Search criteria
66 vulnerabilities found for pmb by sigb
FKIE_CVE-2025-61167
Vulnerability from fkie_nvd - Published: 2025-11-25 19:15 - Updated: 2025-12-01 14:20
Severity ?
Summary
SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://pmb.com | Not Applicable | |
| cve@mitre.org | http://sigb.com | Product | |
| cve@mitre.org | https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2 | Release Notes | |
| cve@mitre.org | https://gist.github.com/ZanyMonk/ed12e265f777152c33aeb806a644850e | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:8.0.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "98BC8F88-A54A-4323-8B11-8B7A16B88BE5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters."
}
],
"id": "CVE-2025-61167",
"lastModified": "2025-12-01T14:20:07.163",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-11-25T19:15:50.027",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "http://pmb.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://sigb.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/ZanyMonk/ed12e265f777152c33aeb806a644850e"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-61168
Vulnerability from fkie_nvd - Published: 2025-11-25 19:15 - Updated: 2025-12-01 14:21
Severity ?
Summary
An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://pmb.com | Not Applicable | |
| cve@mitre.org | http://sigb.com | Product | |
| cve@mitre.org | https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2 | Release Notes | |
| cve@mitre.org | https://gist.github.com/ZanyMonk/446f6875a2ceb3decef5ff1176428f9e | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:8.0.1.14:*:*:*:*:*:*:*",
"matchCriteriaId": "98BC8F88-A54A-4323-8B11-8B7A16B88BE5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file."
}
],
"id": "CVE-2025-61168",
"lastModified": "2025-12-01T14:21:40.760",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2025-11-25T19:15:50.180",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "http://pmb.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "http://sigb.com"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://gist.github.com/ZanyMonk/446f6875a2ceb3decef5ff1176428f9e"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-48742
Vulnerability from fkie_nvd - Published: 2025-05-27 04:15 - Updated: 2025-11-26 17:06
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The installer in SIGB PMB before and fixed in v.8.0.1.2 allows remote code execution.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "556A8FE3-0EC8-42E8-B1E0-9B512C169824",
"versionEndExcluding": "8.0.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The installer in SIGB PMB before and fixed in v.8.0.1.2 allows remote code execution."
},
{
"lang": "es",
"value": "El instalador de SIGB PMB anterior a 8.0.1.2 permite la ejecuci\u00f3n remota de c\u00f3digo."
}
],
"id": "CVE-2025-48742",
"lastModified": "2025-11-26T17:06:47.313",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-05-27T04:15:36.750",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#CHANGE-LOG-8012-2025-03-03"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.sigb.net/index.php?lvl=cmspage\u0026pageid=6\u0026id_rubrique=553\u0026opac_view=1"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-306"
}
],
"source": "cve@mitre.org",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-48744
Vulnerability from fkie_nvd - Published: 2025-05-27 03:15 - Updated: 2025-06-09 18:50
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In SIGB PMB before 8.0.1.2, attackers can achieve Local File Inclusion and remote code execution.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "556A8FE3-0EC8-42E8-B1E0-9B512C169824",
"versionEndExcluding": "8.0.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In SIGB PMB before 8.0.1.2, attackers can achieve Local File Inclusion and remote code execution."
},
{
"lang": "es",
"value": "En SIGB PMB anterior a 8.0.1.2, los atacantes pueden lograr la inclusi\u00f3n de archivos locales y la ejecuci\u00f3n remota de c\u00f3digo."
}
],
"id": "CVE-2025-48744",
"lastModified": "2025-06-09T18:50:58.620",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 2.7,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-05-27T03:15:23.707",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#CHANGE-LOG-8012-2025-03-03"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.sigb.net/index.php?lvl=cmspage\u0026pageid=6\u0026id_rubrique=553\u0026opac_view=1"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "cve@mitre.org",
"type": "Primary"
}
]
}
FKIE_CVE-2025-48743
Vulnerability from fkie_nvd - Published: 2025-05-27 03:15 - Updated: 2025-06-09 18:50
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SIGB PMB before 8.0.1.2 allows SQL injection.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "556A8FE3-0EC8-42E8-B1E0-9B512C169824",
"versionEndExcluding": "8.0.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "SIGB PMB before 8.0.1.2 allows SQL injection."
},
{
"lang": "es",
"value": "SIGB PMB anterior a 8.0.1.2 permite la inyecci\u00f3n de SQL."
