Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for April 06-07, 2025

In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between April 06-07, 2025.
During this period, the National Vulnerability Database published 28 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:

Critical: 0
High: 1
Medium: 21
Low: 0
Severity Not Assigned: 6

Identifying and understanding these vulnerabilities is a pivotal step towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High severity vulnerabilities that demand immediate attention.

1. CVE-2025-32370
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: Kentico Xperience before 13.0.178 has a specific set of allowed ContentUploader file extensions for unauthenticated uploads; however, because .zip is processed through TryZipProviderSafe, there is additional functionality to create files with other extensions. NOTE: this is a separate issue not necessarily related to SVG or XSS.
References:
https://devnet.kentico.com/download/hotfixes
https://labs.watchtowr.com/xss-to-rce-by-abusing-custom-file-handlers-kentico-xperience-cms-cve-2025-2748/

CWE-ID: CWE-912
Common Platform Enumerations (CPE): Not Found