F5 產品多個漏洞

發佈日期: 2025年02月25日

風險: 高度風險

類型: 操作系統 - Network

於 F5 產品發現多個漏洞。攻擊者可利用此漏洞，於目標系統觸發遠端執行任意程式碼、阻斷服務狀況及權限提升。

 

注意：

受影響之系統或技術暫無可修補 CVE-2016-9840、CVE-2016-9841、CVE-2019-17563、CVE-2020-8037、CVE-2023-2650 和 CVE-2023-45853 的修補程式。受影響之系統或技術暫無可修補 CVE-2024-6119 的修補程式或臨時處理方法。 因此，風險等級評為高度風險。

 

---

影響

• 阻斷服務
• 權限提升
• 遠端執行程式碼

---

受影響之系統或技術

BIG-IP (all modules)

• 17.0.0 - 17.1.2
• 16.0.0 - 16.1.5
• 15.0.0 - 15.1.10
• 14.1.0 - 14.1.5
• 13.1.0 - 13.1.5
• 12.1.0 - 12.1.6
• 11.5.2 - 11.6.5

 

BIG-IQ Centralized Management

• 8.0.0 - 8.3.0

 

BIG-IP Next (LTM)

• 20.2.0 - 20.3.0

 

BIG-IP Next SPK

• 1.7.0 - 1.9.2

 

BIG-IP Next CNF

• 1.1.0 - 1.4.0

 

APM Clients

• 7.2.4 - 7.2.5

 

F5OS-A

• 1.8.0
• 1.7.0
• 1.5.0 - 1.5.2
• 1.4.0
• 1.3.0 - 1.3.2

 

F5OS-C

• 1.8.0
• 1.6.0 - 1.6.2
• 1.5.0 - 1.5.1

 

Traffix SDC

• 5.2.0
• 5.1.0

---

解決方案

臨時處理方法：

從以下臨時處理方法以減輕攻擊：

 

針對 CVE-2016-9840：

 

1. 在 BIG-IP 系統上禁用 HTTP 壓縮。
2. 在 iRules 中禁用壓縮。

請瀏覽供應商之網站，以獲得更多詳細資料。

 

應用供應商提供的臨時處理方法：

• https://my.f5.com/manage/s/article/K000149905

 

針對 CVE-2019-17563：

 

1. 通過 Self IP 地址阻止配置工具的訪問。
2. 通過 management interface 阻止配置工具的訪問。

請瀏覽供應商之網站，以獲得更多詳細資料。

 

應用供應商提供的臨時處理方法：

• https://my.f5.com/manage/s/article/K24551552

 

針對 CVE-2023-45853：

 

1. 確保受影響的系統僅接受來自受信任用戶的 ZIP 文件。

請瀏覽供應商之網站，以獲得更多詳細資料。

 

應用供應商提供的臨時處理方法：

• https://my.f5.com/manage/s/article/K000149884

 

針對 CVE-2023-2650：

 

1. 不要為客戶端 SSL 配置文件配置客戶端證書驗證，或為服務器 SSL 配置文件配置服務器證書驗證（適用於 BIG-IP）。
2. 不要在服務器中為 httpd 配置客戶端證書驗證。如果之前已實施客戶端證書，請將其移除（適用於 BIG-IP 和 BIG-IQ）。

請瀏覽供應商之網站，以獲得更多詳細資料。

 

應用供應商提供的臨時處理方法：

• https://my.f5.com/manage/s/article/K000135178

 

針對 CVE-2020-8037：

 

1. 通過 self IP 地址阻止 SSH 訪問（適用於 BIG-IP）。
2. 通過 management interface 阻止 SSH 訪問（適用於 BIG-IP）。
3. 將CLI 訪問限制於 root 用戶（適用於 F5OS）。

請瀏覽供應商之網站，以獲得更多詳細資料。

 

應用供應商提供的臨時處理方法：

• https://my.f5.com/manage/s/article/K000149929

 

針對 CVE-2016-9841：

 

1. 禁用 HTTP 壓縮（適用於 BIG-IP）。
2. 在網絡訪問和連接配置文件中禁用壓縮（適用於 BIG-IP APM 客戶端）。

請瀏覽供應商之網站，以獲得更多詳細資料。

 

應用供應商提供的臨時處理方法：

• https://my.f5.com/manage/s/article/K000149915

 

 

---

漏洞識別碼

• CVE-2016-9840
• CVE-2016-9841
• CVE-2019-17563
• CVE-2020-8037
• CVE-2023-2650
• CVE-2023-45853
• CVE-2024-6119

---

資料來源

• F5

---

相關連結

• https://my.f5.com/manage/s/article/K000149905
• https://my.f5.com/manage/s/article/K24551552
• https://my.f5.com/manage/s/article/K000149884
• https://my.f5.com/manage/s/article/K000135178
• https://my.f5.com/manage/s/article/K000149304
• https://my.f5.com/manage/s/article/K000149929
• https://my.f5.com/manage/s/article/K000149915

F5 Products Multiple Vulnerabilities

Release Date: 25 Feb 2025

RISK: High Risk

TYPE: Operating Systems - Networks OS

Multiple vulnerabilities were identified in F5 Products, attacker can exploit this vulnerability to trigger remote code execution, denial of service condition and elevation of privilege on the targeted system.

 

Note:

No patch is currently available for  CVE-2016-9840, CVE-2016-9841, CVE-2019-17563, CVE-2020-8037, CVE-2023-2650 and CVE-2023-45853 of the affected products. No patch or workaround is currently available for CVE-2024-6119. Hence, the risk level is rated as High Risk.

---

Impact

• Denial of Service
• Elevation of Privilege
• Remote Code Execution

---

System / Technologies affected

BIG-IP (all modules)

• 17.0.0 - 17.1.2
• 16.0.0 - 16.1.5
• 15.0.0 - 15.1.10
• 14.1.0 - 14.1.5
• 13.1.0 - 13.1.5
• 12.1.0 - 12.1.6
• 11.5.2 - 11.6.5

 

BIG-IQ Centralized Management

• 8.0.0 - 8.3.0

 

BIG-IP Next (LTM)

• 20.2.0 - 20.3.0

 

BIG-IP Next SPK

• 1.7.0 - 1.9.2

 

BIG-IP Next CNF

• 1.1.0 - 1.4.0

 

APM Clients

• 7.2.4 - 7.2.5

 

F5OS-A

• 1.8.0
• 1.7.0
• 1.5.0 - 1.5.2
• 1.4.0
• 1.3.0 - 1.3.2

 

F5OS-C

• 1.8.0
• 1.6.0 - 1.6.2
• 1.5.0 - 1.5.1

 

Traffix SDC

• 5.2.0
• 5.1.0

---

Solutions

Workaround:

Mitigate the vulnerability of attacks by following workaround:

 

For CVE-2016-9840:

 

1. Disable HTTP compression on the BIG-IP system.
2. Disable compression in iRules. 

Please visit the vendor web-site for more details.