}
],
"id": "CVE-2025-48743",
"lastModified": "2025-06-09T18:50:50.927",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "cve@mitre.org",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-05-27T03:15:23.487",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#CHANGE-LOG-8012-2025-03-03"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.sigb.net/index.php?lvl=cmspage\u0026pageid=6\u0026id_rubrique=553\u0026opac_view=1"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "cve@mitre.org",
"type": "Primary"
}
]
}
FKIE_CVE-2025-0472
Vulnerability from fkie_nvd - Published: 2025-01-16 13:15 - Updated: 2025-05-07 16:24
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "71D3AF47-1FBB-4F4D-B487-DDE3AB1FB5BB",
"versionEndIncluding": "4.2.13",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response."
},
{
"lang": "es",
"value": "Exposici\u00f3n de informaci\u00f3n en la plataforma PMB que afecta a las versiones 4.2.13 y anteriores. Esta vulnerabilidad permite a un atacante cargar un archivo al entorno y enumerar los archivos internos de una m\u00e1quina observando la respuesta de la solicitud."
}
],
"id": "CVE-2025-0472",
"lastModified": "2025-05-07T16:24:03.337",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-16T13:15:07.353",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "cve-coordination@incibe.es",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-0473
Vulnerability from fkie_nvd - Published: 2025-01-16 13:15 - Updated: 2025-05-07 16:23
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. This vulnerability exists in the file upload functionality on the ‘/pmb/authorities/import/iimport_authorities’ endpoint. When a file is uploaded via this resource, the server will create a temporary file that will be deleted after the client sends a POST request to ‘/pmb/authorities/import/iimport_authorities’. This workflow is automated by the web client, however an attacker can trap and launch the second POST request to prevent the temporary file from being deleted.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A6401CB3-4434-4086-AA89-E1326CED5673",
"versionStartIncluding": "4.0.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. This vulnerability exists in the file upload functionality on the \u2018/pmb/authorities/import/iimport_authorities\u2019 endpoint. When a file is uploaded via this resource, the server will create a temporary file that will be deleted after the client sends a POST request to \u2018/pmb/authorities/import/iimport_authorities\u2019. This workflow is automated by the web client, however an attacker can trap and launch the second POST request to prevent the temporary file from being deleted."
},
{
"lang": "es",
"value": "Vulnerabilidad en la plataforma PMB que permite a un atacante conservar archivos temporales en el servidor, afectando a las versiones 4.0.10 y posteriores. Esta vulnerabilidad existe en la funcionalidad de carga de archivos en el endpoint \u2018/pmb/authorities/import/iimport_authorities\u2019. Cuando se carga un archivo a trav\u00e9s de este recurso, el servidor crear\u00e1 un archivo temporal que se eliminar\u00e1 despu\u00e9s de que el cliente env\u00ede una solicitud POST a \u2018/pmb/authorities/import/iimport_authorities\u2019. Este workflow est\u00e1 automatizado por el cliente web, sin embargo, un atacante puede atrapar y lanzar la segunda solicitud POST para evitar que se elimine el archivo temporal."
}
],
"id": "CVE-2025-0473",
"lastModified": "2025-05-07T16:23:45.040",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-16T13:15:07.540",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-459"
}
],
"source": "cve-coordination@incibe.es",
"type": "Primary"
}
]
}
FKIE_CVE-2025-0471
Vulnerability from fkie_nvd - Published: 2025-01-16 13:15 - Updated: 2025-05-07 16:24
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, being able to access, modify and execute commands freely.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A6401CB3-4434-4086-AA89-E1326CED5673",
"versionStartIncluding": "4.0.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, being able to access, modify and execute commands freely."
},
{
"lang": "es",
"value": "Vulnerabilidad de subida de archivos sin restricciones en la plataforma PMB, que afecta a las versiones 4.0.10 y superiores. Esta vulnerabilidad podr\u00eda permitir a un atacante subir un archivo para obtener acceso remoto a la m\u00e1quina, pudiendo acceder, modificar y ejecutar comandos libremente."
}
],
"id": "CVE-2025-0471",
"lastModified": "2025-05-07T16:24:19.490",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "cve-coordination@incibe.es",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2025-01-16T13:15:06.973",
"references": [
{
"source": "cve-coordination@incibe.es",
"tags": [
"Third Party Advisory"
],
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform"
}
],
"sourceIdentifier": "cve-coordination@incibe.es",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "cve-coordination@incibe.es",
"type": "Primary"
}
]
}
FKIE_CVE-2024-26289
Vulnerability from fkie_nvd - Published: 2024-05-27 07:15 - Updated: 2025-04-04 16:39
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F1B8DE5B-25FD-4597-9593-CBA4D002C3EB",
"versionEndExcluding": "7.3.18",
"versionStartIncluding": "7.3.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DD281040-EE29-4128-847E-D7AC0396B713",
"versionEndExcluding": "7.4.9",
"versionStartIncluding": "7.4.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EC312B4B-5755-495F-A057-E9923865EF71",
"versionEndExcluding": "7.5.6-2",
"versionStartIncluding": "7.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18."
