
Threat and Vulnerability Intelligence Database

CVE-2025-29775

Description: xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.

CVSS: CRITICAL (9.3)

EPSS Score: 0.12%

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2025-29774

Description: xml-crypto is an XML digital signature and encryption library for Node.js. An attacker may be able to exploit a vulnerability in versions prior to 6.0.1, 3.2.1, and 2.1.6 to bypass authentication or authorization mechanisms in systems that rely on xml-crypto for verifying signed XML documents. The vulnerability allows an attacker to modify a valid signed XML message in a way that still passes signature verification checks. For example, it could be used to alter critical identity or access control attributes, enabling an attacker with a valid account to escalate privileges or impersonate another user. Users of versions 6.0.0 and prior should upgrade to version 6.0.1 to receive a fix. Those who are still using v2.x or v3.x should upgrade to patched versions 2.1.6 or 3.2.1, respectively.

CVSS: CRITICAL (9.3)

EPSS Score: 0.12%

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2024-22267

Description: VMware Workstation and Fusion contain a use-after-free vulnerability in the vbluetooth device. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host.

CVSS: CRITICAL (9.3)

EPSS Score: 0.09%

SSVC Exploitation: none

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2025-2000

Description: A maliciously crafted QPY file can potentially execute arbitrary code embedded in the payload, without privilege escalation, when deserializing QPY format versions below 13. A Python process calling the `qiskit.qpy.load()` function in Qiskit 0.18.0 through 1.4.1 could execute arbitrary Python code embedded in the correct place in the binary file as part of a specially constructed payload.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2024-37079

Description: vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

CVSS: CRITICAL (9.8)

EPSS Score: 24.4%

SSVC Exploitation: poc

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2025-27595

Description: The device uses a weak hashing algorithm to create the password hash. Hence, a matching password can be easily calculated by an attacker. This impacts the security and the integrity of the device.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2025-27593

Description: The product can be used to distribute malicious code using SDD Device Drivers due to missing download verification checks, leading to code execution on target systems.

CVSS: CRITICAL (9.3)

EPSS Score: 0.03%

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2025-2304

Description: A Privilege Escalation through a Mass Assignment exists in Camaleon CMS. When a user wishes to change their password, the 'updated_ajax' method of the UsersController is called. The vulnerability stems from the use of the dangerous 'permit!' method, which allows all parameters to pass through without any filtering.

CVSS: CRITICAL (9.4)

EPSS Score: 0.06%

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2025-2232

Description: The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. This is due to insufficient role restrictions in the 'do_register_user' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.

CVSS: CRITICAL (9.8)

EPSS Score: 0.21%

Source: CVE
March 14th, 2025 (3 months ago)

CVE-2024-13771

Description: The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
March 14th, 2025 (3 months ago)