 

Apply workarounds issued by the vendor:

• https://my.f5.com/manage/s/article/K000149905

 

For CVE-2019-17563:

 

1. Block Configuration utility access through self IP addresses.
2. Block Configuration utility access through the management interface.

Please visit the vendor web-site for more details.

 

Apply workarounds issued by the vendor:

• https://my.f5.com/manage/s/article/K24551552

 

For CVE-2023-45853:

 

1. Ensure that the affected system accepts ZIP files from only trusted users.

Please visit the vendor web-site for more details.

 

Apply workarounds issued by the vendor:

• https://my.f5.com/manage/s/article/K000149884

 

For CVE-2023-2650:

 

1. Do not configure client certificate authentication for the Client SSL profile or server certificate authentication for the Server SSL profile (For BIG-IP)
2. Do not configure httpd for client-side certificate authentication in the server. If client-side certificates have been previously implemented, remove them (For BIG-IP and BIG-IQ)

Please visit the vendor web-site for more details.

 

Apply workarounds issued by the vendor:

• https://my.f5.com/manage/s/article/K000135178

 

For CVE-2020-8037:

 

1. Block SSH access through self IP addresses (For BIG-IP)
2. Block SSH access through the management interface (For BIG-IP)
3. Restrict CLI access to the root user (For F5OS)

Please visit the vendor web-site for more details.

 

Apply workarounds issued by the vendor:

• https://my.f5.com/manage/s/article/K000149929

 

For CVE-2016-9841:

 

1. Disable HTTP compression (For BIG-IP)
2. Disable compression in network access and connectivity profiles (For BIG-IP APM Clients)

Please visit the vendor web-site for more details.

 

Apply workarounds issued by the vendor:

• https://my.f5.com/manage/s/article/K000149915

 

 

---

Vulnerability Identifier

• CVE-2016-9840
• CVE-2016-9841
• CVE-2019-17563
• CVE-2020-8037
• CVE-2023-2650
• CVE-2023-45853
• CVE-2024-6119

---

Source

• F5

---

Related Link

• https://my.f5.com/manage/s/article/K000149905
• https://my.f5.com/manage/s/article/K24551552
• https://my.f5.com/manage/s/article/K000149884
• https://my.f5.com/manage/s/article/K000135178
• https://my.f5.com/manage/s/article/K000149304
• https://my.f5.com/manage/s/article/K000149929
• https://my.f5.com/manage/s/article/K000149915

Microsoft Edge 多個漏洞

發佈日期: 2025年02月24日

風險: 中度風險

類型: 用戶端 - 瀏覽器

於 Microsoft Edge 發現多個漏洞。遠端攻擊者可利用這些漏洞，於目標系統觸發遠端執行任意程式碼。

---

影響

• 遠端執行程式碼

---

受影響之系統或技術

• Microsoft Edge Stable Channel 133.0.3065.82 之前的版本
• Microsoft Edge Extended Stable Channel 132.0.2957.171 之前的版本

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

安裝軟件供應商提供的修補程式：

• 更新至 Microsoft Edge Stable Channel 133.0.3065.82 或之後的版本
• 更新至 Microsoft Edge Extended Stable Channel 132.0.2957.171 或之後的版本

---

漏洞識別碼

• CVE-2025-21279
• CVE-2025-21283
• CVE-2025-21342
• CVE-2025-21408

---

資料來源

• Microsoft Edge

---

相關連結

• https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#february-20-2025
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21279
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21283
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21408
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21342

Microsoft Edge Multiple Vulnerabilities

Release Date: 24 Feb 2025

RISK: Medium Risk

TYPE: Clients - Browsers

Multiple vulnerabilities were identified in Microsoft Edge. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution on the targeted system.

---

Impact

• Remote Code Execution

---

System / Technologies affected

• Microsoft Edge Stable Channel version prior to 133.0.3065.82
• Microsoft Edge Extended Stable Channel version prior to 132.0.2957.171

---

Solutions

Before installation of the software, please visit the software vendor web-site for more details.

Apply fixes issued by the vendor:

• Update to Microsoft Edge Stable Channel version 133.0.3065.82 or later
• Update to Microsoft Edge Extended Stable Channel version 132.0.2957.171 or later

---

Vulnerability Identifier

• CVE-2025-21279
• CVE-2025-21283
• CVE-2025-21342
• CVE-2025-21408

---

Source

• Microsoft Edge

---

Related Link

• https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#february-20-2025
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21279
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21283
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21408
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21342

Palo Alto PAN-OS 敏感資料洩露漏洞

發佈日期: 2025年02月21日

風險: 中度風險

類型: 保安軟件及應用設備 - 保安軟件及應用設備

在 Palo Alto PAN-OS 發現一個漏洞。遠端攻擊者可利用此漏洞，於目標系統觸發敏感資料洩露。

 

注意：

CVE-2025-0111 正被廣泛利用。利用 CVE-2025-0111 將導致 Palo Alto Networks PAN-OS 軟體中的認證檔案讀取漏洞，使擁有管理 Web 介面網路存取權限的認證攻擊者，能夠讀取 PAN-OS 檔案系統中，「nobody」使用者可讀取的檔案。

---

影響

• 資料洩露

---

受影響之系統或技術

• PAN-OS < 10.1.14-h9 的版本
• PAN-OS < 10.2.7-h24, < 10.2.8-h21, < 10.2.9-h21, < 10.2.10-h14, < 10.2.11-h12, < 10.2.12-h6, < 10.2.13-h3 的版本
• PAN-OS < 11.1.2-h18, < 11.1.6-h1 的版本
• PAN-OS < 11.2.4-h4 的版本

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

 

• 安裝供應商提供的修補程式
• 詳情請參閱以下連結：
  https://securityadvisories.paloaltonetworks.com/CVE-2025-0111

---

漏洞識別碼

• CVE-2025-0111

---

資料來源

• Palo Alto

---

相關連結

• https://securityadvisories.paloaltonetworks.com/CVE-2025-0111

Palo Alto PAN-OS Information Disclosure Vulnerability

Release Date: 21 Feb 2025

RISK: Medium Risk

TYPE: Security software and application - Security Software & Appliance

A vulnerability was identified in Palo Alto PAN-OS. A remote attacker can exploit this vulnerability to trigger information disclosure on the targeted system.