},
{
"lang": "es",
"value": "Vulnerabilidad de deserializaci\u00f3n de datos no confiables en PMB Services PMB permite la inclusi\u00f3n remota de c\u00f3digo. Este problema afecta a PMB: desde 7.5.1 anterior a 7.5.6-2, desde 7.4.1 anterior a 7.4.9, desde 7.3.1 anterior a 7.3.18."
}
],
"id": "CVE-2024-26289",
"lastModified": "2025-04-04T16:39:47.977",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-05-27T07:15:08.807",
"references": [
{
"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"tags": [
"Product"
],
"url": "https://forge.sigb.net/projects/pmb/files"
},
{
"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/enisaeu/CNW/blob/main/advisories/2024/CNW-2024-A-12.md"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://forge.sigb.net/projects/pmb/files"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/enisaeu/CNW/blob/main/advisories/2024/CNW-2024-A-12.md"
}
],
"sourceIdentifier": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-52155
Vulnerability from fkie_nvd - Published: 2024-02-21 22:15 - Updated: 2025-03-25 16:53
Severity ?
Summary
A SQL Injection vulnerability in /admin/sauvegarde/run.php in PMB 7.4.7 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via the sauvegardes variable through the /admin/sauvegarde/run.php endpoint.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01ED7E0A-E373-47DC-BB74-2DCC5288A628",
"versionEndIncluding": "7.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A SQL Injection vulnerability in /admin/sauvegarde/run.php in PMB 7.4.7 and earlier allows remote authenticated attackers to execute arbitrary SQL commands via the sauvegardes variable through the /admin/sauvegarde/run.php endpoint."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en /admin/sauvegarde/run.php en PMB 7.4.7 y anteriores permite a atacantes remotos autenticados ejecutar comandos SQL de su elecci\u00f3n a trav\u00e9s de la variable sauvegardes a trav\u00e9s del endpoint /admin/sauvegarde/run.php."
}
],
"id": "CVE-2023-52155",
"lastModified": "2025-03-25T16:53:20.547",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-21T22:15:49.117",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://nexacybersecurity.blogspot.com/2024/02/journey-finding-vulnerabilities-in-pmb-library-management-system.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://nexacybersecurity.blogspot.com/2024/02/journey-finding-vulnerabilities-in-pmb-library-management-system.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-52153
Vulnerability from fkie_nvd - Published: 2024-02-21 22:15 - Updated: 2025-03-25 16:53
Severity ?
Summary
A SQL Injection vulnerability in /pmb/opac_css/includes/sessions.inc.php in PMB 7.4.7 and earlier allows remote unauthenticated attackers to inject arbitrary SQL commands via the PmbOpac-LOGIN cookie value.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01ED7E0A-E373-47DC-BB74-2DCC5288A628",
"versionEndIncluding": "7.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A SQL Injection vulnerability in /pmb/opac_css/includes/sessions.inc.php in PMB 7.4.7 and earlier allows remote unauthenticated attackers to inject arbitrary SQL commands via the PmbOpac-LOGIN cookie value."
},
{
"lang": "es",
"value": "Una vulnerabilidad de inyecci\u00f3n SQL en /pmb/opac_css/includes/sessions.inc.php en PMB 7.4.7 y versiones anteriores permite a atacantes remotos no autenticados inyectar comandos SQL arbitrarios a trav\u00e9s del valor de cookie PmbOpac-LOGIN."
}
],
"id": "CVE-2023-52153",
"lastModified": "2025-03-25T16:53:09.960",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-21T22:15:49.023",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://nexacybersecurity.blogspot.com/2024/02/journey-finding-vulnerabilities-in-pmb-library-management-system.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://nexacybersecurity.blogspot.com/2024/02/journey-finding-vulnerabilities-in-pmb-library-management-system.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
FKIE_CVE-2023-52154
Vulnerability from fkie_nvd - Published: 2024-02-21 22:15 - Updated: 2025-03-25 16:53
Severity ?
Summary
File Upload vulnerability in pmb/camera_upload.php in PMB 7.4.7 and earlier allows attackers to run arbitrary code via upload of crafted PHTML files.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"matchCriteriaId": "01ED7E0A-E373-47DC-BB74-2DCC5288A628",
"versionEndIncluding": "7.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "File Upload vulnerability in pmb/camera_upload.php in PMB 7.4.7 and earlier allows attackers to run arbitrary code via upload of crafted PHTML files."
