Threat and Vulnerability Intelligence Database

CVE-2025-0455

Description: The airPASS from NetVision Information has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
January 17th, 2025 (3 months ago)

CVE-2024-50603

Description: Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. Shell metacharacters can be sent to /v1/api in cloud_type for list_flightpath_destination_instances, or src_cloud_type for flightpath_connection_test.

CVSS: CRITICAL (10.0)

EPSS Score: 92.43%

Source: CISA KEV
January 16th, 2025 (3 months ago)

CVE-2022-40684

Description: A newly emerged threat actor named “Belsen Group” has publicly released sensitive configuration data and VPN credentials from over 15,000 FortiGate firewalls, affecting both governmental and private sector organizations worldwide. The data, which includes usernames, passwords, firewall rules, and digital certificates, was allegedly obtained through a 2022 Fortinet zero-day vulnerability (CVE-2022-40684) and has now been …

CVSS: CRITICAL (9.8)

Source: CyberInsider
January 16th, 2025 (3 months ago)

CVE-2025-23061

Description: Mongoose before 8.9.5 can improperly use a nested $where filter with a populate() match, leading to search injection. NOTE: this issue exists because of an incomplete fix for CVE-2024-53900.

CVSS: CRITICAL (9.0)

EPSS Score: 0.05%

Source: CVE
January 16th, 2025 (3 months ago)
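
The Mongoose entry above is about a user-controlled filter object reaching populate({ match }) with a nested $where, and notes that the first fix was incomplete. The following is an added example of a request-layer guard that sits in front of the query builder: a recursive scan that finds a denied operator however deeply it is nested (the kind of nesting a shallow key check misses), plus an allowlist builder for endpoints whose filter fields are known. This is not Mongoose's own code or its fix; the operator names other than $where, the field names and the sample payloads are assumed and constructed for the example.

```javascript
// Added illustration for CVE-2025-23061 (and the incompletely fixed
// CVE-2024-53900): a user-controlled object reaching populate({ match }) with a
// nested $where. Not Mongoose's code or fix; a request-layer guard in front of
// the query builder. Operator names other than $where, the field names and the
// payloads below are assumed.

// Operators that execute server-side JavaScript or let a caller change query
// semantics. $where is the one the CVE names; the rest are an assumed deny-list.
const DENIED_OPERATORS = new Set(['$where', '$function', '$accumulator', '$expr']);

// Walk a filter recursively and return the path of the first denied operator,
// or null. A shallow Object.keys() check misses $where hidden under $or/$and
// arrays or nested documents.
function findDeniedOperator(filter, path = '') {
  if (Array.isArray(filter)) {
    for (let i = 0; i < filter.length; i++) {
      const hit = findDeniedOperator(filter[i], `${path}[${i}]`);
      if (hit) return hit;
    }
    return null;
  }
  if (filter === null || typeof filter !== 'object') return null;
  for (const [key, value] of Object.entries(filter)) {
    const here = path ? `${path}.${key}` : key;
    if (DENIED_OPERATORS.has(key)) return here;
    const hit = findDeniedOperator(value, here);
    if (hit) return hit;
  }
  return null;
}

// Build the populate() options object from untrusted input: only allowlisted
// fields are copied and their values must be scalars, so an object such as
// {"$where": "..."} can never become a sub-filter.
function buildPopulateOptions(path, userInput, allowedFields) {
  const match = {};
  for (const field of allowedFields) {
    if (!Object.prototype.hasOwnProperty.call(userInput, field)) continue;
    const v = userInput[field];
    if (!['string', 'number', 'boolean'].includes(typeof v)) {
      throw new Error(`field ${field} must be a scalar, got ${typeof v}`);
    }
    match[field] = v;
  }
  return { path, match };
}

// Constructed request bodies, not from any real report.
const INJECTED = {
  status: 'active',
  $or: [{ tags: { $in: ['news'] } }, { $where: 'sleep(5000) || true' }],
};
const CLEAN = { status: 'active', author: 'alice' };
```

Usage at the endpoint is `Model.find(...).populate(buildPopulateOptions('comments', req.query, ['status']))`; for endpoints that must accept structured filters, call `findDeniedOperator(filter)` first and reject the request if it returns a path. Upgrading past 8.9.5 is still required; the guard only reduces what reaches the library.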

CVE-2025-22785

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ComMotion Course Booking System allows SQL Injection. This issue affects Course Booking System: from n/a through 6.0.5.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
January 16th, 2025 (3 months ago)

CVE-2025-22782

Description: Unrestricted Upload of File with Dangerous Type vulnerability in Web Ready Now WR Price List Manager For Woocommerce allows uploading a web shell to the web server. This issue affects WR Price List Manager For Woocommerce: from n/a through 1.0.8.

CVSS: CRITICAL (9.9)

EPSS Score: 0.04%

Source: CVE
January 16th, 2025 (3 months ago)

CVE-2025-22146

Description: Sentry is a developer-first error tracking and performance monitoring tool. A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability. The Sentry SaaS fix was deployed on Jan 14, 2025. For self-hosted users: if only a single organization is allowed (`SENTRY_SINGLE_ORGANIZATION = True`), no action is needed. Otherwise, users should upgrade to version 25.1.0 or higher. There are no known workarounds for this vulnerability.

CVSS: CRITICAL (9.1)

EPSS Score: 0.04%

Source: CVE
January 16th, 2025 (3 months ago)
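
The Sentry entry above describes the multi-tenant SAML failure mode: an attacker registers their own IdP on a second organization of the same instance and has it assert the victim's email. The following is an added, hypothetical model of that bug class, not Sentry's code or its fix. It contrasts a resolver that maps any valid assertion to an existing user by email across the whole instance with one that only authenticates through an SSO identity already bound to this organization's IdP and NameID. Signature verification is reduced to an issuer check against the org's configured IdP, and the orgs, users and assertions are constructed for the example.

```javascript
// Added model of the bug class described for CVE-2025-22146: account takeover
// through a malicious SAML IdP attached to a second organization on the same
// multi-tenant instance. Hypothetical resolver, not Sentry's code or fix.
// Signature checking is reduced to matching the assertion issuer against the
// IdP configured for the org the login targets.

// Constructed instance state. Only victim-corp's IdP has ever authenticated alice.
const ORGS = {
  'victim-corp':  { idpIssuer: 'https://idp.victim-corp.example/saml' },
  'attacker-org': { idpIssuer: 'https://idp.attacker.example/saml' },
};
const USERS = [{ id: 1, email: 'alice@victim-corp.example' }];
// An SSO identity is a binding of (org, NameID) -> user, created when the
// user first linked SSO for that org.
const SSO_IDENTITIES = [{ userId: 1, org: 'victim-corp', nameId: 'alice@victim-corp.example' }];

// Stand-in for verifying the assertion signature with the org's IdP certificate.
function assertionValidForOrg(assertion, org) {
  return Boolean(ORGS[org]) && assertion.issuer === ORGS[org].idpIssuer;
}

// Vulnerable resolver. The assertion really is valid for attacker-org, but the
// user lookup is by email across the whole instance, so an IdP the attacker
// controls can assert any email and be logged in as that user.
function resolveLoginVulnerable(assertion, org) {
  if (!assertionValidForOrg(assertion, org)) return null;
  const user = USERS.find((u) => u.email === assertion.email);
  return user ? user.id : null;
}

// Hardened resolver. An assertion only authenticates through an SSO identity
// already bound to this org and this NameID. Anything else is a new identity
// that must go through an explicit, verified linking step; it never attaches
// to an existing account on the strength of an email claim.
function resolveLoginHardened(assertion, org) {
  if (!assertionValidForOrg(assertion, org)) return null;
  const identity = SSO_IDENTITIES.find((i) => i.org === org && i.nameId === assertion.nameId);
  if (identity) return identity.userId;
  return { linkRequired: true, org, nameId: assertion.nameId };
}

// Constructed assertions. FORGED is issued by the attacker's own IdP and
// claims the victim's email, the one fact the CVE says the attacker needs.
const FORGED = {
  issuer: 'https://idp.attacker.example/saml',
  nameId: 'alice@victim-corp.example',
  email: 'alice@victim-corp.example',
};
const LEGIT = {
  issuer: 'https://idp.victim-corp.example/saml',
  nameId: 'alice@victim-corp.example',
  email: 'alice@victim-corp.example',
};
```

The design point is that in a multi-tenant SSO system the trust anchor is the tenant's IdP, so an identity must be keyed by (tenant, IdP subject), never by an email string that any tenant's IdP can claim. This is also why the advisory treats single-organization deployments as unaffected: there is no second tenant whose IdP could issue the forged assertion.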

CVE-2024-9636

Description: The Post Grid and Gutenberg Blocks plugin for WordPress is vulnerable to privilege escalation in versions 2.2.85 to 2.3.3. This is due to the plugin not properly restricting what user meta can be updated during profile registration. This makes it possible for unauthenticated attackers to register on the site as an administrator.

CVSS: CRITICAL (9.8)

EPSS Score: 0.06%

Source: CVE
January 16th, 2025 (3 months ago)

CVE-2024-12297

Description: Moxa’s Ethernet switch EDS-508A Series, running firmware version 3.11 and earlier, is vulnerable to an authentication bypass because of flaws in its authorization mechanism. Although both client-side and back-end server verification are involved in the process, attackers can exploit weaknesses in its implementation. These vulnerabilities may enable brute-force attacks to guess valid credentials or MD5 collision attacks to forge authentication hashes, potentially compromising the security of the device.

CVSS: CRITICAL (9.2)

EPSS Score: 0.04%

Source: CVE
January 16th, 2025 (3 months ago)

CVE-2025-23025

Description: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. NOTE: The Realtime WYSIWYG Editor extension was **experimental**, and thus **not recommended**, in the versions affected by this vulnerability. It has become enabled by default, and thus recommended, starting with XWiki 16.9.0. A user with only **edit right** can join a realtime editing session where others, who were already there or who may join later, have **script** or **programming** access rights. This user can then insert **script rendering macros** that are executed for those users in the realtime session that have script or programming rights. The inserted scripts can be used to gain more access rights. This vulnerability has been patched in XWiki 15.10.2, 16.4.1 and 16.6.0-rc-1. Users are advised to upgrade. Users unable to upgrade may either disable realtime WYSIWYG editing by disabling the `xwiki-realtime` CKEditor plugin from the WYSIWYG editor administration section or uninstall the Realtime WYSIWYG Editor extension (org.xwiki.platform:xwiki-platform-realtime-wysiwyg-ui).

CVSS: CRITICAL (9.1)

EPSS Score: 0.05%

Source: CVE
January 15th, 2025 (3 months ago)