CVE-2025-2567 |
Description: An attacker could modify or disable settings, disrupt fuel monitoring
and supply chain operations, leading to disabling of ATG monitoring.
This would result in potential safety hazards in fuel storage and
transportation.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
April 15th, 2025 (3 days ago)
|
CVE-2024-27102 |
Description: Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is not exactly known, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive; however, effort was made to reduce the number of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability.
CVSS: CRITICAL (10.0) EPSS Score: 0.28% SSVC Exploitation: poc
April 15th, 2025 (4 days ago)
|
CVE-2024-2413 |
Description: Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.
CVSS: CRITICAL (9.8) EPSS Score: 0.72% SSVC Exploitation: none
April 15th, 2025 (4 days ago)
|
CVE-2024-20758 |
Description: Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution on the underlying filesystem. Exploitation of this issue does not require user interaction, but the attack complexity is high.
CVSS: CRITICAL (9.0) EPSS Score: 2.43% SSVC Exploitation: none
April 15th, 2025 (4 days ago)
|
CVE-2024-1071 |
Description: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.
CVSS: CRITICAL (9.8) EPSS Score: 92.25% SSVC Exploitation: none
April 15th, 2025 (4 days ago)
|
CVE-2024-54092 |
Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Industrial Edge Device Kit
Vulnerability: Weak Authentication
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
Industrial Edge Device Kit - arm64 V1.19: All versions
Industrial Edge Device Kit - x86-64 V1.21: Versions prior to V1.21.1-1
Industrial Edge Device Kit - arm64 V1.17: All versions
Industrial Edge Device Kit - arm64 V1.21: Versions prior to V1.21.1-1
Industrial Edge Device Kit - x86-64 V1.19: All versions
Industrial Edge Device Kit - arm64 V1.18: All versions
Industrial Edge Device Kit - x86-64 V1.20: Versions prior to V1.20.2-1
Industrial Edge Device Kit - arm64 V1.20: Versions prior to V1.20.2-1
Industrial Edge Device Kit - x86-64 V1.18: All versions
Industrial Edge Device Kit - x86-64 V1.17: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 WEAK AUTHENTICATION CWE-1390
Affected devices do not properly enfor...
CVSS: CRITICAL (9.8) EPSS Score: 0.2%
April 15th, 2025 (4 days ago)
|
CVE-2022-23521 |
Description:
1. EXECUTIVE SUMMARY
CVSS v4 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ABB
Equipment: M2M Gateway
Vulnerabilities: Integer Overflow or Wraparound, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), Unquoted Search Path or Element, Untrusted Search Path, Use After Free, Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Missing Release of Memory after Effective Lifetime, Allocation of Resources Without Limits or Throttling, Improper Privilege Management, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Improper Restriction of Operations within the Bounds of a Memory Buffer, Incorrect Calculation of Buffer Size, Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'), Access of Resource Using Incompatible Type ('Type Confusion'), Improper Input Validation, Uncontrolled Resource Consumption, Observable Discrepancy, Generation of Error Message Containing Sensitive Information, Improper Authentication, Improper Validation of Integrity Check Value, Inadequate Encryption Strength, Improper Removal of Sensitive Information Before Storage or Transfer, Exposure of Sensitive Information to an Unauthorized Actor
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to stop the...
CVSS: CRITICAL (9.8)
April 15th, 2025 (4 days ago)
|
CVE-2025-24859 |
Description: A critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change.
The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.
CVSS: CRITICAL (10.0) EPSS Score: 0.04%
April 15th, 2025 (4 days ago)
|
CVE-2025-30985 |
Description: Deserialization of Untrusted Data vulnerability in NotFound GNUCommerce allows Object Injection. This issue affects GNUCommerce: from n/a through 1.5.4.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
April 15th, 2025 (4 days ago)
|
CVE-2025-3579 |
Description: In versions prior to Aidex 1.7, an authenticated malicious user, taking advantage of an open registry, could execute unauthorised commands within the system. This includes executing operating system (Unix) commands, interacting with internal services such as PHP or MySQL, and even invoking native functions of the framework used, such as Laravel or Symfony. This execution is achieved by Prompt Injection attacks through the /api//message endpoint, manipulating the content of the ‘content’ parameter.
CVSS: CRITICAL (9.3) EPSS Score: 0.08%
April 15th, 2025 (4 days ago)
|