CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-9264 |
Description: The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions.
CVSS: CRITICAL (9.4) EPSS Score: 89.04% SSVC Exploitation: poc
March 14th, 2025 (3 months ago)
|
|
CVE-2024-13824 |
Description: The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
CVSS: CRITICAL (9.8) EPSS Score: 0.33%
March 14th, 2025 (3 months ago)
|
|
CVE-2024-11286 |
Description: The WP JobHunt plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 7.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the cs_parse_request() function. This makes it possible for unauthenticated attackers to to log in to any user's account, including administrators.
CVSS: CRITICAL (9.8) EPSS Score: 0.15%
March 14th, 2025 (3 months ago)
|
|
CVE-2024-11285 |
Description: The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 7.1. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the account_settings_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
CVSS: CRITICAL (9.8) EPSS Score: 0.07%
March 14th, 2025 (3 months ago)
|
|
CVE-2024-11284 |
Description: The WP JobHunt plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.9. This is due to the plugin not properly validating a user's identity prior to updating their password through the account_settings_save_callback() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
CVSS: CRITICAL (9.8) EPSS Score: 0.07%
March 14th, 2025 (3 months ago)
|
|
CVE-2024-22718 |
Description: Cross Site Scripting (XSS) vulnerability in Form Tools 3.1.1 allows attackers to run arbitrary code via the client_id parameter in the application URL.
CVSS: CRITICAL (9.6) EPSS Score: 0.35% SSVC Exploitation: none
March 13th, 2025 (3 months ago)
|
|
CVE-2024-36130 |
Description: An insufficient authorization vulnerability in web component of EPMM prior to 12.1.0.1 allows an unauthorized attacker within the network to execute arbitrary commands on the underlying operating system of the appliance.
CVSS: CRITICAL (9.8) EPSS Score: 9.11% SSVC Exploitation: none
March 13th, 2025 (3 months ago)
|
|
CVE-2024-22923 |
Description: SQL injection vulnerability in adv radius v.2.2.5 allows a local attacker to execute arbitrary code via a crafted script.
CVSS: CRITICAL (9.8) EPSS Score: 0.38% SSVC Exploitation: none
March 13th, 2025 (3 months ago)
|
|
CVE-2024-0039 |
Description: In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS: CRITICAL (9.8) EPSS Score: 20.65% SSVC Exploitation: none
March 13th, 2025 (3 months ago)
|
|
CVE-2024-0390 |
Description: INPRAX "iZZi connect" application on Android contains hard-coded MQTT queue credentials. The same MQTT queue is used by corresponding physical recuperation devices. Exploiting this vulnerability could potentially allow unauthorized access to manage and read parameters of the recuperation unit "reQnet iZZi".This issue affects "iZZi connect" application versions before 2024010401.
CVSS: CRITICAL (9.8) EPSS Score: 0.24% SSVC Exploitation: none
March 13th, 2025 (3 months ago)
|