CVE-2025-22152
Description: Atheos is a self-hosted browser-based cloud IDE. Prior to v600, the $path and $target parameters are not properly validated across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server. These vulnerabilities can be exploited through various attack vectors present in multiple PHP files. This vulnerability is fixed in v600.
CVSS: CRITICAL (9.4); EPSS Score: 0.04%
January 11th, 2025

CVE-2024-57823
Description: In Raptor RDF Syntax Library through 2.0.16, there is an integer underflow when normalizing a URI with the turtle parser in raptor_uri_normalize_path().
CVSS: CRITICAL (9.3); EPSS Score: 0.05%
January 11th, 2025

CVE-2024-56511
Description: DataEase is an open source data visualization analysis tool. Prior to 2.10.4, there is a flaw in the authentication in the io.dataease.auth.filter.TokenFilter class, which can be bypassed and cause the risk of unauthorized access. In the io.dataease.auth.filter.TokenFilter class, "request.getRequestURI" is used to obtain the request URL, and it is passed to the "WhitelistUtils.match" method to determine whether the URL request is an interface that does not require authentication. The "match" method filters semicolons, but this is not enough. When users set "server.servlet.context-path" when deploying products, there is still a risk of a bypass using any whitelisted prefix, e.g. /geo/../context-path/. The vulnerability has been fixed in v2.10.4.
CVSS: CRITICAL (9.3); EPSS Score: 0.04%
January 11th, 2025

CVE-2024-41787
Description: IBM Engineering Requirements Management DOORS Next 7.0.2 and 7.0.3 could allow a remote attacker to bypass security restrictions, caused by a race condition. By sending a specially crafted request, an attacker could exploit this vulnerability to remotely execute code.
CVSS: CRITICAL (9.8); EPSS Score: 0.09%
January 11th, 2025

CVE-2024-12847
Description: NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands as root by sending crafted HTTP requests to the setup.cgi endpoint. This vulnerability has been exploited in the wild since at least 2017.
CVSS: CRITICAL (9.8); EPSS Score: 0.08%
January 11th, 2025

CVE-2025-0282
Description: Did you have a good break? Have you had a chance to breathe? Wake up. It's 2025, and the chaos continues. Haha, see what we did? We wrote the exact same thing in 2024 because 2024 was exactly the same. As an industry, we are on Groundhog Day.
CVSS: CRITICAL (9.0); EPSS Score: 15.33%
January 10th, 2025

CVE-2025-22542
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ofek Nakar Virtual Bot allows Blind SQL Injection. This issue affects Virtual Bot: from n/a through 1.0.0.
CVSS: CRITICAL (9.3); EPSS Score: 0.04%
January 10th, 2025

CVE-2025-22540
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sebastian Orellana Emailing Subscription allows Blind SQL Injection. This issue affects Emailing Subscription: from n/a through 1.4.1.
CVSS: CRITICAL (9.3); EPSS Score: 0.04%
January 10th, 2025

CVE-2025-22504
Description: Unrestricted Upload of File with Dangerous Type vulnerability in jumpdemand 4ECPS Web Forms allows Upload a Web Shell to a Web Server. This issue affects 4ECPS Web Forms: from n/a through 0.2.18.
CVSS: CRITICAL (10.0); EPSS Score: 0.04%
January 10th, 2025

CVE-2025-21628
Description: Chatwoot is a customer engagement suite. Prior to 3.16.0, the conversation and contact filter endpoints did not sanitize the query_operator input passed from the frontend or the API. This gave any authenticated actor an attack vector to run arbitrary SQL within the filter query by adding a tautological WHERE clause. This issue is patched in v3.16.0.
CVSS: CRITICAL (9.1); EPSS Score: 0.04%
January 10th, 2025