 

Note:

 

CVE-2025-0111 is being exploited in the wild. Exploitation of CVE-2025-0111 will cause an authenticated file read vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker with network access to the management web interface to read files on the PAN-OS filesystem that are readable by the “nobody” user.

---

Impact

• Information Disclosure

---

System / Technologies affected

• PAN-OS 10.1 versions < 10.1.14-h9
• PAN-OS 10.2 versions < 10.2.7-h24, < 10.2.8-h21, < 10.2.9-h21, < 10.2.10-h14, < 10.2.11-h12, < 10.2.12-h6, < 10.2.13-h3
• PAN-OS 11.1 versions < 11.1.2-h18, < 11.1.6-h1
• PAN-OS 11.2 versions < 11.2.4-h4

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

• Apply fixes issued by the vendor
• For detail, please refer to the link below:
  https://securityadvisories.paloaltonetworks.com/CVE-2025-0111

---

Vulnerability Identifier

• CVE-2025-0111

---

Source

• Palo Alto

---

Related Link

• https://securityadvisories.paloaltonetworks.com/CVE-2025-0111

思科 AsyncOS 繞過保安限制漏洞

發佈日期: 2025年02月21日

風險: 中度風險

類型: 保安軟件及應用設備 - 保安軟件及應用設備

於思科 AsyncOS 發現一個漏洞。遠端攻擊者可利用這個漏洞，於目標系統觸發繞過保安限制。

---

影響

• 繞過保安限制

---

受影響之系統或技術

• 思科 AsyncOS Software for Secure Email Gateway 14.2 以前的版本
• 思科 AsyncOS Software for Secure Email Gateway 15.0 以前的版本
• 思科 AsyncOS Software for Secure Email Gateway 16.0 以前的版本

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

 

安裝供應商提供的修補程式：

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-mailpol-bypass-5nVcJZMw

---

漏洞識別碼

• CVE-2025-20153

---

資料來源

• Cisco

---

相關連結

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-mailpol-bypass-5nVcJZMw

Cisco AsyncOS Security Restriction Bypass Vulnerability

Release Date: 21 Feb 2025

RISK: Medium Risk

TYPE: Security software and application - Security Software & Appliance

A vulnerability was identified in Cisco AsyncOS. A remote attacker could exploit this vulnerability to trigger security restriction bypass on the targeted system.

---

Impact

• Security Restriction Bypass

---

System / Technologies affected

• Cisco AsyncOS Software for Secure Email Gateway versions prior to 14.2
• Cisco AsyncOS Software for Secure Email Gateway versions prior to 15.0
• Cisco AsyncOS Software for Secure Email Gateway versions prior to 16.0

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Apply fixes issued by the vendor:

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-mailpol-bypass-5nVcJZMw

---

Vulnerability Identifier

• CVE-2025-20153

---

Source

• Cisco

---

Related Link

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-esa-mailpol-bypass-5nVcJZMw

Drupal 多個漏洞

發佈日期: 2025年02月21日

風險: 中度風險

類型: 伺服器 - 其他伺服器

於 Drupal Core 發現多個漏洞。遠端攻擊者可利用這些漏洞，於目標系統觸發跨網站指令碼、遠端執行程式碼及繞過保安限制。

---

影響

• 跨網站指令碼
• 遠端執行程式碼
• 繞過保安限制

---

受影響之系統或技術

• Drupal 10.3 之前版本
• Drupal 10.4 之前版本
• Drupal 11.0 之前版本
• Drupal 11.1 之前版本

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。
 

安裝供應商提供的修補程式：

• 對於 Drupal 10.3, 更新到 Drupal 10.3.13.
• 對於 Drupal 10.4, 更新到 Drupal 10.4.3.
• 對於 Drupal 11.0, 更新到 Drupal 11.0.12.
• 對於 Drupal 11.1, 更新到 Drupal 11.1.3.

 

注意：10.3 之前的所有 Drupal 10 版本均已結束生命週期，供應商已停止為這些產品提供修補程式。 （Drupal 8 和 Drupal 9 版本生命週期已結束。）

---

漏洞識別碼

• 暫無 CVE 可提供

---

資料來源

• Drupal

---

相關連結

• https://www.drupal.org/sa-core-2025-002
• https://www.drupal.org/sa-core-2025-001
• https://www.drupal.org/sa-core-2025-003

Drupal Multiple Vulnerabilities

Release Date: 21 Feb 2025

RISK: Medium Risk

TYPE: Servers - Other Servers

Multiple vulnerabilities were identified in Drupal Core. A remote attacker could exploit these vulnerabilities to trigger cross-site scripting, remote code execution and security restriction bypass on the targeted system.

---

Impact

• Cross-Site Scripting
• Remote Code Execution
• Security Restriction Bypass

---

System / Technologies affected

• Drupal version prior to 10.3
• Drupal version prior to 10.4
• Drupal version prior to 11.0
• Drupal version prior to 11.1

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.
 

Apply fixes issued by the vendor:

• For Drupal 10.3, update to Drupal 10.3.13.
• For Drupal 10.4, update to Drupal 10.4.3.
• For Drupal 11.0, update to Drupal 11.0.12.
• For Drupal 11.1, update to Drupal 11.1.3.

 

Note: All versions of Drupal 10 prior to 10.3 are end-of-life and do not receive security coverage. (Drupal 8 and Drupal 9 have both reached end-of-life.)

