Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-22290 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – FreightQuote Edition allows SQL Injection. This issue affects LTL Freight Quotes – FreightQuote Edition: from n/a through 2.3.11.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
February 17th, 2025 (2 months ago)
|
|
CVE-2024-57971 |
Description: DataSourceResource.java in the SpagoBI API support in Knowage Server in KNOWAGE before 8.1.30 does not ensure that java:comp/env/jdbc/ occurs at the beginning of a JNDI Name.
CVSS: CRITICAL (9.1) EPSS Score: 0.05%
February 17th, 2025 (2 months ago)
|
|
CVE-2025-26793 |
Description: The Web GUI configuration panel of Hirsch (formerly Identiv and Viscount) Enterphone MESH through 2024 ships with default credentials (username freedom, password viscount). The administrator is not prompted to change these credentials on initial configuration, and changing the credentials requires many steps. Attackers can use the credentials over the Internet via mesh.webadmin.MESHAdminServlet to gain access to dozens of Canadian and U.S. apartment buildings and obtain building residents' PII. NOTE: the Supplier's perspective is that the "vulnerable systems are not following manufacturers' recommendations to change the default password."
CVSS: CRITICAL (10.0) EPSS Score: 0.07%
February 16th, 2025 (2 months ago)
|
|
CVE-2025-1302 |
Description: Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode.
**Note:**
This is caused by an incomplete fix for [CVE-2024-21534](https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884).
CVSS: CRITICAL (9.3) EPSS Score: 0.05%
February 16th, 2025 (2 months ago)
|
|
CVE-2024-13513 |
Description: The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. This makes it possible for unauthenticated attackers to extract sensitive data including the plugin's clientToken, which in turn can be used to change user account information including emails and account type. This allows attackers to then change account passwords resulting in a complete site takeover. Version 2.4.2.3 disabled logging but left sites with existing log files vulnerable.
CVSS: CRITICAL (9.8) EPSS Score: 0.06%
February 16th, 2025 (2 months ago)
|
|
CVE-2024-12562 |
Description: The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op' vulnerable parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS: CRITICAL (9.8) EPSS Score: 0.07%
February 16th, 2025 (2 months ago)
|
|
CVE-2022-48174 |
Description:
Nessus Plugin ID 216343 with Critical Severity
Synopsis
The remote CBL Mariner host is missing one or more security updates.
Description
The version of busybox installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-48174 advisory. - There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. (CVE-2022-48174)Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.
Read more at https://www.tenable.com/plugins/nessus/216343
CVSS: CRITICAL (9.8)
February 15th, 2025 (2 months ago)
|
|
CVE-2025-26506 |
Description: Certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers may potentially be vulnerable to Remote Code Execution and Elevation of Privilege when processing a PostScript print job.
CVSS: CRITICAL (9.2) EPSS Score: 0.04%
February 15th, 2025 (2 months ago)
|
|
CVE-2025-22630 |
Description: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in MarketingFire Widget Options allows OS Command Injection.This issue affects Widget Options: from n/a through 4.1.0.
CVSS: CRITICAL (9.9) EPSS Score: 0.04%
February 15th, 2025 (2 months ago)
|
|
CVE-2025-0867 |
Description: The standard user uses the run as function to start the MEAC applications with administrative privileges. To ensure that the system can startup on its own, the credentials of the administrator were stored. Consequently, the EPC2 user can execute any command with administrative privileges. This allows a privilege escalation to the administrative level.
CVSS: CRITICAL (9.9) EPSS Score: 0.04%
February 15th, 2025 (2 months ago)
|