CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-22630 |
Description: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in MarketingFire Widget Options allows OS Command Injection.This issue affects Widget Options: from n/a through 4.1.0.
CVSS: CRITICAL (9.9) EPSS Score: 0.04%
February 15th, 2025 (4 months ago)
|
|
CVE-2025-0867 |
Description: The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any command with administrative privileges. This allows a privilege escalation to the administrative level.
CVSS: CRITICAL (9.9) EPSS Score: 0.04%
February 15th, 2025 (4 months ago)
|
|
CVE-2024-56180 |
Description: CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can use the code under the master branch in project repo or version 1.11.0 to fix this issue.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 15th, 2025 (4 months ago)
|
|
CVE-2024-52577 |
Description: In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.
CVSS: CRITICAL (9.5) EPSS Score: 0.04%
February 15th, 2025 (4 months ago)
|
|
CVE-2024-13152 |
Description: Authorization Bypass Through User-Controlled SQL Primary Key vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection.This issue affects Mobuy Online Machinery Monitoring Panel: before 2.0.
CVSS: CRITICAL (10.0) EPSS Score: 0.09%
February 15th, 2025 (4 months ago)
|
|
CVE-2024-52577 |
Description: In Apache Ignite versions from 2.6.0 and before 2.17.0, configured Class Serialization Filters are ignored for some Ignite endpoints. The vulnerability could be exploited if an attacker manually crafts an Ignite message containing a vulnerable object whose class is present in the Ignite server classpath and sends it to Ignite server endpoints. Deserialization of such a message by the Ignite server may result in the execution of arbitrary code on the Apache Ignite server side.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-52577
https://lists.apache.org/thread/1bst0n27m9kb3b6f6hvlghn182vqb2hh
https://github.com/apache/ignite/commit/f1d3579eabb2c6f5b11b94d58600afc497a8603d
http://www.openwall.com/lists/oss-security/2025/02/14/2
https://github.com/advisories/GHSA-8355-xj3p-hv6q
CVSS: CRITICAL (9.5) EPSS Score: 0.04%
February 14th, 2025 (4 months ago)
|
|
CVE-2023-20198 |
Description: A newly uncovered cyber espionage campaign led by the Chinese state-sponsored hacking group Salt Typhoon (Red Mike) has compromised vulnerable Cisco devices worldwide, targeting telecommunications providers across multiple countries, including the United States, the United Kingdom, and South Africa. The attack exploits two critical privilege escalation vulnerabilities, CVE-2023-20198 and CVE-2023-20273, found in Cisco IOS XE …
The post Chinese Hackers Breach Cisco Devices in Global Telecom Attacks appeared first on CyberInsider.
CVSS: CRITICAL (10.0)
February 14th, 2025 (4 months ago)
|
|
CVE-2025-25286 |
Description: Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in `islandora/crayfish:4.1.0`. Some workarounds are available. The exploit requires making a request against the Homarus's `/convert` endpoint; therefore, the ability to exploit is much reduced if the microservice is not directly accessible from the Internet, so: Prevent general access from the Internet from hitting Homarus. Alternatively or additionally, configure auth in Crayfish to be more strongly required, such that requests with `Authorization` headers that do not validate are rejected before the problematic CLI interpolation occurs.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 14th, 2025 (4 months ago)
|
|
CVE-2025-25067 |
Description: mySCADA myPRO Manager
is vulnerable to an OS command injection which could allow a remote attacker to execute arbitrary OS commands.
CVSS: CRITICAL (9.8) EPSS Score: 0.05%
February 14th, 2025 (4 months ago)
|
|
CVE-2025-24865 |
Description: The administrative web interface of
mySCADA myPRO Manager
can be accessed without authentication
which could allow an unauthorized attacker to retrieve sensitive
information and upload files without the associated password.
CVSS: CRITICAL (10.0) EPSS Score: 0.07%
February 14th, 2025 (4 months ago)
|