},
{
"lang": "es",
"value": "Vulnerabilidad de carga de archivos en pmb/camera_upload.php en PMB 7.4.7 y versiones anteriores permite a los atacantes ejecutar c\u00f3digo arbitrario mediante la carga de archivos PHTML manipulados."
}
],
"id": "CVE-2023-52154",
"lastModified": "2025-03-25T16:53:16.827",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-02-21T22:15:49.073",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://nexacybersecurity.blogspot.com/2024/02/journey-finding-vulnerabilities-in-pmb-library-management-system.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://nexacybersecurity.blogspot.com/2024/02/journey-finding-vulnerabilities-in-pmb-library-management-system.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
CVE-2025-61167 (GCVE-0-2025-61167)
Vulnerability from cvelistv5 – Published: 2025-11-25 00:00 – Updated: 2025-11-25 19:36
VLAI?
Summary
SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-25T19:36:27.489561Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T19:36:49.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T18:42:59.535Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://pmb.com"
},
{
"url": "http://sigb.com"
},
{
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2"
},
{
"url": "https://gist.github.com/ZanyMonk/ed12e265f777152c33aeb806a644850e"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61167",
"datePublished": "2025-11-25T00:00:00.000Z",
"dateReserved": "2025-09-26T00:00:00.000Z",
"dateUpdated": "2025-11-25T19:36:49.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61168 (GCVE-0-2025-61168)
Vulnerability from cvelistv5 – Published: 2025-11-25 00:00 – Updated: 2025-11-25 20:28
VLAI?
Summary
An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-25T20:28:39.941662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T20:28:42.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T18:38:12.182Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://pmb.com"
},
{
"url": "http://sigb.com"
},
{
"url": "https://gist.github.com/ZanyMonk/446f6875a2ceb3decef5ff1176428f9e"
},
{
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61168",
"datePublished": "2025-11-25T00:00:00.000Z",
"dateReserved": "2025-09-26T00:00:00.000Z",
"dateUpdated": "2025-11-25T20:28:42.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48744 (GCVE-0-2025-48744)
Vulnerability from cvelistv5 – Published: 2025-05-27 00:00 – Updated: 2025-05-27 14:08
VLAI?
Summary
In SIGB PMB before 8.0.1.2, attackers can achieve Local File Inclusion and remote code execution.
Severity ?
6.4 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T14:08:16.004119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T14:08:23.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB",
"vendor": "SIGB",
"versions": [
{
"lessThan": "8.0.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.0.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In SIGB PMB before 8.0.1.2, attackers can achieve Local File Inclusion and remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T02:48:37.533Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.sigb.net/index.php?lvl=cmspage\u0026pageid=6\u0026id_rubrique=553\u0026opac_view=1"
},
{
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#CHANGE-LOG-8012-2025-03-03"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48744",
"datePublished": "2025-05-27T00:00:00.000Z",
"dateReserved": "2025-05-23T00:00:00.000Z",
"dateUpdated": "2025-05-27T14:08:23.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48742 (GCVE-0-2025-48742)
Vulnerability from cvelistv5 – Published: 2025-05-27 00:00 – Updated: 2025-06-03 17:40
VLAI?
Summary
The installer in SIGB PMB before and fixed in v.8.0.1.2 allows remote code execution.
Severity ?
5.4 (Medium)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-03T17:40:12.790116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T17:40:18.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB",
"vendor": "SIGB",
"versions": [
{
"lessThan": "8.0.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.0.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The installer in SIGB PMB before and fixed in v.8.0.1.2 allows remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T17:03:44.340Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.sigb.net/index.php?lvl=cmspage\u0026pageid=6\u0026id_rubrique=553\u0026opac_view=1"
},
{
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#CHANGE-LOG-8012-2025-03-03"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48742",
"datePublished": "2025-05-27T00:00:00.000Z",
"dateReserved": "2025-05-23T00:00:00.000Z",
"dateUpdated": "2025-06-03T17:40:18.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48743 (GCVE-0-2025-48743)
Vulnerability from cvelistv5 – Published: 2025-05-27 00:00 – Updated: 2025-05-27 13:43
VLAI?
Summary
SIGB PMB before 8.0.1.2 allows SQL injection.
Severity ?
