CVE-2025-24434 |
Description: Adobe Commerce versions 2.4.7-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact as high.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-24434
https://helpx.adobe.com/security/products/magento/apsb25-08.html
https://github.com/advisories/GHSA-fppq-f2m6-xv5c
CVSS: CRITICAL (9.1) EPSS Score: 0.05%
February 12th, 2025 (2 months ago)
|
CVE-2025-24973 |
Description: Concorde, formerly known as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an improper implementation of the logout process, authentication credentials remain in cookies even after a user has explicitly logged out, which may allow an attacker to steal authentication tokens. This could have devastating consequences if a user with admin privileges is (or was) using a shared device. Users who have logged in on a shared device should go to Settings > Security and regenerate their login tokens. Version 12.25Q1.1 fixes the issue. As a workaround, clear cookies and site data in the browser after logging out.
CVSS: CRITICAL (9.4) EPSS Score: 0.04%
February 12th, 2025 (2 months ago)
|
CVE-2025-22467 |
Description: A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6 allows a remote authenticated attacker to achieve remote code execution.
CVSS: CRITICAL (9.9) EPSS Score: 0.05%
February 12th, 2025 (2 months ago)
|
CVE-2025-21198 |
Description: Microsoft High Performance Compute (HPC) Pack Remote Code Execution Vulnerability
CVSS: CRITICAL (9.0) EPSS Score: 0.05%
February 12th, 2025 (2 months ago)
|
CVE-2025-1144 |
Description: School Affairs System from Quanxun has an Exposure of Sensitive Information, allowing unauthenticated attackers to view specific pages and obtain database information as well as plaintext administrator credentials.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 12th, 2025 (2 months ago)
|
CVE-2025-1126 |
Description: A Reliance on Untrusted Inputs in a Security Decision vulnerability has been identified in the Lexmark Print Management Client.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
February 12th, 2025 (2 months ago)
|
CVE-2025-1044 |
Description: Logsign Unified SecOps Platform Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Logsign Unified SecOps Platform. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the web service, which listens on TCP port 443 by default. The issue results from the lack of proper implementation of the authentication algorithm. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25336.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
February 12th, 2025 (2 months ago)
|
CVE-2025-0181 |
Description: The WP Foodbakery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.7. This is due to the plugin not properly validating a user's identity prior to setting the current user and their authentication cookie. This makes it possible for unauthenticated attackers to gain access to a target user's (e.g. administrators) account.
CVSS: CRITICAL (9.8) EPSS Score: 0.09%
February 12th, 2025 (2 months ago)
|