---

Vulnerability Identifier

• No CVE information is available

---

Source

• Drupal

---

Related Link

• https://www.drupal.org/sa-core-2025-002
• https://www.drupal.org/sa-core-2025-001
• https://www.drupal.org/sa-core-2025-003

Mozilla Firefox 遠端執行程式碼漏洞

發佈日期: 2025年02月20日

風險: 中度風險

類型: 用戶端 - 瀏覽器

於 Mozilla Firefox 發現一個漏洞，遠端攻擊者可利用此漏洞，於目標系統觸發遠端執行任意程式碼。

---

影響

• 遠端執行程式碼

---

受影響之系統或技術

以下版本之前的版本﹕

• Firefox 135.0.1

---

解決方案

在安裝軟體之前，請先瀏覽供應商之官方網站，以獲得更多詳細資料。

更新至版本:

•  Firefox 135.0.1

---

漏洞識別碼

• CVE-2025-1414

---

資料來源

• Mozilla

---

相關連結

• https://www.mozilla.org/en-US/security/advisories/mfsa2025-12/

Mozilla Firefox Remote Code Execution Vulnerability

Release Date: 20 Feb 2025

RISK: Medium Risk

TYPE: Clients - Browsers

A vulnerability was identified in Mozilla Firefox. A remote attacker could exploit this vulnerability to trigger remote code execution on the targeted system.

---

Impact

• Remote Code Execution

---

System / Technologies affected

Versions prior to:

• Firefox 135.0.1

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

Apply fix issued by the vendor:

• Firefox 135.0.1

---

Vulnerability Identifier

• CVE-2025-1414

---

Source

• Mozilla

---

Related Link

• https://www.mozilla.org/en-US/security/advisories/mfsa2025-12/

Google Chrome 多個漏洞

發佈日期: 2025年02月20日

風險: 中度風險

類型: 用戶端 - 瀏覽器

於 Google Chrome 發現多個漏洞。遠端攻擊者可利用這些漏洞，於目標系統觸發阻斷服務狀況及遠端執行任意程式碼。

---

影響

• 遠端執行程式碼
• 阻斷服務

---

受影響之系統或技術

• Google Chrome 133.0.6943.126 (Linux) 之前的版本
• Google Chrome 133.0.6943.126/.127 (Mac) 之前的版本
• Google Chrome 133.0.6943.126/.127 (Windows) 之前的版本

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

安裝軟件供應商提供的修補程式：

• 更新至 133.0.6943.126 (Linux) 或之後版本
• 更新至 133.0.6943.126/.127 (Mac) 或之後版本
• 更新至 133.0.6943.126/.127 (Windows) 或之後版本

---

漏洞識別碼

• CVE-2025-0999
• CVE-2025-1006
• CVE-2025-1426

---

資料來源

• Google Chrome

---

相關連結

• https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html

Google Chrome Multiple Vulnerabilities

Release Date: 20 Feb 2025

RISK: Medium Risk

TYPE: Clients - Browsers

Multiple vulnerabilities were identified in Google Chrome. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition and remote code execution on the targeted system.

---

Impact

• Remote Code Execution
• Denial of Service

---

System / Technologies affected

• Google Chrome prior to 133.0.6943.126 (Linux)
• Google Chrome prior to 133.0.6943.126/.127 (Mac)
• Google Chrome prior to 133.0.6943.126/.127 (Windows)

---

Solutions

Before installation of the software, please visit the software vendor web-site for more details.

Apply fixes issued by the vendor:

• Update to version 133.0.6943.126 (Linux) or later
• Update to version 133.0.6943.126/.127 (Mac) or later
• Update to version 133.0.6943.126/.127 (Windows) or later

---

Vulnerability Identifier

• CVE-2025-0999
• CVE-2025-1006
• CVE-2025-1426

---

Source

• Google Chrome

---

Related Link

• https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_18.html

Microsoft 產品多個漏洞

發佈日期: 2025年02月20日

風險: 高度風險

類型: 操作系統 - 視窗操作系統

於 Microsoft 產品發現多個漏洞。遠端攻擊者可利用這些漏洞，於目標系統觸發權限提升及遠端執行任意程式碼。

 

注意:

這些漏洞會影響 Microsoft 雲端服務，而 Microsoft 已實施必要的安全緩解措施。

 

CVE-2025-21355 的漏洞概念驗證碼已被公開。微軟已完全緩解此漏洞。此服務的使用者不需要採取任何行動。此 CVE 的目的是提供進一步的透明度。

 

CVE-2025-24989 已被廣泛利用。Power Pages 中存在存取控制不正確的漏洞，未經授權的攻擊者可透過網路提升權限，繞過使用者註冊控制。此漏洞已在服務中緩解，並通知所有受影響的用戶。此更新解決了註冊控制繞過的問題。受影響的客戶已獲指示如何檢視其網站，以找出潛在的入侵漏洞及清理方法。如果您尚未收到通知，則此漏洞不會對您造成影響。

---

影響

• 遠端執行程式碼
• 權限提升

---

受影響之系統或技術

對於 CVE-2025-24989

• Microsoft Power Pages

對於 CVE-2025-21355

• Microsoft Bing

---

解決方案

請先瀏覽供應商之網站，以獲得更多詳細資料。

 

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21355

---

漏洞識別碼

• CVE-2025-24989
• CVE-2025-21355

---

資料來源

• Microsoft

---

相關連結

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21355

Microsoft Products Multiple Vulnerabilities

Release Date: 20 Feb 2025

RISK: High Risk

TYPE: Operating Systems - Windows OS

Multiple vulnerabilities were identified in Microsoft Products. A remote attacker could exploit some of these vulnerabilities to trigger elevation of privilege and remote code execution on the targeted system.

 

Note:

These vulnerabilities affect Microsoft cloud services, and Microsoft has already implemented the necessary security mitigations.

 

Proof-of-concept code is publicly available for CVE-2025-21355. This vulnerability has already been fully mitigated by Microsoft. There is no action for users of this service to take. The purpose of this CVE is to provide further transparency.

 

Exploit in the wild has been detected for CVE-2025-24989. An improper access control vulnerability in Power Pages allows an unauthorized attacker to elevate privileges over a network potentially bypassing the user registration control. This vulnerability has already been mitigated in the service and all affected cusomters have been notified. This update addressed the registration control bypass. Affected customers have been given instructions on reviewing their sites for potential exploitation and clean up methods. If you've not been notified this vulnerability does not affect you.

