【Vulnerability Alert】CISA Adds 4 New Exploited Vulnerabilities to KEV Catalog (2025/03/24 - 2025/03/30)
Publish date: 2025-04-07
Update date: 2025-04-07
Source: Ministry of Education Information & Communication Security Contingency Platform
Publication Number: TACERT-ANA-2025040103042424
Publication Time: 2025/04/01 15:29
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2025/04/01 15:29
Impact Level: Low

[Subject] 【Vulnerability Alert】CISA Adds 4 New Exploited Vulnerabilities to KEV Catalog (2025/03/24 - 2025/03/30)
[Content] Forwarded from TWCERTCC-200-202504-00000001

[CVE-2025-30154] reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability (CVSS v3.1: 8.6)
Ransomware Involvement: Unknown
The reviewdog/action-setup GitHub Action was found to contain embedded malicious code that writes secrets exposed to the workflow into the GitHub Actions workflow logs, where anyone able to read the logs can collect them.
[Affected Platforms] Please refer to the affected versions listed in the official advisory: https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc

[CVE-2019-9875] Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability (CVSS v3.1: 8.8)
Ransomware Involvement: Unknown
A deserialization vulnerability in the Sitecore.Security.AntiCSRF module of Sitecore CMS and Experience Platform (XP) allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
[Affected Platforms] Please refer to the affected versions listed in the official advisory: https://support.sitecore.com/kb?id=kb_search

[CVE-2019-9874] Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability (CVSS v3.1: 9.8)
Ransomware Involvement: Unknown
A deserialization vulnerability in the Sitecore.Security.AntiCSRF module of Sitecore CMS and Experience Platform (XP) allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
[Affected Platforms] Please refer to the affected versions listed in the official advisory: https://kb.sitecore.net/articles/334035

[CVE-2025-2783] Google Chromium Mojo Sandbox Escape Vulnerability (CVSS v3.1: 8.3)
Ransomware Involvement: Unknown
A sandbox escape vulnerability exists in Mojo in Google Chromium on Windows: a logic error causes an incorrect handle to be provided under unspecified circumstances. This affects Chromium-based browsers including Google Chrome, Microsoft Edge, and Opera.
[Affected Platforms] Please refer to the affected versions listed in the official advisory: https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html

Information Sharing Level: WHITE (Information content can be publicly disclosed)
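Both Sitecore entries above share one vector: a serialized .NET object delivered in the __CSRFTOKEN POST parameter. The following detector is an added example for this alert (not Sitecore code and not from the advisory). It inspects form bodies and flags a __CSRFTOKEN value that base64-decodes to a .NET BinaryFormatter stream, or that contains type names from common RCE gadget chains. The request bodies are constructed samples, and the assumed benign token format (short random bytes, base64-encoded) is an assumption, not Sitecore's actual format.

```python
"""Flag HTTP POST bodies whose __CSRFTOKEN value is a .NET BinaryFormatter
stream rather than an opaque anti-CSRF token (the vector for CVE-2019-9874
and CVE-2019-9875).

Added example for this alert; it is not Sitecore code and not from the
advisory. The request bodies below are constructed samples, and the benign
token format (random bytes, base64-encoded) is an assumption.
"""
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import parse_qs, quote

# A BinaryFormatter stream opens with a SerializationHeaderRecord:
# RecordType 0x00, RootId 1 (int32), HeaderId -1 (0xFFFFFFFF). Base64 of these
# nine bytes is the familiar "AAEAAAD/////" prefix produced by ysoserial.net.
BINARYFORMATTER_MAGIC = bytes.fromhex("0001000000ffffffff")

# Type names that belong to common BinaryFormatter RCE gadget chains and have
# no business inside a CSRF token.
GADGET_TYPE_NAMES = (
    b"System.Windows.Data.ObjectDataProvider",
    b"System.Diagnostics.Process",
    b"System.Collections.Generic.SortedSet",
    b"System.Workflow.ComponentModel.Serialization.ActivitySurrogateSelector",
)
MAX_TOKEN_BYTES = 512  # assumed upper bound for a legitimate token


def decode_token(raw: str) -> Optional[bytes]:
    """Base64-decode a form value, tolerating the URL-safe alphabet and missing padding."""
    s = raw.strip().replace("-", "+").replace("_", "/")
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_csrf_token(body: str) -> Dict[str, object]:
    """Inspect one application/x-www-form-urlencoded body and return a verdict."""
    tokens = parse_qs(body, keep_blank_values=True).get("__CSRFTOKEN", [])
    if not tokens:
        return {"present": False, "suspicious": False, "reasons": []}
    reasons: List[str] = []
    for tok in tokens:
        blob = decode_token(tok)
        if blob is None:
            continue  # not base64 at all, so it cannot be a BinaryFormatter stream
        if blob.startswith(BINARYFORMATTER_MAGIC):
            reasons.append("BinaryFormatter header in __CSRFTOKEN")
        hits = [n.decode() for n in GADGET_TYPE_NAMES if n in blob]
        if hits:
            reasons.append("gadget type names: " + ", ".join(hits))
        if len(blob) > MAX_TOKEN_BYTES:
            reasons.append(f"oversized token ({len(blob)} bytes decoded)")
    return {"present": True, "suspicious": bool(reasons), "reasons": reasons}


# Constructed samples. The malicious blob only mimics the shape of a
# BinaryFormatter stream that carries a Process gadget (header, then bytes
# containing a gadget type name); it is a stand-in, not a working payload.
_BENIGN_TOKEN = base64.b64encode(bytes.fromhex("5ad0c1e2f3a4b5c6d7e8f90a1b2c3d4e")).decode()
_MALICIOUS_BLOB = (
    BINARYFORMATTER_MAGIC
    + bytes.fromhex("0100000000000000")   # MajorVersion 1, MinorVersion 0
    + b"\x0c\x02\x00\x00\x00"              # illustrative record bytes, not a faithful layout
    + b"System.Diagnostics.Process"
)
BENIGN_BODY = f"__CSRFTOKEN={quote(_BENIGN_TOKEN, safe='')}&fld_name=test"
MALICIOUS_BODY = f"__CSRFTOKEN={quote(base64.b64encode(_MALICIOUS_BLOB).decode(), safe='')}"


def scan_bodies(bodies: List[str]) -> List[int]:
    """Return indices of bodies whose __CSRFTOKEN looks like a serialized object."""
    return [i for i, b in enumerate(bodies) if inspect_csrf_token(b)["suspicious"]]


if __name__ == "__main__":
    for body in (BENIGN_BODY, MALICIOUS_BODY):
        print(inspect_csrf_token(body))
```

Run it over captured POST bodies to the Sitecore instance (from a reverse proxy or WAF log that records request bodies). The header check alone catches every BinaryFormatter payload regardless of gadget; the type-name list only adds context for triage. Patching remains the fix; this is for finding attempts in logs, not for blocking.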
[Affected Platform] Please refer to the affected platforms listed in the [Content] section above.
[Recommended Actions]
[CVE-2025-30154] A patch has been released by the official source. Please update to the relevant version: https://github.com/reviewdog/reviewdog/security/advisories/GHSA-qmg3-hpqr-gqvc
[CVE-2019-9875] A patch has been released by the official source. Please update to the relevant version: https://support.sitecore.com/kb?id=kb_search
[CVE-2019-9874] A patch has been released by the official source. Please update to the relevant version: https://kb.sitecore.net/articles/334035
[CVE-2025-2783] A patch has been released by the official source. Please update to the relevant version: https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
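For CVE-2025-30154 the practical first step is to find every workflow that references reviewdog/action-setup, and the durable mitigation is to reference third-party actions by full commit SHA rather than by a mutable tag such as v1, since a tag can be moved to a malicious commit. The audit script below is an added example for this alert (not the reviewdog project's code and not from the advisory). It walks workflow text line by line, reports any use of the action named in the alert, and separately reports any third-party action not pinned to a 40-hex commit SHA. The sample workflow is constructed and its SHA is a placeholder; the advisory, not this script, is the source for which other reviewdog actions and which commits are affected.

```python
"""Audit GitHub Actions workflow text for the compromised reviewdog/action-setup
action and for third-party actions referenced by a mutable tag or branch
instead of a full commit SHA.

Added example for this alert; it is not the reviewdog project's code and not
from the advisory. The workflow below is a constructed sample and its 40-hex
value is a placeholder, not a real commit.
"""
import re
from typing import Dict, List

# "uses: owner/repo[/subdir]@ref", with or without a leading "- " and quotes.
# Local actions ("./path") and "docker://" images do not fit this shape and
# are intentionally skipped.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@'"\s]+)?)@(?P<ref>[^'"\s#]+)"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Owner/repo of the action named in the alert (GHSA-qmg3-hpqr-gqvc). The
# advisory lists further affected reviewdog actions; add them here from that
# source rather than guessing.
COMPROMISED_ACTIONS = {"reviewdog/action-setup"}


def is_sha_pinned(ref: str) -> bool:
    """True only for a full 40-hex commit SHA; tags and branches are mutable."""
    return bool(FULL_SHA_RE.match(ref))


def audit_workflow(text: str, path: str = "<inline>") -> List[Dict[str, str]]:
    """Return one finding per problematic `uses:` line, in file order."""
    findings: List[Dict[str, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        owner_repo = "/".join(action.split("/")[:2])
        where = f"{path}:{lineno}"
        if owner_repo in COMPROMISED_ACTIONS:
            # Even a SHA pin must be checked against the advisory's affected
            # commits, so every reference to the action is reported.
            findings.append({"where": where, "action": action, "ref": ref,
                             "severity": "high",
                             "issue": "action named in advisory; verify ref against GHSA-qmg3-hpqr-gqvc"})
        elif not is_sha_pinned(ref):
            findings.append({"where": where, "action": action, "ref": ref,
                             "severity": "medium",
                             "issue": "third-party action not pinned to a full commit SHA"})
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: reviewdog/action-setup@v1
        with:
          reviewdog_version: latest
      - name: shellcheck
        uses: "reviewdog/action-shellcheck@v1"   # mutable tag
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW, ".github/workflows/lint.yml"):
        print(f"{f['where']} [{f['severity']}] {f['action']}@{f['ref']}: {f['issue']}")
```

Point it at every file under .github/workflows/ in each repository (and at composite actions and reusable workflows, which also contain `uses:` lines). After the audit, rotate any secrets that a flagged workflow run could have exposed to its logs, since a clean re-pin does not recover credentials already written there.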
[Reference]
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of Education Information & Communication Security Contingency Platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer:
Computer Center