
Threat and Vulnerability Intelligence Database


CVE-2025-21605

Description: Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, an unauthenticated client can cause unlimited growth of output buffers until the server runs out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal clients (see client-output-buffer-limit). Therefore, the output buffer can grow without bound over time. As a result, the service is exhausted and the memory is unavailable. When password authentication is enabled on the Redis server but no password is provided, the client can still cause the output buffer to grow from "NOAUTH" responses until the system runs out of memory. This issue has been patched in version 7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is to block access so that unauthenticated users cannot connect to Redis. This can be done in different ways: either using network access control tools such as firewalls, iptables, security groups, etc., or enabling TLS and requiring users to authenticate using client-side certificates.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
April 23rd, 2025 (2 months ago)

CVE-2025-1021

Description: Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors.

CVSS: HIGH (7.5)

EPSS Score: 0.06%

SSVC Exploitation: none

Source: CVE
April 23rd, 2025 (2 months ago)

CVE-2025-42603

Description: This vulnerability exists in the Meon KYC solutions due to transmission of sensitive data in plain text within the response payloads of certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting an API response that contains unencrypted sensitive information belonging to other users. Successful exploitation of this vulnerability could allow a remote attacker to impersonate the target user and gain unauthorized access to the user account.

CVSS: HIGH (8.7)

EPSS Score: 0.1%

Source: CVE
April 23rd, 2025 (2 months ago)

CVE-2025-42602

Description: This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of the authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through the API request body, leading to unauthorized access to other user accounts.

CVSS: HIGH (8.2)

EPSS Score: 0.26%

Source: CVE
April 23rd, 2025 (2 months ago)

CVE-2025-42601

Description: This vulnerability exists in Meon KYC solutions due to insufficient server-side validation of the Captcha in certain API endpoints. A remote attacker could exploit this vulnerability by intercepting the request and removing the Captcha parameter, bypassing the Captcha verification mechanism.

CVSS: HIGH (8.2)

EPSS Score: 0.15%

Source: CVE
April 23rd, 2025 (2 months ago)

CVE-2025-42600

Description: This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts through certain API endpoints of the login process. A remote attacker could exploit this vulnerability by performing a brute force attack on the OTP, which could lead to unauthorized access to other user accounts.

CVSS: HIGH (8.2)

EPSS Score: 0.22%

Source: CVE
April 23rd, 2025 (2 months ago)

CVE-2025-3530

Description: The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to product price manipulation in all versions up to, and including, 5.1.2. This is due to a logic flaw involving the inconsistent use of parameters during the cart addition process. The plugin uses the parameter 'product_tmp_two' for computing a security hash against price tampering while using 'wspsc_product' to display the product, allowing an unauthenticated attacker to substitute details from a cheaper product and bypass payment for a more expensive item.

CVSS: HIGH (7.5)

EPSS Score: 0.1%

Source: CVE
April 23rd, 2025 (2 months ago)

CVE-2025-3529

Description: The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.1.2 via the 'file_url' parameter. This makes it possible for unauthenticated attackers to view potentially sensitive information and download a digital product without paying for it.

CVSS: HIGH (8.2)

EPSS Score: 0.07%

Source: CVE
April 23rd, 2025 (2 months ago)

Description: https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54 reported a vulnerability where loading a malicious model could result in code execution on the vLLM host. The fix applied, specifying weights_only=True in calls to torch.load(), did not solve the problem prior to PyTorch 2.6.0. PyTorch has issued a new CVE about this problem: https://github.com/advisories/GHSA-53q9-r3pm-6pq6. This means that versions of vLLM using PyTorch before 2.6.0 are vulnerable to this problem.

Background Knowledge: When users install vLLM according to the official manual, the version of PyTorch is pinned in the requirements.txt file, so by default installing vLLM installs PyTorch version 2.5.1. In CVE-2025-24357, weights_only=True was used for patching, but we know this is not secure, because we found that using weights_only=True in PyTorch before 2.5.1 was unsafe. Here, we use this interface to prove that it is not safe.

Fix: Update the PyTorch version to 2.6.0.

Credit: This vulnerability was found by Ji'an Zhou and Li'shuo Song.

References:
https://github.com/pytorch/pytorch/security/advisories/GHSA-53q9-r3pm-6pq6
https://github.com/vllm-project/vllm/security/advisories/GHSA-ggpf-24jw-3fcw
https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54
https://github.com/advisories/GHSA-ggpf-24jw-3fcw

CVSS: HIGH (7.5)

Source: Github Advisory Database (PIP)
April 23rd, 2025 (2 months ago)

CVE-2025-43950

Description: DPMAdirektPro 4.1.5 is vulnerable to DLL Hijacking. It happens by placing a malicious DLL in a directory (in the absence of a legitimate DLL), which is then loaded by the application instead of the legitimate DLL. This causes the malicious DLL to load with the same privileges as the application, resulting in a privilege escalation.

CVSS: HIGH (7.8)

EPSS Score: 0.01%

Source: CVE
April 22nd, 2025 (2 months ago)