Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-2857 |
đ¨ Marked as known exploited on March 27th, 2025 (24 days ago).
Description: Following the sanbdox escape in CVE-2025-2783, various Firefox developers identified a similar pattern in our IPC code. Attackers were able to confuse the parent process into leaking handles into unpriviled child processes leading to a sandbox escape.
The original vulnerability was being exploited in the wild.
*This only affects Firefox on Windows. Other operating systems are unaffected.* This vulnerability affects Firefox < 136.0.4, Firefox ESR < 128.8.1, and Firefox ESR < 115.21.1.
CVSS: CRITICAL (10.0) EPSS Score: 0.09%
March 27th, 2025 (24 days ago)
|
|
CVE-2024-9574 |
Description: SQL injection vulnerability in SOPlanning <1.45, via /soplanning/www/user_groupes.php in the by parameter, which could allow a remote user to submit a specially crafted query, allowing an attacker to retrieve all the information stored in the DB.
CVSS: CRITICAL (9.8) EPSS Score: 0.08% SSVC Exploitation: none
March 27th, 2025 (24 days ago)
|
|
đ¨ Marked as known exploited on April 10th, 2025 (10 days ago).
Description: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerabilities are listed below -
CVE-2019-9874 (CVSS score: 9.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF
CVSS: CRITICAL (9.8)
March 27th, 2025 (24 days ago)
|
|
CVE-2025-2332 |
Description: The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
CVSS: CRITICAL (9.8) EPSS Score: 0.18%
March 27th, 2025 (24 days ago)
|
|
CVE-2024-21082 |
Description: Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: XML Services). Supported versions that are affected are 7.0.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in takeover of Oracle BI Publisher. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CVSS: CRITICAL (9.8) EPSS Score: 0.58% SSVC Exploitation: none
March 26th, 2025 (25 days ago)
|
|
CVE-2019-9874 |
đ¨ Marked as known exploited on April 10th, 2025 (10 days ago).
Description:
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CVSS: CRITICAL (9.8)
March 26th, 2025 (25 days ago)
|
|
CVE-2019-9874 |
Description: Sitecore CMS and Experience Platform (XP) contain a deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.
CVSS: CRITICAL (9.8)
March 26th, 2025 (25 days ago)
|
|
Description: CVE-2025-2825: Unauthenticated HTTP(S) port access on CrushFTPv10/v11
CVSS: CRITICAL (9.8) EPSS Score: 15.48%
March 26th, 2025 (25 days ago)
|
|
CVE-2024-38468 |
Description: Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized password resets via the resetPassword API.
CVSS: CRITICAL (9.8) EPSS Score: 0.2% SSVC Exploitation: none
March 26th, 2025 (25 days ago)
|
|
CVE-2025-30524 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in origincode Product Catalog allows SQL Injection. This issue affects Product Catalog: from n/a through 1.0.4.
CVSS: CRITICAL (9.3) EPSS Score: 0.04% SSVC Exploitation: none
March 26th, 2025 (25 days ago)
|