CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2023-25574 |
Description: Impact
Only users that has configured a JupyterHub installation to use the authenticator class LTI13Authenticator are influenced.
LTI13Authenticator that was introduced in jupyterhub-ltiauthenticator 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request granting access to existing and new user identities.
Patches
None.
Workarounds
None.
References
This code segment didn't validate a JWT signature.
References
https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-mcgx-2gcr-p3hp
https://nvd.nist.gov/vuln/detail/CVE-2023-25574
https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164
https://github.com/jupyterhub/ltiauthenticator/blob/main/CHANGELOG.md#140---2023-03-01
https://github.com/advisories/GHSA-mcgx-2gcr-p3hp
CVSS: CRITICAL (10.0)
February 25th, 2025 (4 months ago)
|
|
CVE-2025-26974 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPExperts.io WP Multi Store Locator allows Blind SQL Injection. This issue affects WP Multi Store Locator: from n/a through 2.5.1.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
February 25th, 2025 (4 months ago)
|
|
CVE-2025-26966 |
Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in Aldo Latino PrivateContent. This issue affects PrivateContent: from n/a through 8.11.5.
CVSS: CRITICAL (9.8) EPSS Score: 0.08% SSVC Exploitation: none
February 25th, 2025 (4 months ago)
|
|
CVE-2025-26943 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jürgen Müller Easy Quotes allows Blind SQL Injection. This issue affects Easy Quotes: from n/a through 1.2.2.
CVSS: CRITICAL (9.3) EPSS Score: 0.04% SSVC Exploitation: none
February 25th, 2025 (4 months ago)
|
|
CVE-2025-26900 |
Description: Deserialization of Untrusted Data vulnerability in flexmls Flexmls® IDX allows Object Injection. This issue affects Flexmls® IDX: from n/a through 3.14.27.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
February 25th, 2025 (4 months ago)
|
|
CVE-2025-24032 |
Description:
Nessus Plugin ID 216720 with Critical Severity
Synopsis
The remote SUSE host is missing one or more security updates.
Description
The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:0688-1 advisory. - CVE-2025-24032: default value for `cert_policy` (`none`) allows for authentication bypass (bsc#1237062). - CVE-2025-24031: uninitialized pointer dereference caused by user pressing ctrl-c/ctrl-d when asked for PIN leads to crash (bsc#1237058).Tenable has extracted the preceding description block directly from the SUSE security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected pam_pkcs11 and / or pam_pkcs11-32bit packages.
Read more at https://www.tenable.com/plugins/nessus/216720
CVSS: CRITICAL (9.2) EPSS Score: 0.05%
February 25th, 2025 (4 months ago)
|
|
CVE-2025-24032 |
Description:
Nessus Plugin ID 216733 with Critical Severity
Synopsis
The remote SUSE host is missing one or more security updates.
Description
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:0689-1 advisory. - CVE-2025-24032: default value for `cert_policy` (`none`) allows for authentication bypass (bsc#1237062). - CVE-2025-24031: uninitialized pointer dereference caused by user pressing ctrl-c/ctrl-d when asked for PIN leads to crash (bsc#1237058).Tenable has extracted the preceding description block directly from the SUSE security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected pam_pkcs11, pam_pkcs11-32bit and / or pam_pkcs11-devel-doc packages.
Read more at https://www.tenable.com/plugins/nessus/216733
CVSS: CRITICAL (9.2) EPSS Score: 0.05%
February 25th, 2025 (4 months ago)
|
|
CVE-2025-1128 |
Description: The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. This makes it possible for unauthenticated attackers to upload, read, and delete arbitrary files on the affected site's server which may make remote code execution, sensitive information disclosure, or a site takeover possible.
CVSS: CRITICAL (9.8) EPSS Score: 0.7%
February 25th, 2025 (4 months ago)
|
|
CVE-2017-3066 |
Description: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws impacting Adobe ColdFusion and Oracle Agile Product Lifecycle Management (PLM) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities in question are listed below -
CVE-2017-3066 (CVSS score: 9.8) - A deserialization vulnerability impacting
CVSS: CRITICAL (9.8)
February 25th, 2025 (4 months ago)
|
|
CVE-2025-27140 |
Description: WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, `importar_dump.php` endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely. The command is basically a command to move a temporary file, so a webshell upload is also possible. Version 3.2.15 contains a patch for the issue.
CVSS: CRITICAL (10.0) EPSS Score: 0.28%
February 24th, 2025 (4 months ago)
|