5.3 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T13:43:33.136555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T13:43:47.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB",
"vendor": "SIGB",
"versions": [
{
"lessThan": "8.0.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.0.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SIGB PMB before 8.0.1.2 allows SQL injection."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T02:49:55.088Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.sigb.net/index.php?lvl=cmspage\u0026pageid=6\u0026id_rubrique=553\u0026opac_view=1"
},
{
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#CHANGE-LOG-8012-2025-03-03"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48743",
"datePublished": "2025-05-27T00:00:00.000Z",
"dateReserved": "2025-05-23T00:00:00.000Z",
"dateUpdated": "2025-05-27T13:43:47.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0473 (GCVE-0-2025-0473)
Vulnerability from cvelistv5 – Published: 2025-01-16 13:09 – Updated: 2025-01-16 14:09
VLAI?
Summary
Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. This vulnerability exists in the file upload functionality on the ‘/pmb/authorities/import/iimport_authorities’ endpoint. When a file is uploaded via this resource, the server will create a temporary file that will be deleted after the client sends a POST request to ‘/pmb/authorities/import/iimport_authorities’. This workflow is automated by the web client, however an attacker can trap and launch the second POST request to prevent the temporary file from being deleted.
Severity ?
6.5 (Medium)
CWE
- CWE-459 - Incomplete Cleanup
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PMB Services | PMB platform |
Affected:
4.0.10
(custom)
|
Credits
Pau Valls Peleteiro
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T14:09:47.385450Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T14:09:54.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB platform",
"vendor": "PMB Services",
"versions": [
{
"status": "affected",
"version": "4.0.10",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pau Valls Peleteiro"
}
],
"datePublic": "2025-01-14T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. This vulnerability exists in the file upload functionality on the \u2018/pmb/authorities/import/iimport_authorities\u2019 endpoint. When a file is uploaded via this resource, the server will create a temporary file that will be deleted after the client sends a POST request to \u2018/pmb/authorities/import/iimport_authorities\u2019. This workflow is automated by the web client, however an attacker can trap and launch the second POST request to prevent the temporary file from being deleted."
}
],
"value": "Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. This vulnerability exists in the file upload functionality on the \u2018/pmb/authorities/import/iimport_authorities\u2019 endpoint. When a file is uploaded via this resource, the server will create a temporary file that will be deleted after the client sends a POST request to \u2018/pmb/authorities/import/iimport_authorities\u2019. This workflow is automated by the web client, however an attacker can trap and launch the second POST request to prevent the temporary file from being deleted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-459",
"description": "CWE-459 Incomplete Cleanup",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T13:09:14.896Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incomplete Cleanup vulnerability in PMB platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-0473",
"datePublished": "2025-01-16T13:09:14.896Z",
"dateReserved": "2025-01-14T12:44:15.826Z",
"dateUpdated": "2025-01-16T14:09:54.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0472 (GCVE-0-2025-0472)
Vulnerability from cvelistv5 – Published: 2025-01-16 13:03 – Updated: 2025-01-16 14:10
VLAI?
Summary
Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PMB Services | PMB platform |
Affected:
0 , ≤ 4.2.13
(custom)
|
Credits
Pau Valls Peleteiro
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T14:10:14.417802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T14:10:21.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB platform",
"vendor": "PMB Services",
"versions": [
{
"lessThanOrEqual": "4.2.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pau Valls Peleteiro"
}
],
"datePublic": "2025-01-14T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response."
}
],
"value": "Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T13:03:28.285Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Information exposure vulnerability in PMB platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-0472",
"datePublished": "2025-01-16T13:03:28.285Z",
"dateReserved": "2025-01-14T12:44:14.890Z",
"dateUpdated": "2025-01-16T14:10:21.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0471 (GCVE-0-2025-0471)
Vulnerability from cvelistv5 – Published: 2025-01-16 13:02 – Updated: 2025-01-16 14:10
VLAI?
Summary
Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, being able to access, modify and execute commands freely.
Severity ?
9.9 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PMB Services | PMB platform |
Affected:
4.0.10
(custom)
|
Credits
Pau Valls Peleteiro
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0471",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T14:10:42.593567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T14:10:49.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB platform",
"vendor": "PMB Services",
"versions": [
{
"status": "affected",
"version": "4.0.10",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pau Valls Peleteiro"
}
],
"datePublic": "2025-01-14T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, being able to access, modify and execute commands freely."
}
],
"value": "Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, being able to access, modify and execute commands freely."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T13:02:16.104Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unrestricted Upload of File with Dangerous Type vulnerability in PMB platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-0471",
"datePublished": "2025-01-16T13:02:16.104Z",
"dateReserved": "2025-01-14T12:44:12.805Z",
"dateUpdated": "2025-01-16T14:10:49.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26289 (GCVE-0-2024-26289)
Vulnerability from cvelistv5 – Published: 2024-05-27 07:01 – Updated: 2024-08-02 00:07
VLAI?