---

Impact

• Remote Code Execution
• Elevation of Privilege

---

System / Technologies affected

For CVE-2025-24989

• Microsoft Power Pages

For CVE-2025-21355

• Microsoft Bing

---

Solutions

Please visit the software vendor web-site for more details.

 

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21355

---

Vulnerability Identifier

• CVE-2025-24989
• CVE-2025-21355

---

Source

• Microsoft

---

Related Link

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24989
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21355

OpenSSH 多個漏洞

發佈日期: 2025年02月19日

風險: 中度風險

類型: 伺服器 - 網絡管理

於 OpenSSH 發現多個漏洞。遠端攻擊者可利用這些漏洞，於目標系統觸發阻斷服務狀況及仿冒。

---

影響

• 阻斷服務
• 仿冒

---

受影響之系統或技術

• OpenSSH 版本 6.8p1 至 9.9p1 (含).

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

 

安裝供應商提供的修補程式：

• http://www.openssh.com/security.html

---

漏洞識別碼

• CVE-2025-26465
• CVE-2025-26466

---

資料來源

• OpenSSH

---

相關連結

• http://www.openssh.com/security.html

OpenSSH Multiple Vulnerabilities

Release Date: 19 Feb 2025

RISK: Medium Risk

TYPE: Servers - Network Management

Multiple vulnerabilities were identified in OpenSSH. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition and spoofing on the targeted system.

---

Impact

• Denial of Service
• Spoofing

---

System / Technologies affected

• OpenSSH versions 6.8p1 to 9.9p1 (inclusive).

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Apply fixes issued by the vendor:

• http://www.openssh.com/security.html

---

Vulnerability Identifier

• CVE-2025-26465
• CVE-2025-26466

---

Source

• OpenSSH

---

Related Link

• http://www.openssh.com/security.html

Microsoft Edge 多個漏洞

發佈日期: 2025年02月17日

風險: 中度風險

類型: 用戶端 - 瀏覽器

於 Microsoft Edge 發現多個漏洞。遠端攻擊者可利用這些漏洞，於目標系統觸發阻斷服務狀況、遠端執行任意程式碼、繞過保安限制、敏感資料洩露及仿冒。

---

影響

• 阻斷服務
• 遠端執行程式碼
• 繞過保安限制
• 資料洩露
• 仿冒

---

受影響之系統或技術

• Microsoft Edge Stable Channel 133.0.3065.69 之前的版本

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

安裝軟件供應商提供的修補程式：

• 更新至 Microsoft Edge Stable Channel 133.0.3065.69 或之後的版本

---

漏洞識別碼

• CVE-2025-0995
• CVE-2025-0996
• CVE-2025-0997
• CVE-2025-0998
• CVE-2025-21401

---

資料來源

• Microsoft Edge

---

相關連結

• https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#february-14-2025
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-0995
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-0996
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-0997
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-0998
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21401

Microsoft Edge Multiple Vulnerabilities

Release Date: 17 Feb 2025

RISK: Medium Risk

TYPE: Clients - Browsers

Multiple vulnerabilities were identified in Microsoft Edge. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, remote code execution, security restriction bypass, sensitive information disclosure and spoofing on the targeted system.

---

Impact

• Denial of Service
• Remote Code Execution
• Security Restriction Bypass
• Information Disclosure
• Spoofing

---

System / Technologies affected

• Microsoft Edge Stable Channel version prior to 133.0.3065.69

---

Solutions

Before installation of the software, please visit the software vendor web-site for more details.

Apply fixes issued by the vendor:

• Update to Microsoft Edge Stable Channel version 133.0.3065.69 or later

---

Vulnerability Identifier

• CVE-2025-0995
• CVE-2025-0996
• CVE-2025-0997
• CVE-2025-0998
• CVE-2025-21401

---

Source

• Microsoft Edge

---

Related Link

• https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#february-14-2025
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-0995
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-0996
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-0997
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-0998
• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21401

GitLab 多個漏洞

發佈日期: 2025年02月14日

風險: 中度風險

類型: 伺服器 - 其他伺服器

於 GitLab 發現多個漏洞。遠端攻擊者可利用這些漏洞，於目標系統觸發阻斷服務狀況、跨網站指令碼、洩露敏感資料、權限提升及繞過保安限制。

---

影響

• 阻斷服務
• 跨網站指令碼
• 繞過保安限制
• 權限提升
• 資料洩露

---

受影響之系統或技術

• GitLab Community Edition (CE) 17.8.2, 17.7.4 及 17.6.5 以前的版本
• GitLab Enterprise Edition (EE) 17.8.2, 17.7.4 及 17.6.5 以前的版本

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

 

安裝供應商提供的修補程式：

• https://about.gitlab.com/releases/2025/02/12/patch-release-gitlab-17-8-2-released/

---

漏洞識別碼

• CVE-2024-3303
• CVE-2024-9870
• CVE-2024-12379
• CVE-2025-0376
• CVE-2025-0516
• CVE-2025-1042
• CVE-2025-1198
• CVE-2025-1212

---

資料來源

• GitLab

---

相關連結

• https://about.gitlab.com/releases/2025/02/12/patch-release-gitlab-17-8-2-released/

GitLab Multiple Vulnerabilities

Release Date: 14 Feb 2025

RISK: Medium Risk

TYPE: Servers - Other Servers

Multiple vulnerabilities were identified in GitLab. A remote attacker could exploit these vulnerabilities to trigger denial of service condition, cross-site scripting, sensitive information disclosure, elevation of privilege and security restriction bypass on the targeted system.

