CVE-2025-24901 |
Description: WeGIA is a Web Manager for Charitable Institutions. A SQL Injection vulnerability was discovered in the WeGIA application, `deletar_permissao.php` endpoint. This vulnerability could allow an authorized attacker to execute arbitrary SQL queries, allowing access to or deletion of sensitive information. This issue has been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: CRITICAL (9.4) EPSS Score: 0.05%
February 4th, 2025 (3 months ago)
|
CVE-2025-24661 |
Description: Deserialization of Untrusted Data vulnerability in MagePeople Team Taxi Booking Manager for WooCommerce allows Object Injection. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 1.1.8.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 4th, 2025 (3 months ago)
|
CVE-2025-24370 |
Description: Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn are vulnerable to Python class pollution. The vulnerability arises in the core function `set_property_value`: a remote user can craft a component request that controls its second and third parameters (the property path and the value to assign), leading to arbitrary changes to the state of the Python runtime. At least five ways of exploiting this have been observed, reliably resulting in Cross-Site Scripting (XSS), Denial of Service (DoS), and Authentication Bypass in almost every Django-Unicorn-based application. This issue has been addressed in version 0.62.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
February 4th, 2025 (3 months ago)
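The class pollution described above works because a dotted property path is resolved one attribute at a time, and `__class__` is just another attribute on the way. The following is an added example, not Django-Unicorn's code: a minimal stand-in for a `set_property_value`-style setter, the pollution it permits, and a hardened variant that rejects underscore-prefixed segments, undeclared attributes, and writes to class objects. All names here (`make_classes`, `Component`, `Settings`, `PropertyError`, the `set_property_value_*` functions) are illustrative.

```python
# Added example, not Django-Unicorn's code: a model of a dotted-path property
# setter in the style the advisory describes, the class pollution it allows,
# and a hardened variant. Names (make_classes, Component, Settings,
# PropertyError, set_property_value_*) are illustrative.

def make_classes():
    """Fresh classes per call so one demo's pollution cannot leak into another."""
    class Settings:
        debug = False          # class-level default shared by every instance

    class Component:
        def __init__(self):
            self.settings = Settings()
            self.count = 0

    return Component


def set_property_value_vulnerable(component, name, value):
    """Walk 'a.b.c' with getattr and setattr the last segment.
    Nothing is validated, so '__class__' is an accepted hop and the final
    setattr can land on a class object, changing state for every instance."""
    parts = name.split(".")
    obj = component
    for part in parts[:-1]:
        obj = getattr(obj, part)
    setattr(obj, parts[-1], value)


class PropertyError(ValueError):
    """Raised when a property path is refused."""


def set_property_value_hardened(component, name, value):
    """Same walk with three checks: every segment must be a plain identifier
    that does not start with '_' (no __class__, __dict__, __globals__, ...),
    every segment must already exist on the object, and the target must not
    itself be a class object."""
    parts = name.split(".")
    if any(not p.isidentifier() or p.startswith("_") for p in parts):
        raise PropertyError(f"illegal property path: {name!r}")
    obj = component
    for part in parts[:-1]:
        if not hasattr(obj, part):
            raise PropertyError(f"unknown attribute {part!r} in {name!r}")
        obj = getattr(obj, part)
    if isinstance(obj, type):
        raise PropertyError(f"refusing to write to class {obj.__name__}")
    if not hasattr(obj, parts[-1]):
        raise PropertyError(f"unknown attribute {parts[-1]!r} in {name!r}")
    setattr(obj, parts[-1], value)


# Attacker-controlled (name, value) pair as it would arrive in a component request.
POLLUTION_PATH = "settings.__class__.debug"


def demo_pollution():
    """Returns the victim's settings.debug after the attacker's request."""
    Component = make_classes()
    victim, attacker = Component(), Component()
    set_property_value_vulnerable(attacker, POLLUTION_PATH, True)
    return victim.settings.debug       # True: the class attribute was rewritten


def demo_hardened():
    """Same request against the hardened setter; returns (was_rejected, victim_debug)."""
    Component = make_classes()
    victim, attacker = Component(), Component()
    try:
        set_property_value_hardened(attacker, POLLUTION_PATH, True)
        rejected = False
    except PropertyError:
        rejected = True
    return rejected, victim.settings.debug


def demo_legitimate():
    """Ordinary updates still work and stay instance-local."""
    Component = make_classes()
    a, b = Component(), Component()
    set_property_value_hardened(a, "count", 5)
    set_property_value_hardened(a, "settings.debug", True)
    return a.count, a.settings.debug, b.settings.debug
```

The checks in the hardened variant are the generic ones a reviewer would ask for at any attribute-walking setter; they are not a description of what version 0.62.0 changed. Note that the victim component never handles the malicious request: the write lands on the shared class, which is what makes the XSS, DoS and authentication-bypass outcomes in the advisory reach other users.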
|
CVE-2024-57968 |
🚨 Marked as known exploited on March 10th, 2025 (about 1 month ago).
Description: Advantive VeraCore before 2024.4.2.1 allows remote authenticated users to upload files to unintended folders (e.g., ones that are accessible during web browsing by other users). upload.aspx can be used for this.
CVSS: CRITICAL (9.9) EPSS Score: 0.05%
February 4th, 2025 (3 months ago)
|
CVE-2024-57450 |
Description: ChestnutCMS <=1.5.0 is vulnerable to arbitrary file upload via the Create Template function.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 4th, 2025 (3 months ago)
|
CVE-2024-57098 |
Description: Moss v0.1.3 has an SQL injection vulnerability: attackers can inject crafted payloads through the `order` parameter.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 4th, 2025 (3 months ago)
|
CVE-2024-45569 |
Description: Memory corruption while parsing the Multi-Link (ML) Information Element (IE) due to invalid frame content.
CVSS: CRITICAL (9.8) EPSS Score: 0.08%
February 4th, 2025 (3 months ago)
|
CVE-2025-0929 |
Description: Multiple vulnerabilities in TeamCal Neo
Fri, 01/31/2025 - 13:14
Notice
Affected Resources
TeamCal Neo: version 3.8.2.
Description
INCIBE has coordinated the publication of 2 vulnerabilities, one critical and one of medium severity, affecting Lewe's TeamCal Neo, an online day-based calendar for managing the events and absences of work teams, which were discovered by Ignacio Garcia Mestre (Br4v3n). These vulnerabilities have been assigned the following codes, CVSS v3.1 base score, CVSS vector and CWE vulnerability type:
CVE-2025-0929: CVSS v3.1: 9.8 | CVSS AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-89
CVE-2025-0930: CVSS v3.1: 6.1 | CVSS AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79
Identifier
INCIBE-2025-0051
5 - Critical
Solution
There is no reported solution at this time.
Detail
CVE-2025-0929: SQL injection vulnerability in TeamCal Neo, version 3.8.2. This could allow an attacker to retrieve, update and delete all database information by injecting a malicious SQL statement via the ‘abs’ parameter in ‘/teamcal/src/index.php’.
CVE-2025-0930: Reflected Cross-Site Scripting (XSS) in TeamCal Neo, version 3.8.2. This allows an attacker to execute malicious JavaScript code after injecting it via the ‘abs’ parameter in ‘/teamcal/src/index.php’.
Ref...
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 1st, 2025 (3 months ago)
|
CVE-2025-24891 |
Description: Dumb Drop is a file upload application. Users with permission to upload to the service are able to exploit a path traversal vulnerability to overwrite arbitrary system files. As the container runs as root by default, there is no limit to what can be overwritten. With this, it is possible to inject malicious payloads into files that run on a schedule or upon certain service actions. As the service is not required to run with authentication enabled, this may give wholly unprivileged users root access; otherwise, anyone holding a valid PIN can do so.
CVSS: CRITICAL (9.7) EPSS Score: 0.04%
February 1st, 2025 (3 months ago)
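The VeraCore entry above (uploads landing in folders other users can browse) and this Dumb Drop entry are both failures to confine a user-supplied filename to the upload directory. The following added example, which is not either project's code, shows the naive join that lets `..`, absolute paths and symlinked subdirectories escape the root, beside a check that resolves the final on-disk path and requires it to stay under the root. The paths (`/srv/uploads`, `link/job.sh`) are constructed for the demo; the symlink case creates its own temporary directory.

```python
import os
import tempfile

# Added example, not VeraCore's or Dumb Drop's code. Function names and the
# sample paths are constructed for the demonstration.

def naive_dest(upload_root, user_filename):
    """The vulnerable shape: join and normalise, trusting the name.
    os.path.join discards upload_root entirely if user_filename is absolute,
    and '..' segments are resolved *out of* the root rather than rejected."""
    return os.path.normpath(os.path.join(upload_root, user_filename))


def safe_dest(upload_root, user_filename):
    """Resolve the final on-disk path and insist it stays strictly under the root.
    realpath follows symlinks in the components that already exist, so a
    symlinked subdirectory pointing outside the root is caught as well."""
    if not user_filename or os.path.isabs(user_filename):
        raise ValueError(f"rejected filename: {user_filename!r}")
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, user_filename))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload root: {user_filename!r}")
    return candidate


def escapes_root(upload_root, user_filename):
    """True when the naive join would land outside upload_root."""
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(naive_dest(upload_root, user_filename))
    return os.path.commonpath([root, dest]) != root


def accepts(upload_root, user_filename):
    """True when safe_dest admits the name."""
    try:
        safe_dest(upload_root, user_filename)
        return True
    except ValueError:
        return False


def demo_symlink_escape():
    """A name with no '..' and no leading '/' that still escapes, via a symlink
    inside the upload directory (created here for the demo). Returns
    (naive_path_looks_inside_root, safe_dest_accepts_it)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(root, "link"))
        looks_inside = naive_dest(root, "link/job.sh").startswith(root + os.sep)
        return looks_inside, accepts(root, "link/job.sh")
```

A textual check such as `startswith(root)` passes the symlink case and also accepts `/srv/uploads-old/...` for a root of `/srv/uploads`; comparing `commonpath` of the resolved paths avoids both. The root-as-root-user point in the Dumb Drop entry is orthogonal: the check above stops the write from leaving the directory, and running the container as an unprivileged user limits what a missed case can overwrite.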
|
CVE-2025-0929 |
Description: SQL injection vulnerability in TeamCal Neo, version 3.8.2. This could allow an attacker to retrieve, update and delete all database information by injecting a malicious SQL statement via the ‘abs’ parameter in ‘/teamcal/src/index.php’.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
February 1st, 2025 (3 months ago)
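CVE-2024-57098 above (injection through an `order` parameter) and this TeamCal Neo entry (injection through the `abs` parameter) are the two common shapes of SQL injection: one in a WHERE value, which a bound parameter fixes, and one in an ORDER BY clause, which cannot be bound and needs an allow-list. The added example below uses a constructed SQLite schema and is not the code of either project; it shows a UNION through the value parameter, a boolean-based probe through the ORDER BY parameter, and the hardened query that binds the value and maps the sort key through an allow-list. Table and column names (`users`, `absences`, `abs`, `abs_date`) are made up for the demo.

```python
import sqlite3

# Added example, not TeamCal Neo's or Moss's code. The schema and rows below
# are constructed for the demonstration.

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
        CREATE TABLE absences (id INTEGER, username TEXT, abs TEXT, abs_date TEXT);
        INSERT INTO users VALUES (1, 'alice', 's3cret-hash'), (2, 'bob', 'other-hash');
        INSERT INTO absences VALUES
            (1, 'alice', 'vacation', '2025-01-10'),
            (2, 'bob',   'sick',     '2025-01-12'),
            (3, 'alice', 'sick',     '2025-01-20');
    """)
    return con


def query_vulnerable(con, abs_param, order="username"):
    """Both request parameters are concatenated straight into the statement."""
    sql = (f"SELECT username, abs, abs_date FROM absences "
           f"WHERE abs = '{abs_param}' ORDER BY {order}")
    return con.execute(sql).fetchall()


# ORDER BY cannot take a bound parameter, so the column comes from an allow-list
# keyed by the values the client is allowed to send.
ORDER_COLUMNS = {"user": "username", "type": "abs", "date": "abs_date"}


def query_hardened(con, abs_param, order="user"):
    column = ORDER_COLUMNS.get(order)
    if column is None:
        raise ValueError(f"unsupported sort key: {order!r}")
    sql = (f"SELECT username, abs, abs_date FROM absences "
           f"WHERE abs = ? ORDER BY {column}")
    return con.execute(sql, (abs_param,)).fetchall()


# Value-parameter injection: close the string, append a UNION with matching
# column count, comment out the rest of the statement.
UNION_PAYLOAD = "vacation' UNION SELECT username, password, 'x' FROM users --"


def leaks_password_hashes(rows):
    return any("s3cret-hash" in row for row in rows)


def blind_order_probe(con, first_char):
    """ORDER BY injection: the sort key depends on a condition about users.password.
    With abs='sick' there are two rows; sorted by username alice comes first,
    sorted by abs_date bob comes first, so the first row answers the question."""
    order = (f"(CASE WHEN (SELECT substr(password,1,1) FROM users WHERE id=1)"
             f"='{first_char}' THEN username ELSE abs_date END)")
    rows = query_vulnerable(con, "sick", order)
    return rows[0][0] == "alice"


def hardened_rejects_order(con, order):
    try:
        query_hardened(con, "sick", order)
        return False
    except ValueError:
        return True
```

Python's `sqlite3` refuses stacked statements in `execute()`, so the delete path in the advisory is not reproduced here; the UNION already reads the `users` table through the absence listing, and the ORDER BY probe extracts one character per request without any error or data needing to be reflected. The allow-list maps opaque keys to columns, so even a bare column name such as `username` is refused unless it is a declared key.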
|