CVE-2024-29190 |
Description: Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In version 3.9.5 Beta and prior, MobSF does not perform any input validation when extracting the hostnames in `android:host`, so requests can also be sent to local hostnames. This can lead to server-side request forgery. An attacker can cause the server to make a connection to internal-only services within the organization's infrastructure. Commit 5a8eeee73c5f504a6c3abdf2a139a13804efdb77 has a hotfix for this issue.
CVSS: HIGH (7.5) EPSS Score: 0.08% SSVC Exploitation: poc
April 10th, 2025 (3 months ago)
|
CVE-2024-29019 |
Description: ESPHome is a system to control microcontrollers remotely through Home Automation systems. API endpoints in the dashboard component of ESPHome version 2023.12.9 (command line installation) are vulnerable to Cross-Site Request Forgery (CSRF), allowing remote attackers to carry out attacks against a logged-in user of the dashboard to perform operations on configuration files (create, edit, delete). A malicious actor can create a specially crafted web page that triggers a cross-site request against ESPHome, which allows bypassing the authentication for API calls on the platform. This vulnerability allows bypassing authentication on API calls accessing configuration file operations on behalf of a logged-in user. In order to trigger the vulnerability, the victim must visit a weaponized page. In addition, it is possible to chain this vulnerability with GHSA-9p43-hj5j-96h5 / CVE-2024-27287 to obtain a complete takeover of the user account. Version 2024.3.0 contains a patch for this issue.
CVSS: HIGH (8.1) EPSS Score: 0.08% SSVC Exploitation: poc
April 10th, 2025 (3 months ago)
|
CVE-2024-2807 |
Description: A vulnerability classified as critical was found in Tenda AC15 15.03.05.18/15.03.20_multi. This vulnerability affects the function formExpandDlnaFile of the file /goform/expandDlnaFile. The manipulation of the argument filePath leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-257662 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS: HIGH (8.8) EPSS Score: 0.43% SSVC Exploitation: poc
April 10th, 2025 (3 months ago)
|
CVE-2024-27994 |
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Reflected XSS. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.5.0.
CVSS: HIGH (7.1) EPSS Score: 0.24% SSVC Exploitation: none
April 10th, 2025 (3 months ago)
|
CVE-2024-27921 |
Description: Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw poses severe risks: it can allow attackers to inject arbitrary code on the server, undermine the integrity of backup files by overwriting existing files or creating new ones, and exfiltrate sensitive data using CSS exfiltration techniques. Upgrading to patched version 1.7.45 can mitigate the issue.
CVSS: HIGH (8.8) EPSS Score: 6.07% SSVC Exploitation: poc
April 10th, 2025 (3 months ago)
|
CVE-2024-27769 |
Description: Unitronics Unistream Unilogic – Versions prior to 1.35.227 - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor may allow Taking Ownership Over Devices
CVSS: HIGH (8.8) EPSS Score: 0.07% SSVC Exploitation: none
April 10th, 2025 (3 months ago)
|
CVE-2024-27195 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in Sandi Verdev Watermark RELOADED allows Stored XSS. This issue affects Watermark RELOADED: from n/a through 1.3.5.
CVSS: HIGH (7.1) EPSS Score: 0.05% SSVC Exploitation: none
April 10th, 2025 (3 months ago)
|
CVE-2024-27096 |
Description: GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can exploit a SQL injection vulnerability in the search engine to extract data from the database. This issue has been patched in version 10.0.13.
CVSS: HIGH (7.7) EPSS Score: 0.19% SSVC Exploitation: none
April 10th, 2025 (3 months ago)
|
CVE-2024-2597 |
Description: Vulnerability in AMSS++ version 4.31, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /amssplus/modules/book/main/bookdetail_school_person.php, in the 'b_id' parameter. This vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
CVSS: HIGH (7.1) EPSS Score: 0.03% SSVC Exploitation: none
April 10th, 2025 (3 months ago)
|
CVE-2024-2586 |
Description: Vulnerability in AMSS++ version 4.31 that allows SQL injection through /amssplus/index.php, in the 'username' parameter. This vulnerability could allow a remote attacker to send a specially crafted SQL query to the server and retrieve all the information stored in the DB.
CVSS: HIGH (8.2) EPSS Score: 0.02% SSVC Exploitation: none
April 10th, 2025 (3 months ago)
|