---

Impact

• Denial of Service
• Cross-Site Scripting
• Security Restriction Bypass
• Elevation of Privilege
• Information Disclosure

---

System / Technologies affected

• GitLab Community Edition (CE) versions prior to 17.8.2, 17.7.4 and 17.6.5
• GitLab Enterprise Edition (EE) versions prior to 17.8.2, 17.7.4 and 17.6.5

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Apply fixes issued by the vendor:

• https://about.gitlab.com/releases/2025/02/12/patch-release-gitlab-17-8-2-released/

---

Vulnerability Identifier

• CVE-2024-3303
• CVE-2024-9870
• CVE-2024-12379
• CVE-2025-0376
• CVE-2025-0516
• CVE-2025-1042
• CVE-2025-1198
• CVE-2025-1212

---

Source

• GitLab

---

Related Link

• https://about.gitlab.com/releases/2025/02/12/patch-release-gitlab-17-8-2-released/

PostgreSQL 篡改漏洞

發佈日期: 2025年02月14日

風險: 中度風險

類型: 伺服器 - 數據庫伺服器

於 PostgreSQL 發現一個漏洞，遠端攻擊者可利用此漏洞，於目標系統觸發篡改、洩露敏感資料及繞過保安限制。

---

影響

• 篡改
• 繞過保安限制
• 資料洩露

---

受影響之系統或技術

• PostgreSQL 17.3 之前的版本
• PostgreSQL 16.7 之前的版本
• PostgreSQL 15.11 之前的版本
• PostgreSQL 14.16 之前的版本
• PostgreSQL 13.19 之前的版本

---

解決方案

在安裝軟體之前，請先瀏覽軟體供應商之網站，以獲得更多詳細資料。

 

安裝供應商提供的修補程式：

• https://www.postgresql.org/support/security/CVE-2025-1094/

---

漏洞識別碼

• CVE-2025-1094

---

資料來源

• https://www.postgresql.org/support/security/CVE-2025-1094/

---

相關連結

• https://www.postgresql.org/support/security/CVE-2025-1094/

PostgreSQL Data Manipulation Vulnerability

Release Date: 14 Feb 2025

RISK: Medium Risk

TYPE: Servers - Database Servers

A vulnerability was identified in PostgreSQL. A remote attacker could exploit this vulnerability to trigger sensitive information disclosure, data manipulation and security restriction bypass on the targeted system.

 

---

Impact

• Data Manipulation
• Security Restriction Bypass
• Information Disclosure

---

System / Technologies affected

• PostgreSQL versions before 17.3
• PostgreSQL versions before 16.7
• PostgreSQL versions before 15.11
• PostgreSQL versions before 14.16
• PostgreSQL versions before 13.19

---

Solutions

Before installation of the software, please visit the software manufacturer website for more details.

 

Apply fixes issued by the vendor:

• https://www.postgresql.org/support/security/CVE-2025-1094/

---

Vulnerability Identifier

• CVE-2025-1094

---

Source

• https://www.postgresql.org/support/security/CVE-2025-1094/

---

Related Link

• https://www.postgresql.org/support/security/CVE-2025-1094/

F5 產品遠端執行程式碼漏洞

發佈日期: 2025年02月13日

風險: 高度風險

類型: 操作系統 - Network

於 F5 產品發現一個漏洞。遠端攻擊者可利用此漏洞，於目標系統觸發遠端執行任意程式碼。

 

注意：

受影響之系統或技術暫無可修補 CVE-2024-9287 的修補程式。因此，風險等級評為高度風險。

---

影響

• 遠端執行程式碼

---

受影響之系統或技術

BIG-IP Next CNF

• 1.1.0 - 1.4.0

 

BIG-IP Next SPK

• 1.7.0 - 1.9.2

---

解決方案

臨時處理方法：

從以下臨時處理方法以減輕攻擊：

 

1. 避免使用存在漏洞的 venv 模組來創建和使用自定義 Python 腳本。

 

請瀏覽供應商之網站，以獲得更多詳細資料。

 

應用供應商提供的臨時處理方法：

• https://my.f5.com/manage/s/article/K000149756

---

漏洞識別碼

• CVE-2024-9287

---

資料來源

• F5

---

相關連結

• https://my.f5.com/manage/s/article/K000149756

F5 Products Remote Code Execution Vulnerability

Release Date: 13 Feb 2025

RISK: High Risk

TYPE: Operating Systems - Networks OS

A vulnerability was identified in F5 Products. A remote attacker could exploit this vulnerability to trigger remote code execution on the targeted system.

 

Note:

No patch is currently available for CVE-2024-9287 of the affected products. Hence, the risk level is rated as High Risk.

---

Impact

• Remote Code Execution

---

System / Technologies affected

BIG-IP Next CNF

• 1.1.0 - 1.4.0

 

BIG-IP Next SPK

• 1.7.0 - 1.9.2

---

Solutions

Workaround:

Mitigate the vulnerability of attacks by following workaround:

 

1. Do not create and use custom Python scripts using the vulnerable venv module

 

Please visit the vendor web-site for more details.

 

Apply workarounds issued by the vendor:

• https://my.f5.com/manage/s/article/K000149756

 

 

---

Vulnerability Identifier

• CVE-2024-9287

---

Source

• F5

---

Related Link

• https://my.f5.com/manage/s/article/K000149756

蘋果產品多個漏洞

發佈日期: 2025年02月13日

風險: 中度風險

類型: 操作系統 - 流動裝置及操作系統

於蘋果產品發現一個漏洞。遠端攻擊者可利用此漏洞，於目標系統觸發繞過保安限制。

 

注意：

利用 CVE-2025-24200，攻擊者可以透過物理攻擊在設備鎖定狀態下繞過 USB 限制模式。CISA 已將此漏洞添加到其Known Exploited Vulnerabilities目錄中。蘋果亦知悉有報告指出，這個漏洞可能已被利用來針對特定目標進行攻擊。

---

影響

• 繞過保安限制

---

受影響之系統或技術

• iOS 18.3.1 以前的版本
• iPadOS 17.7.5 以前的版本
• iPadOS 18.3.1 以前的版本

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

安裝供應商提供的修補程式：

 

• iOS 18.3.1
• iPadOS 17.7.5
• iPadOS 18.3.1

---

漏洞識別碼

• CVE-2025-24200

---

資料來源

• Apple
• CISA

---

相關連結

• https://support.apple.com/en-us/122173
• https://support.apple.com/en-us/122174
• https://www.cisa.gov/news-events/alerts/2025/02/12/cisa-adds-two-known-exploited-vulnerabilities-catalog

Apple Products Security Restriction Bypass Vulnerability

Release Date: 13 Feb 2025

RISK: Medium Risk

TYPE: Operating Systems - Mobile & Apps

A vulnerability was identified in Apple Products. A remote attacker could exploit this vulnerability to trigger security restriction bypass on the targeted system.

 

Note:

For CVE-2025-24200, a physical attack may disable USB Restricted Mode on a locked device. CISA has added this CVE to its Known Exploited Vulnerabilities Catalog and Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.