Summary
Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PMB Services | PMB |
Affected:
7.5.1 , < 7.5.6-2
(semver)
Affected: 7.4.1 , < 7.4.9 (semver) Affected: 7.3.1 , < 7.3.18 (semver) |
Credits
Johan Caluwe from CCB / CERT.be
ANSSI / CERT-FR
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pmb_services:pmb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pmb",
"vendor": "pmb_services",
"versions": [
{
"lessThan": "7.5.6-2",
"status": "affected",
"version": "7.5.1",
"versionType": "custom"
},
{
"lessThan": "7.4.9",
"status": "affected",
"version": "7.4.1",
"versionType": "custom"
},
{
"lessThan": "7.3.18",
"status": "affected",
"version": "7.3.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T15:28:35.280065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:49:10.606Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://github.com/enisaeu/CNW/blob/main/advisories/2024/CNW-2024-A-12.md"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://forge.sigb.net/projects/pmb/files"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "PMB",
"vendor": "PMB Services",
"versions": [
{
"lessThan": "7.5.6-2",
"status": "affected",
"version": "7.5.1",
"versionType": "semver"
},
{
"lessThan": "7.4.9",
"status": "affected",
"version": "7.4.1",
"versionType": "semver"
},
{
"lessThan": "7.3.18",
"status": "affected",
"version": "7.3.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Johan Caluwe from CCB / CERT.be"
},
{
"lang": "en",
"type": "coordinator",
"value": "ANSSI / CERT-FR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.\u003cp\u003eThis issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253 Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-27T07:01:52.386Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/enisaeu/CNW/blob/main/advisories/2024/CNW-2024-A-12.md"
},
{
"tags": [
"product"
],
"url": "https://forge.sigb.net/projects/pmb/files"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote Code Inclusion Vulnerability in Multiple PMB Versions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2024-26289",
"datePublished": "2024-05-27T07:01:52.386Z",
"dateReserved": "2024-02-16T16:12:43.383Z",
"dateUpdated": "2024-08-02T00:07:19.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61167 (GCVE-0-2025-61167)
Vulnerability from nvd – Published: 2025-11-25 00:00 – Updated: 2025-11-25 19:36
VLAI?
Summary
SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-25T19:36:27.489561Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T19:36:49.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SIGB PMB v8.0.1.14 was discovered to contain multiple SQL injection vulnerabilities in the /opac_css/ajax_selector.php component via the id and datas parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T18:42:59.535Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://pmb.com"
},
{
"url": "http://sigb.com"
},
{
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2"
},
{
"url": "https://gist.github.com/ZanyMonk/ed12e265f777152c33aeb806a644850e"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61167",
"datePublished": "2025-11-25T00:00:00.000Z",
"dateReserved": "2025-09-26T00:00:00.000Z",
"dateUpdated": "2025-11-25T19:36:49.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61168 (GCVE-0-2025-61168)
Vulnerability from nvd – Published: 2025-11-25 00:00 – Updated: 2025-11-25 20:28
VLAI?
Summary
An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file.
Severity ?
9.8 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61168",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-25T20:28:39.941662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T20:28:42.777Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in the cms_rest.php component of SIGB PMB v8.0.1.14 allows attackers to execute arbitrary code via unserializing an arbitrary file."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-25T18:38:12.182Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://pmb.com"
},
{
"url": "http://sigb.com"
},
{
"url": "https://gist.github.com/ZanyMonk/446f6875a2ceb3decef5ff1176428f9e"
},
{
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#S%C3%A9curit%C3%A9-2"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-61168",
"datePublished": "2025-11-25T00:00:00.000Z",
"dateReserved": "2025-09-26T00:00:00.000Z",
"dateUpdated": "2025-11-25T20:28:42.777Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-48744 (GCVE-0-2025-48744)
Vulnerability from nvd – Published: 2025-05-27 00:00 – Updated: 2025-05-27 14:08
VLAI?
Summary
In SIGB PMB before 8.0.1.2, attackers can achieve Local File Inclusion and remote code execution.
Severity ?
6.4 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48744",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T14:08:16.004119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T14:08:23.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB",
"vendor": "SIGB",
"versions": [
{
"lessThan": "8.0.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.0.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In SIGB PMB before 8.0.1.2, attackers can achieve Local File Inclusion and remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T02:48:37.533Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.sigb.net/index.php?lvl=cmspage\u0026pageid=6\u0026id_rubrique=553\u0026opac_view=1"
},
{
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#CHANGE-LOG-8012-2025-03-03"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48744",
"datePublished": "2025-05-27T00:00:00.000Z",
"dateReserved": "2025-05-23T00:00:00.000Z",
"dateUpdated": "2025-05-27T14:08:23.205Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48742 (GCVE-0-2025-48742)
Vulnerability from nvd – Published: 2025-05-27 00:00 – Updated: 2025-06-03 17:40
VLAI?
