CVE-2024-20439
Description:
Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information or administer Cisco Smart Licensing Utility services on a system while the software is running.
Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
For more information about these vulnerabilities, see the Details section of this advisory.
This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cslu-7gHMzWmw
Security Impact Rating: Critical
CVE: CVE-2024-20439, CVE-2024-20440
CVSS: CRITICAL (9.8) EPSS Score: 89.45%
April 1st, 2025

CVE-2025-23120
Description:
1. EXECUTIVE SUMMARY
CVSS v4 9.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: Lifecycle Services with Veeam Backup and Replication
Vulnerability: Deserialization of Untrusted Data
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker with administrative privileges to execute code on the target system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Rockwell Automation reports the following Lifecycle Services with Veeam Backup and Replication are affected:
Industrial Data Center (IDC) with Veeam: Generations 1 - 5
VersaVirtual Appliance (VVA) with Veeam: Series A - C
3.2 VULNERABILITY OVERVIEW
3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
A remote code execution vulnerability exists in Veeam Backup and Replication, which the affected products use. Exploitation of the vulnerability can allow a threat actor to execute code on the target system.
CVE-2025-23120 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23120. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Rock...
CVSS: CRITICAL (9.9) EPSS Score: 0.53%
April 1st, 2025

CVE-2025-2237
Description: The WP RealEstate plugin for WordPress, used by the Homeo theme, is vulnerable to authentication bypass in all versions up to, and including, 1.6.26. This is due to insufficient role restrictions in the 'process_register' function. This makes it possible for unauthenticated attackers to register an account with the Administrator role.
CVSS: CRITICAL (9.8) EPSS Score: 0.22%
April 1st, 2025

CVE-2024-13553
Description: The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.7.9. This is due to the plugin using the Host header to determine if the plugin is in a playground environment. This makes it possible for unauthenticated attackers to spoof the Host header to make the OTP code "1234" and authenticate as any user, including administrators.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
April 1st, 2025

CVE-2025-30065
Description: Schema parsing in the parquet-avro module of Apache Parquet 1.15.0 and previous versions allows bad actors to execute arbitrary code.
Users are recommended to upgrade to version 1.15.1, which fixes the issue.
CVSS: CRITICAL (10.0) EPSS Score: 0.16%
April 1st, 2025

CVE-2025-31095
Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in ho3einie Material Dashboard allows Authentication Bypass. This issue affects Material Dashboard: from n/a through 1.4.5.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
April 1st, 2025

CVE-2025-31087
Description: Deserialization of Untrusted Data vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows Object Injection. This issue affects Multiple Shipping And Billing Address For Woocommerce: from n/a through 1.5.
CVSS: CRITICAL (9.8) EPSS Score: 0.05%
April 1st, 2025

CVE-2025-31084
Description: Deserialization of Untrusted Data vulnerability in sunshinephotocart Sunshine Photo Cart allows Object Injection. This issue affects Sunshine Photo Cart: from n/a through 3.4.10.
CVSS: CRITICAL (9.8) EPSS Score: 0.05%
April 1st, 2025

CVE-2025-30971
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xavi Ivars XV Random Quotes allows SQL Injection. This issue affects XV Random Quotes: from n/a through 1.40.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
April 1st, 2025

CVE-2025-30911
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RomethemeKit For Elementor allows Command Injection. This issue affects RomethemeKit For Elementor: from n/a through 1.5.4.
CVSS: CRITICAL (9.9) EPSS Score: 0.22%
April 1st, 2025