Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
May 29th, 2025 (about 2 hours ago)
|
CVE-2025-5257 |
Description: SummaryThis advisory addresses a security vulnerability in Mautic where unpublished page previews could be accessed by unauthenticated users and potentially indexed by search engines. This could lead to the unintended disclosure of draft content or sensitive information.
Unauthorized Access to Unpublished Page Previews: The page preview functionality for unpublished content, accessible via predictable URLs (e.g., /page/preview/1, /page/preview/2), lacked proper authorization checks. This allowed any unauthenticated user to view content that was not yet intended for public release, and allowed search engines to index these private preview URLs, making the content publicly discoverable.
MitigationMautic has patched this vulnerability by enforcing proper permission checks on preview pages. Users should upgrade to the patched version of Mautic or later.
CVSS: MEDIUM (6.5)
May 28th, 2025 (about 3 hours ago)
|
|
CVE-2025-5256 |
Description: SummaryThis advisory addresses an Open Redirection vulnerability in Mautic's user unlocking endpoint. This vulnerability could be exploited by an attacker to redirect legitimate users to malicious websites, potentially leading to phishing attacks or the delivery of exploit kits.
Open Redirection via returnUrl Parameter: An Open Redirection vulnerability exists in the /s/action/unlock/user.user/0 endpoint. The returnUrl parameter, intended for post-action redirection, is not properly validated. This allows an attacker to craft a URL that, when clicked by a user, redirects them to an arbitrary external website controlled by the attacker.
MitigationUpdate Mautic to a version that properly validates or sanitizes the returnUrl parameter to ensure that redirects only occur to trusted, internal URLs or explicitly whitelisted domains.
CVSS: MEDIUM (5.4) SSVC Exploitation: none
May 28th, 2025 (about 3 hours ago)
|
|
CVE-2025-5215 |
Description: A vulnerability classified as critical has been found in D-Link DCS-5020L 1.01_B2. This affects the function websReadEvent of the file /rame/ptdc.cgi. The manipulation of the argument Authorization leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. Es wurde eine Schwachstelle in D-Link DCS-5020L 1.01_B2 entdeckt. Sie wurde als kritisch eingestuft. Hiervon betroffen ist die Funktion websReadEvent der Datei /rame/ptdc.cgi. Dank Manipulation des Arguments Authorization mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (8.7) SSVC Exploitation: poc
May 28th, 2025 (about 3 hours ago)
|
|
CVE-2025-5160 |
Description: A vulnerability classified as problematic has been found in H3C SecCenter SMP-E1114P02 up to 20250513. Affected is the function Download of the file /packetCaptureStrategy/download. The manipulation of the argument Name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Es wurde eine problematische Schwachstelle in H3C SecCenter SMP-E1114P02 bis 20250513 entdeckt. Dabei betrifft es die Funktion Download der Datei /packetCaptureStrategy/download. Durch Manipulation des Arguments Name mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
CVSS: MEDIUM (5.3) SSVC Exploitation: none
May 28th, 2025 (about 3 hours ago)
|
|
CVE-2025-5137 |
Description: A vulnerability was found in DedeCMS 5.7.117. It has been classified as critical. Affected is an unknown function of the file dede/sys_verifies.php?action=getfiles of the component Incomplete Fix CVE-2018-9175. The manipulation of the argument refiles leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine kritische Schwachstelle in DedeCMS 5.7.117 ausgemacht. Dabei betrifft es einen unbekannter Codeteil der Datei dede/sys_verifies.php?action=getfiles der Komponente Incomplete Fix CVE-2018-9175. Durch das Manipulieren des Arguments refiles mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
CVSS: MEDIUM (5.1) SSVC Exploitation: poc
May 28th, 2025 (about 3 hours ago)
|
|
CVE-2025-48931 |
Description: The TeleMessage service through 2025-05-05 relies on MD5 for password hashing, which opens up various attack possibilities (including rainbow tables) with low computational effort.
CVSS: LOW (3.2)
May 28th, 2025 (about 3 hours ago)
|
|
Description: Microsoft has released the optional KB5058481 preview cumulative update for Windows 10 22H2 with seven changes, including restoring seconds to the time display in the calendar flyout for those who previously lost it. [...]
May 28th, 2025 (about 4 hours ago)
|
|
CVE-2025-48930 |
🚨 Marked as known exploited on May 28th, 2025 (about 4 hours ago).
Description: The TeleMessage service through 2025-05-05 stores certain cleartext information in memory, even though memory content may be accessible to an adversary through various avenues, as exploited in the wild in May 2025.
CVSS: LOW (2.8)
May 28th, 2025 (about 4 hours ago)
|
|
CVE-2025-27706 |
Description: CVE-2025-27706 is a cross-site scripting vulnerability in the management
console of Absolute Secure Access prior to version 13.54. Attackers
with system administrator permissions can interfere with another system
administrator’s use of the management console when the second
administrator visits the page. Attack complexity is low, there are no
preexisting attack requirements, privileges required are high and active
user interaction is required. There is no impact on confidentiality,
the impact on integrity is low and there is no impact on availability.
CVSS: MEDIUM (4.6)
May 28th, 2025 (about 4 hours ago)
|