Summary
The installer in SIGB PMB before and fixed in v.8.0.1.2 allows remote code execution.
Severity ?
5.4 (Medium)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48742",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-03T17:40:12.790116Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T17:40:18.320Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB",
"vendor": "SIGB",
"versions": [
{
"lessThan": "8.0.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.0.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The installer in SIGB PMB before and fixed in v.8.0.1.2 allows remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-29T17:03:44.340Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.sigb.net/index.php?lvl=cmspage\u0026pageid=6\u0026id_rubrique=553\u0026opac_view=1"
},
{
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#CHANGE-LOG-8012-2025-03-03"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48742",
"datePublished": "2025-05-27T00:00:00.000Z",
"dateReserved": "2025-05-23T00:00:00.000Z",
"dateUpdated": "2025-06-03T17:40:18.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48743 (GCVE-0-2025-48743)
Vulnerability from nvd – Published: 2025-05-27 00:00 – Updated: 2025-05-27 13:43
VLAI?
Summary
SIGB PMB before 8.0.1.2 allows SQL injection.
Severity ?
5.3 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-27T13:43:33.136555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T13:43:47.223Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB",
"vendor": "SIGB",
"versions": [
{
"lessThan": "8.0.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sigb:pmb:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.0.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SIGB PMB before 8.0.1.2 allows SQL injection."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-27T02:49:55.088Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.sigb.net/index.php?lvl=cmspage\u0026pageid=6\u0026id_rubrique=553\u0026opac_view=1"
},
{
"url": "https://forge.sigb.net/projects/pmb/wiki/Changelog_801#CHANGE-LOG-8012-2025-03-03"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-48743",
"datePublished": "2025-05-27T00:00:00.000Z",
"dateReserved": "2025-05-23T00:00:00.000Z",
"dateUpdated": "2025-05-27T13:43:47.223Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0473 (GCVE-0-2025-0473)
Vulnerability from nvd – Published: 2025-01-16 13:09 – Updated: 2025-01-16 14:09
VLAI?
Summary
Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. This vulnerability exists in the file upload functionality on the ‘/pmb/authorities/import/iimport_authorities’ endpoint. When a file is uploaded via this resource, the server will create a temporary file that will be deleted after the client sends a POST request to ‘/pmb/authorities/import/iimport_authorities’. This workflow is automated by the web client, however an attacker can trap and launch the second POST request to prevent the temporary file from being deleted.
Severity ?
6.5 (Medium)
CWE
- CWE-459 - Incomplete Cleanup
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PMB Services | PMB platform |
Affected:
4.0.10
(custom)
|
Credits
Pau Valls Peleteiro
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T14:09:47.385450Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T14:09:54.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB platform",
"vendor": "PMB Services",
"versions": [
{
"status": "affected",
"version": "4.0.10",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pau Valls Peleteiro"
}
],
"datePublic": "2025-01-14T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. This vulnerability exists in the file upload functionality on the \u2018/pmb/authorities/import/iimport_authorities\u2019 endpoint. When a file is uploaded via this resource, the server will create a temporary file that will be deleted after the client sends a POST request to \u2018/pmb/authorities/import/iimport_authorities\u2019. This workflow is automated by the web client, however an attacker can trap and launch the second POST request to prevent the temporary file from being deleted."
}
],
"value": "Vulnerability in the PMB platform that allows an attacker to persist temporary files on the server, affecting versions 4.0.10 and above. This vulnerability exists in the file upload functionality on the \u2018/pmb/authorities/import/iimport_authorities\u2019 endpoint. When a file is uploaded via this resource, the server will create a temporary file that will be deleted after the client sends a POST request to \u2018/pmb/authorities/import/iimport_authorities\u2019. This workflow is automated by the web client, however an attacker can trap and launch the second POST request to prevent the temporary file from being deleted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-459",
"description": "CWE-459 Incomplete Cleanup",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T13:09:14.896Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Incomplete Cleanup vulnerability in PMB platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-0473",
"datePublished": "2025-01-16T13:09:14.896Z",
"dateReserved": "2025-01-14T12:44:15.826Z",
"dateUpdated": "2025-01-16T14:09:54.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0472 (GCVE-0-2025-0472)
Vulnerability from nvd – Published: 2025-01-16 13:03 – Updated: 2025-01-16 14:10
VLAI?
Summary
Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response.
Severity ?