---

Impact

• Security Restriction Bypass

---

System / Technologies affected

• Versions prior to iOS 18.3.1
• Versions prior to iPadOS 17.7.5
• Versions prior to iPadOS 18.3.1

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Apply fixes issued by the vendor:

 

• iOS 18.3.1
• iPadOS 17.7.5
• iPadOS 18.3.1

---

Vulnerability Identifier

• CVE-2025-24200

---

Source

• Apple
• CISA

---

Related Link

• https://support.apple.com/en-us/122173
• https://support.apple.com/en-us/122174
• https://www.cisa.gov/news-events/alerts/2025/02/12/cisa-adds-two-known-exploited-vulnerabilities-catalog

Google Chrome 多個漏洞

發佈日期: 2025年02月13日

風險: 中度風險

類型: 用戶端 - 瀏覽器

於 Google Chrome 發現多個漏洞。遠端攻擊者可利用這些漏洞，於目標系統觸發遠端執行程式碼、繞過保安限制、阻斷服務、仿冒及資料洩露。

---

影響

• 繞過保安限制
• 遠端執行程式碼
• 阻斷服務
• 仿冒
• 資料洩露

---

受影響之系統或技術

• Google Chrome 133.0.6943.98 (Linux) 之前的版本
• Google Chrome 133.0.6943.98/.99 (Mac) 之前的版本
• Google Chrome 133.0.6943.98/.99 (Windows) 之前的版本

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

安裝軟件供應商提供的修補程式：

• 更新至 133.0.6943.98 (Linux) 或之後版本
• 更新至 133.0.6943.98/.99 (Mac) 或之後版本
• 更新至 133.0.6943.98/.99 (Windows) 或之後版本

---

漏洞識別碼

• CVE-2025-0995
• CVE-2025-0996
• CVE-2025-0997
• CVE-2025-0998

---

資料來源

• Google Chrome

---

相關連結

• https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_12.html

Google Chrome Multiple Vulnerabilities

Release Date: 13 Feb 2025

RISK: Medium Risk

TYPE: Clients - Browsers

Multiple vulnerabilities were identified in Google Chrome. A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, security restriction bypass, denial of service, spoofing and sensitive information disclosure on the targeted system.

---

Impact

• Security Restriction Bypass
• Remote Code Execution
• Denial of Service
• Spoofing
• Information Disclosure

---

System / Technologies affected

• Google Chrome prior to 133.0.6943.98 (Linux)
• Google Chrome prior to 133.0.6943.98/.99 (Mac)
• Google Chrome prior to 133.0.6943.98/.99 (Windows)

---

Solutions

Before installation of the software, please visit the software vendor web-site for more details.

Apply fixes issued by the vendor:

• Update to version 133.0.6943.98 (Linux) or later
• Update to version 133.0.6943.98/.99 (Mac) or later
• Update to version 133.0.6943.98/.99 (Windows) or later

---

Vulnerability Identifier

• CVE-2025-0995
• CVE-2025-0996
• CVE-2025-0997
• CVE-2025-0998

---

Source

• Google Chrome

---

Related Link

• https://chromereleases.googleblog.com/2025/02/stable-channel-update-for-desktop_12.html

Palo Alto PAN-OS 多個漏洞

發佈日期: 2025年02月13日

風險: 中度風險

類型: 保安軟件及應用設備 - 保安軟件及應用設備

於 Palo Alto PAN-OS 發現多個漏洞。遠端攻擊者可利用這些漏洞，於目標系統觸發遠端執行程式碼、篡改及繞過保安限制。

 

---

影響

• 遠端執行程式碼
• 篡改
• 繞過保安限制

---

受影響之系統或技術

• PAN-OS 10.1.14-h9 之前的 PAN-OS 10.1 版本
• PAN-OS 10.2.13-h3 之前的 PAN-OS 10.2 版本
• PAN-OS 11.1.6-h1 之前的 PAN-OS 11.1 版本
• PAN-OS 11.2.4-h4 之前的 PAN-OS 11.2 版本
• PAN-OS OpenConfig Plugin 2.1.2 之前的版本

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

 

安裝供應商提供的修補程式：

• https://security.paloaltonetworks.com/CVE-2025-0108
• https://security.paloaltonetworks.com/CVE-2025-0109
• https://security.paloaltonetworks.com/CVE-2025-0110

---

漏洞識別碼

• CVE-2025-0109
• CVE-2025-0108
• CVE-2025-0110

---

資料來源

• Palo Alto

---

相關連結

• https://security.paloaltonetworks.com/CVE-2025-0108
• https://security.paloaltonetworks.com/CVE-2025-0109
• https://security.paloaltonetworks.com/CVE-2025-0110

Palo Alto PAN-OS Multiple vulnerabilities

Release Date: 13 Feb 2025

RISK: Medium Risk

TYPE: Security software and application - Security Software & Appliance

Multiple vulnerabilities were identified in Palo Alto PAN-OS . A remote attacker could exploit some of these vulnerabilities to trigger remote code execution, data manipulation and security restriction bypass on the targeted system.

---

Impact

• Remote Code Execution
• Data Manipulation
• Security Restriction Bypass

---

System / Technologies affected

• PAN-OS 10.1 versions earlier than PAN-OS 10.1.14-h9
• PAN-OS 10.2 versions earlier than PAN-OS 10.2.13-h3
• PAN-OS 11.1 versions earlier than PAN-OS 11.1.6-h1
• PAN-OS 11.2 versions earlier than PAN-OS 11.2.4-h4
• PAN-OS OpenConfig Plugin versions earlier than 2.1.2

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Apply fixes issued by the vendor:

• https://security.paloaltonetworks.com/CVE-2025-0108
• https://security.paloaltonetworks.com/CVE-2025-0109
• https://security.paloaltonetworks.com/CVE-2025-0110

---

Vulnerability Identifier

• CVE-2025-0109
• CVE-2025-0108
• CVE-2025-0110

---

Source

• Palo Alto

---

Related Link

• https://security.paloaltonetworks.com/CVE-2025-0108
• https://security.paloaltonetworks.com/CVE-2025-0109
• https://security.paloaltonetworks.com/CVE-2025-0110

Adobe 每月保安更新 (2025年2月)

發佈日期: 2025年02月12日

風險: 中度風險

類型: 用戶端 - 辦公室應用

Adobe已為產品提供本月保安更新：

 

