CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-1137 |
Description: IBM Storage Scale 5.2.2.0 and 5.2.2.1, under certain configurations, could allow an authenticated user to execute privileged commands due to improper input neutralization.
CVSS: HIGH (7.5) EPSS Score: 0.05%
May 10th, 2025 (about 1 month ago)
|
|
CVE-2025-47424 |
Description: Retool (self-hosted) before 3.196.0 allows Host header injection. When the BASE_DOMAIN environment variable is not set, the HTTP host header can be manipulated.
CVSS: HIGH (7.1) EPSS Score: 0.02%
May 10th, 2025 (about 1 month ago)
|
|
CVE-2025-4494 |
Description: A vulnerability, which was classified as critical, was found in JAdmin-JAVA JAdmin 1.0. Affected is the function toLogin of the file NoNeedLoginController.java of the component Admin Backend. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine Schwachstelle in JAdmin-JAVA JAdmin 1.0 gefunden. Sie wurde als kritisch eingestuft. Dabei betrifft es die Funktion toLogin der Datei NoNeedLoginController.java der Komponente Admin Backend. Durch Beeinflussen mit unbekannten Daten kann eine improper authentication-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.1%
May 9th, 2025 (about 1 month ago)
|
|
CVE-2025-4492 |
Description: A vulnerability, which was classified as critical, has been found in Campcodes Online Food Ordering System 1.0. This issue affects some unknown processing of the file /routers/ticket-message.php. The manipulation of the argument ticket_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Eine Schwachstelle wurde in Campcodes Online Food Ordering System 1.0 entdeckt. Sie wurde als kritisch eingestuft. Dies betrifft einen unbekannten Teil der Datei /routers/ticket-message.php. Durch das Beeinflussen des Arguments ticket_id mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.03%
May 9th, 2025 (about 1 month ago)
|
|
CVE-2025-47269 |
Description: code-server runs VS Code on any machine anywhere through browser access. Prior to version 4.99.4, a maliciously crafted URL using the proxy subpath can result in the attacker gaining access to the session token. Failure to properly validate the port for a proxy request can result in proxying to an arbitrary domain. The malicious URL `https:///proxy/[email protected]/path` would be proxied to `[email protected]/path` where the attacker could exfiltrate a user's session token. Any user who runs code-server with the built-in proxy enabled and clicks on maliciously crafted links that go to their code-server instances with reference to /proxy. Normally this is used to proxy local ports, however the URL can reference the attacker's domain instead, and the connection is then proxied to that domain, which will include sending cookies. With access to the session cookie, the attacker can then log into code-server and have full access to the machine hosting code-server as the user running code-server. This issue has been patched in version 4.99.4.
CVSS: HIGH (8.3) EPSS Score: 0.04%
May 9th, 2025 (about 1 month ago)
|
|
CVE-2025-4447 |
Description: In Eclipse OpenJ9 versions up to 0.51, when used with OpenJDK version 8 a stack based buffer overflow can be caused by modifying a file on disk that is read when the JVM starts.
CVSS: HIGH (7.0) EPSS Score: 0.02%
May 9th, 2025 (about 1 month ago)
|
|
CVE-2025-4488 |
Description: A vulnerability was found in itsourcecode Gym Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=delete_package. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. In itsourcecode Gym Management System 1.0 wurde eine kritische Schwachstelle ausgemacht. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /ajax.php?action=delete_package. Mittels dem Manipulieren des Arguments ID mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.03%
May 9th, 2025 (about 1 month ago)
|
|
CVE-2025-4484 |
Description: A vulnerability, which was classified as critical, was found in itsourcecode Gym Management System 1.0. This affects an unknown part of the file /ajax.php?action=delete_user. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine kritische Schwachstelle in itsourcecode Gym Management System 1.0 gefunden. Betroffen hiervon ist ein unbekannter Ablauf der Datei /ajax.php?action=delete_user. Dank Manipulation des Arguments ID mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.03%
May 9th, 2025 (about 1 month ago)
|
|
CVE-2024-25121 |
Description: TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 version 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 which fix the problem described. When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` & `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`.
CVSS: HIGH (7.1) EPSS Score: 0.17% SSVC Exploitation: none
May 9th, 2025 (about 1 month ago)
|
|
CVE-2024-24924 |
Description: A vulnerability has been identified in Simcenter Femap (All versions < V2306.0000). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted Catia MODEL file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-22059)
CVSS: HIGH (7.8) EPSS Score: 0.05% SSVC Exploitation: none
May 9th, 2025 (about 1 month ago)
|