CyberAlerts

CVE-2024-13931

Description: Relative Path Traversal vulnerabilities in ASPECT allow access to file resources if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.

CVSS: HIGH (7.2)

EPSS Score: 0.07%

Source: CVE

May 22nd, 2025 (24 days ago)

CVE-2024-13929

Authenticated Servlet Command Injection

Description: Servlet injection vulnerabilities in ASPECT allow remote code execution if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.

CVSS: HIGH (7.2)

EPSS Score: 0.31%

Source: CVE

May 22nd, 2025 (24 days ago)

CVE-2024-13928

Authenticated SQL Injection

Description: SQL injection vulnerabilities in ASPECT allow unintended access and manipulation of database repositories if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.

CVSS: HIGH (7.5)

EPSS Score: 0.04%

Source: CVE

May 22nd, 2025 (24 days ago)

CVE-2025-47779

Using malformed From header can forge identity with ";" or NULL in name portion

Description: Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue.

CVSS: HIGH (7.7)

EPSS Score: 0.04%

Source: CVE

May 22nd, 2025 (24 days ago)

CVE-2025-46715

Sandboxie Arbitrary Kernel Write in SbieDrv.sys API (API_GET_SECURE_PARAM)

Description: Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_GetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to write to. GetRegValue then writes the contents of the SBIE registry entry selected to this address. An attacker can pass in a kernel pointer and the driver dumps the registry key contents we requested to it. This can be triggered by anyone on the system, including low integrity windows processes. Version 1.15.12 fixes the issue.

CVSS: HIGH (7.8)

EPSS Score: 0.02%

Source: CVE

May 22nd, 2025 (24 days ago)

CVE-2025-43596

MSP360 Backup (for Windows) insecure filesystem permissions

Description: An insecure file system permissions vulnerability in MSP360 Backup 8.0 allows a low privileged user to execute commands with SYSTEM level privileges using a specially crafted file with an arbitrary file backup target. Upgrade to MSP360 Backup 8.1.1.19 (released on 2025-05-15).

CVSS: HIGH (7.8)

EPSS Score: 0.02%

Source: CVE

May 22nd, 2025 (24 days ago)

CVE-2025-33137

IBM Aspera Faspex data modification

Description: IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to client-side enforcement of server-side security.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE

May 22nd, 2025 (24 days ago)

CVE-2025-33136

IBM Aspera Faspex data modification

Description: IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to improper protection of assumed immutable data.

CVSS: HIGH (7.1)

EPSS Score: 0.03%

Source: CVE

May 22nd, 2025 (24 days ago)

CVE-2024-48850

Authenticated Absolute Path Traversal

Description: Absolute File Traversal vulnerabilities in ASPECT allows access and modification of unintended resources. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.

CVSS: HIGH (7.2)

EPSS Score: 0.06%

Source: CVE

May 22nd, 2025 (24 days ago)

CVE-2025-5081

Campcodes Cybercafe Management System adminprofile.php sql injection

Description: A vulnerability classified as critical was found in Campcodes Cybercafe Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /adminprofile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. In Campcodes Cybercafe Management System 1.0 wurde eine kritische Schwachstelle entdeckt. Das betrifft eine unbekannte Funktionalität der Datei /adminprofile.php. Durch die Manipulation des Arguments mobilenumber mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.

CVSS: HIGH (7.3)

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE

May 22nd, 2025 (24 days ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-13931	Authenticated Relative Path Traversal Description: Relative Path Traversal vulnerabilities in ASPECT allow access to file resources if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. CVSS: HIGH (7.2) EPSS Score: 0.07% Source: CVE May 22nd, 2025 (24 days ago)
CVE-2024-13929	Authenticated Servlet Command Injection Description: Servlet injection vulnerabilities in ASPECT allow remote code execution if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. CVSS: HIGH (7.2) EPSS Score: 0.31% Source: CVE May 22nd, 2025 (24 days ago)
CVE-2024-13928	Authenticated SQL Injection Description: SQL injection vulnerabilities in ASPECT allow unintended access and manipulation of database repositories if session administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. CVSS: HIGH (7.5) EPSS Score: 0.04% Source: CVE May 22nd, 2025 (24 days ago)
CVE-2025-47779	Using malformed From header can forge identity with ";" or NULL in name portion Description: Asterisk is an open-source private branch exchange (PBX). Prior to versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk, SIP requests of the type MESSAGE (RFC 3428) authentication do not get proper alignment. An authenticated attacker can spoof any user identity to send spam messages to the user with their authorization token. Abuse of this security issue allows authenticated attackers to send fake chat messages can be spoofed to appear to come from trusted entities. Even administrators who follow Security best practices and Security Considerations can be impacted. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. Versions 18.26.2, 20.14.1, 21.9.1, and 22.4.1 of Asterisk and versions 18.9-cert14 and 20.7-cert5 of certified-asterisk fix the issue. CVSS: HIGH (7.7) EPSS Score: 0.04% Source: CVE May 22nd, 2025 (24 days ago)
CVE-2025-46715	Sandboxie Arbitrary Kernel Write in SbieDrv.sys API (API_GET_SECURE_PARAM) Description: Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_GetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to write to. GetRegValue then writes the contents of the SBIE registry entry selected to this address. An attacker can pass in a kernel pointer and the driver dumps the registry key contents we requested to it. This can be triggered by anyone on the system, including low integrity windows processes. Version 1.15.12 fixes the issue. CVSS: HIGH (7.8) EPSS Score: 0.02% Source: CVE May 22nd, 2025 (24 days ago)
CVE-2025-43596	MSP360 Backup (for Windows) insecure filesystem permissions Description: An insecure file system permissions vulnerability in MSP360 Backup 8.0 allows a low privileged user to execute commands with SYSTEM level privileges using a specially crafted file with an arbitrary file backup target. Upgrade to MSP360 Backup 8.1.1.19 (released on 2025-05-15). CVSS: HIGH (7.8) EPSS Score: 0.02% Source: CVE May 22nd, 2025 (24 days ago)
CVE-2025-33137	IBM Aspera Faspex data modification Description: IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to client-side enforcement of server-side security. CVSS: HIGH (7.1) EPSS Score: 0.04% Source: CVE May 22nd, 2025 (24 days ago)
CVE-2025-33136	IBM Aspera Faspex data modification Description: IBM Aspera Faspex 5.0.0 through 5.0.12 could allow an authenticated user to obtain sensitive information or perform unauthorized actions on behalf of another user due to improper protection of assumed immutable data. CVSS: HIGH (7.1) EPSS Score: 0.03% Source: CVE May 22nd, 2025 (24 days ago)
CVE-2024-48850	Authenticated Absolute Path Traversal Description: Absolute File Traversal vulnerabilities in ASPECT allows access and modification of unintended resources. This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03. CVSS: HIGH (7.2) EPSS Score: 0.06% Source: CVE May 22nd, 2025 (24 days ago)
CVE-2025-5081	Campcodes Cybercafe Management System adminprofile.php sql injection Description: A vulnerability classified as critical was found in Campcodes Cybercafe Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /adminprofile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. In Campcodes Cybercafe Management System 1.0 wurde eine kritische Schwachstelle entdeckt. Das betrifft eine unbekannte Funktionalität der Datei /adminprofile.php. Durch die Manipulation des Arguments mobilenumber mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung. CVSS: HIGH (7.3) EPSS Score: 0.03% SSVC Exploitation: poc Source: CVE May 22nd, 2025 (24 days ago)