受影響產品	風險程度	影響	備註	詳情（包括 CVE）
Adobe InDesign	中度風險	遠端執行程式碼 資料洩露 阻斷服務		APSB25-01
Adobe Commerce	中度風險	權限提升 繞過保安限制 遠端執行程式碼		APSB25-08
Substance 3D Stager	中度風險	阻斷服務		APSB25-09
Adobe InCopy	中度風險	遠端執行程式碼		APSB25-10
Adobe Illustrator	中度風險	遠端執行程式碼		APSB25-11
Substance 3D Designer	中度風險	遠端執行程式碼		APSB25-12
Adobe Photoshop Elements	中度風險	權限提升		APSB25-13

 

「極高度風險」產品數目：0

「高度風險」產品數目：0

「中度風險」產品數目：7

「低度風險」產品數目：0

整體「風險程度」評估：中度風險

---

影響

• 遠端執行程式碼
• 資料洩露
• 阻斷服務
• 權限提升
• 繞過保安限制

---

受影響之系統或技術

• Adobe InDesign ID20.0 及以前版本
• Adobe InDesign ID19.5.1 及以前版本
• Adobe Commerce 2.4.8-beta1
• Adobe Commerce 2.4.7-p3 及以前版本
• Adobe Commerce 2.4.6-p8 及以前版本
• Adobe Commerce 2.4.5-p10 及以前版本
• Adobe Commerce 2.4.4-p11 及以前版本
• Adobe Commerce B2B 1.5.0 及以前版本
• Adobe Commerce B2B 1.4.2-p3 及以前版本
• Adobe Commerce B2B 1.3.5-p8 及以前版本
• Adobe Commerce B2B 1.3.4-p10 及以前版本
• Adobe Commerce B2B 1.3.3-p11 及以前版本
• Magento Open Source 2.4.8-beta1
• Magento Open Source 2.4.7-p3 及以前版本
• Magento Open Source 2.4.6-p8 及以前版本
• Magento Open Source 2.4.5-p10 及以前版本
• Magento Open Source 2.4.4-p11 及以前版本
• Adobe Substance 3D Stager 3.1.0 及以前版本
• Adobe InCopy  20.0 及以前版本
• Adobe InCopy  19.5.1 及以前版本
• Illustrator 2025 29.1 及以前版本
• Illustrator 2024 28.7.3 及以前版本
• Adobe Substance 3D Designer 14.0.2 及以前版本
• Photoshop Elements 2025.0 [build: 20240918.PSE.cae27345, 20240918.PSE.d3263bae (Mac ARM)

---

解決方案

在安裝軟體之前，請先瀏覽供應商之網站，以獲得更多詳細資料。

• 安裝供應商提供的修補程式。個別產品詳情可參考上表「詳情」一欄或執行軟件更新。

---

漏洞識別碼

• https://www.cvedetails.com/vulnerability-list.php?vendor_id=53&year=2025&month=02

---

資料來源

• Adobe

---

相關連結

• https://helpx.adobe.com/security.html/security/security-bulletin.ug.html

Adobe Monthly Security Update (February 2025)

Release Date: 12 Feb 2025

RISK: Medium Risk

TYPE: Clients - Productivity Products

Adobe has released monthly security update for their products:

 

Vulnerable Product	Risk Level	Impacts	Notes	Details (including CVE)
Adobe InDesign	Medium Risk	Remote Code Execution Information Disclosure Denial of Service		APSB25-01
Adobe Commerce	Medium Risk	Elevation of Privilege Security Restriction Bypass Remote Code Execution		APSB25-08
Substance 3D Stager	Medium Risk	Denial of Service		APSB25-09
Adobe InCopy	Medium Risk	Remote Code Execution		APSB25-10
Adobe Illustrator	Medium Risk	Remote Code Execution		APSB25-11
Substance 3D Designer	Medium Risk	Remote Code Execution		APSB25-12
Adobe Photoshop Elements	Medium Risk	Elevation of Privilege		APSB25-13

 

Number of 'Extremely High Risk' product(s): 0

Number of 'High Risk' product(s): 0

Number of 'Medium Risk' product(s): 7

Number of 'Low Risk' product(s): 0

Evaluation of overall 'Risk Level': Medium Risk

---

Impact

• Remote Code Execution
• Information Disclosure
• Denial of Service
• Elevation of Privilege
• Security Restriction Bypass

---

System / Technologies affected

• Adobe InDesign ID20.0 and earlier versions
• Adobe InDesign ID19.5.1 and earlier versions
• Adobe Commerce 2.4.8-beta1
• Adobe Commerce 2.4.7-p3 and earlier versions
• Adobe Commerce 2.4.6-p8 and earlier versions
• Adobe Commerce 2.4.5-p10 and earlier versions
• Adobe Commerce 2.4.4-p11 and earlier versions
• Adobe Commerce B2B 1.5.0 and earlier versions
• Adobe Commerce B2B 1.4.2-p3 and earlier versions
• Adobe Commerce B2B 1.3.5-p8 and earlier versions
• Adobe Commerce B2B 1.3.4-p10 and earlier versions
• Adobe Commerce B2B 1.3.3-p11 and earlier versions
• Magento Open Source 2.4.8-beta1
• Magento Open Source 2.4.7-p3 and earlier versions
• Magento Open Source 2.4.6-p8 and earlier versions
• Magento Open Source 2.4.5-p10 and earlier versions
• Magento Open Source 2.4.4-p11 and earlier versions
• Adobe Substance 3D Stager 3.1.0 and earlier versions
• Adobe InCopy  20.0 and earlier versions
• Adobe InCopy  19.5.1 and earlier versions
• Illustrator 2025 29.1 and earlier versions
• Illustrator 2024 28.7.3 and earlier versions
• Adobe Substance 3D Designer 14.0.2 and earlier versions
• Photoshop Elements 2025.0 [build: 20240918.PSE.cae27345, 20240918.PSE.d3263bae (Mac ARM)

---

Solutions

Before installation of the software, please visit the vendor web-site for more details.

• Apply fixes issued by the vendor. Please refer to 'Details' column in the above table for details of individual product update or run software update.

---

Vulnerability Identifier

• https://www.cvedetails.com/vulnerability-list.php?vendor_id=53&year=2025&month=02

---

Source

• Adobe

---

Related Link

• https://helpx.adobe.com/security.html/security/security-bulletin.ug.html