7.5 (High)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PMB Services | PMB platform |
Affected:
0 , ≤ 4.2.13
(custom)
|
Credits
Pau Valls Peleteiro
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0472",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T14:10:14.417802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T14:10:21.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB platform",
"vendor": "PMB Services",
"versions": [
{
"lessThanOrEqual": "4.2.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pau Valls Peleteiro"
}
],
"datePublic": "2025-01-14T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response."
}
],
"value": "Information exposure in the PMB platform affecting versions 4.2.13 and earlier. This vulnerability allows an attacker to upload a file to the environment and enumerate the internal files of a machine by looking at the request response."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T13:03:28.285Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Information exposure vulnerability in PMB platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-0472",
"datePublished": "2025-01-16T13:03:28.285Z",
"dateReserved": "2025-01-14T12:44:14.890Z",
"dateUpdated": "2025-01-16T14:10:21.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-0471 (GCVE-0-2025-0471)
Vulnerability from nvd – Published: 2025-01-16 13:02 – Updated: 2025-01-16 14:10
VLAI?
Summary
Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, being able to access, modify and execute commands freely.
Severity ?
9.9 (Critical)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PMB Services | PMB platform |
Affected:
4.0.10
(custom)
|
Credits
Pau Valls Peleteiro
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-0471",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-16T14:10:42.593567Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T14:10:49.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PMB platform",
"vendor": "PMB Services",
"versions": [
{
"status": "affected",
"version": "4.0.10",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pau Valls Peleteiro"
}
],
"datePublic": "2025-01-14T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, being able to access, modify and execute commands freely."
}
],
"value": "Unrestricted file upload vulnerability in the PMB platform, affecting versions 4.0.10 and above. This vulnerability could allow an attacker to upload a file to gain remote access to the machine, being able to access, modify and execute commands freely."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-16T13:02:16.104Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-pmb-platform"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Unrestricted Upload of File with Dangerous Type vulnerability in PMB platform",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-0471",
"datePublished": "2025-01-16T13:02:16.104Z",
"dateReserved": "2025-01-14T12:44:12.805Z",
"dateUpdated": "2025-01-16T14:10:49.124Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26289 (GCVE-0-2024-26289)
Vulnerability from nvd – Published: 2024-05-27 07:01 – Updated: 2024-08-02 00:07
VLAI?
Summary
Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| PMB Services | PMB |
Affected:
7.5.1 , < 7.5.6-2
(semver)
Affected: 7.4.1 , < 7.4.9 (semver) Affected: 7.3.1 , < 7.3.18 (semver) |
Credits
Johan Caluwe from CCB / CERT.be
ANSSI / CERT-FR
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:pmb_services:pmb:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pmb",
"vendor": "pmb_services",
"versions": [
{
"lessThan": "7.5.6-2",
"status": "affected",
"version": "7.5.1",
"versionType": "custom"
},
{
"lessThan": "7.4.9",
"status": "affected",
"version": "7.4.1",
"versionType": "custom"
},
{
"lessThan": "7.3.18",
"status": "affected",
"version": "7.3.1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-28T15:28:35.280065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:49:10.606Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.301Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://github.com/enisaeu/CNW/blob/main/advisories/2024/CNW-2024-A-12.md"
},
{
"tags": [
"product",
"x_transferred"
],
"url": "https://forge.sigb.net/projects/pmb/files"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "PMB",
"vendor": "PMB Services",
"versions": [
{
"lessThan": "7.5.6-2",
"status": "affected",
"version": "7.5.1",
"versionType": "semver"
},
{
"lessThan": "7.4.9",
"status": "affected",
"version": "7.4.1",
"versionType": "semver"
},
{
"lessThan": "7.3.18",
"status": "affected",
"version": "7.3.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Johan Caluwe from CCB / CERT.be"
},
{
"lang": "en",
"type": "coordinator",
"value": "ANSSI / CERT-FR"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.\u003cp\u003eThis issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in PMB Services PMB allows Remote Code Inclusion.This issue affects PMB: from 7.5.1 before 7.5.6-2, from 7.4.1 before 7.4.9, from 7.3.1 before 7.3.18."
}
],
"impacts": [
{
"capecId": "CAPEC-253",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-253 Remote Code Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-27T07:01:52.386Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/enisaeu/CNW/blob/main/advisories/2024/CNW-2024-A-12.md"
},
{
"tags": [
"product"
],
"url": "https://forge.sigb.net/projects/pmb/files"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Remote Code Inclusion Vulnerability in Multiple PMB Versions",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2024-26289",
"datePublished": "2024-05-27T07:01:52.386Z",
"dateReserved": "2024-02-16T16:12:43.383Z",
"dateUpdated": "2024-08-02T00:07:19.301Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}