listed in the official advisory: https://support.sitecore.com/kb?id=kb_search

[CVE-2019-9874] Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability (CVSS v3.1: 9.8)
Ransomware Involvement: Unknown
A deserialization vulnerability in the Sitecore.Security.AntiCSRF module of Sitecore CMS and Experience Platform (XP) allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
[Affected Platforms] Please refer to the affected versions listed in the official advisory: https://kb.sitecore.net/articles/334035

[CVE-2025-2783] Google Chromium Mojo Sandbox Escape Vulnerability (CVSS v3.1: 8.3)
Ransomware Involvement: Unknown
A sandbox escape vulnerability exists in Google Chromium Mojo on Windows: a logic error causes an incorrect handle to be provided under unspecified circumstances. This may affect several Chromium-based browsers, including Google Chrome, Microsoft Edge, and Opera.
[Affected Platforms] Please refer to the affected versions listed in the official advisory: https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html

Information Sharing Level: WHITE (Information content can be publicly disclosed)
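For the reviewdog/action-setup entry above, the practical question for a defender is which workflows in a repository pull that action, and whether they reference it by a mutable tag (which can silently move to a compromised commit) or by a full commit SHA. The following script is an added example, not part of this alert or of the reviewdog project; it scans workflow text for `uses:` references, reports whether each one is pinned to a 40-character commit SHA, and flags any reference to a watched action name. The sample workflow and the SHA values in it are constructed for illustration. The alert does not name a specific malicious commit, so the script only identifies references to compare against the affected versions in the official advisory; a reference pinned to a compromised SHA is still compromised, and the advisory remains the source of truth.

```python
import re

# Constructed sample workflow (not from the advisory). The SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
        with:
          reviewdog_version: latest
      - uses: reviewdog/action-setup@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-thing
      - uses: docker://ghcr.io/example/tool:1.0
      - name: run
        run: echo hi
"""

# Matches a `uses:` step line; the anchored "- uses:" avoids keys such as "reuses:".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?", re.MULTILINE)
# A full-length lowercase hex commit id is the only immutable form of reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Hypothetical default watch list: the action named in this alert.
DEFAULT_WATCH = ("reviewdog/action-setup",)


def audit_workflow(text, watch=DEFAULT_WATCH):
    """Return one finding per remote `uses:` reference in a workflow file.

    Each finding records the action name, the ref after '@', whether that ref
    is a full commit SHA, and whether the action is on the watch list.
    Local (./path) and container (docker://) references carry no git ref and
    are skipped.
    """
    findings = []
    for match in USES_RE.finditer(text):
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        name, _, version = ref.partition("@")
        watched = any(name == w or name.startswith(w + "/") for w in watch)
        findings.append({
            "action": name,
            "ref": version,
            "pinned": bool(SHA_RE.match(version)),
            "watched": watched,
        })
    return findings


def unpinned(findings):
    """Subset of findings whose ref is a tag or branch rather than a commit SHA."""
    return [f for f in findings if not f["pinned"]]


def report(text, watch=DEFAULT_WATCH):
    """Human-readable summary; returns the list of lines so it can be inspected."""
    lines = []
    for f in audit_workflow(text, watch):
        status = "pinned" if f["pinned"] else "MUTABLE"
        flag = " [watched: compare against advisory]" if f["watched"] else ""
        lines.append(f"{status:8} {f['action']}@{f['ref'] or '(no ref)'}{flag}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_WORKFLOW):
        print(line)
```

Run it against each file under `.github/workflows/` in turn; any line marked MUTABLE for a watched action is the first thing to reconcile with the affected versions in the advisory, and pinning every remote action to a reviewed commit SHA removes the silent-update path that makes this class of compromise possible.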
[Affected Platform] Please refer to the affected platforms listed in the "Content Description" section above.

[Recommended Actions]
[CVE-2025-30154] A patch has been released by the official source. Please update to the relevant version: https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
[CVE-2019-9875] A patch has been released by the official source. Please update to the relevant version: https://support.sitecore.com/kb?id=kb_search
[CVE-2019-9874] A patch has been released by the official source. Please update to the relevant version: https://kb.sitecore.net/articles/334035
[CVE-2025-2783] A patch has been released by the official source. Please update to the relevant version: https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html

[Reference]