CVE-2025-48390
Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the php_path parameter. Backtick characters are not removed, nor is tabulation. When checking user input, the file_exists function is also called to check for the presence of such a file (folder) in the file system. A user with the administrator role can create a translation for the language, which will create a folder in the file system. Further, in tools.php, the user can specify the path to this folder as php_path, which will lead to the execution of code in backticks. This issue has been patched in version 1.8.178.
CVSS: HIGH (8.6) EPSS Score: 0.09%
May 29th, 2025

CVE-2025-48389
Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to deserialization of untrusted data due to insufficient validation. Through the set function, a string with a serialized object can be passed, and when getting an option through the get method, deserialization will occur, which will allow arbitrary code execution. This issue has been patched in version 1.8.178.
CVSS: HIGH (8.6) EPSS Score: 0.09%
May 29th, 2025

CVE-2024-24556
Description: urql is a GraphQL client that exposes a set of helpers for several frameworks. The `@urql/next` package is vulnerable to XSS. To exploit this, an attacker would need to ensure that the response returns `html` tags and that the web application is using streamed responses (non-RSC). This vulnerability is due to improper escaping of html-like characters in the response stream. To fix this vulnerability, upgrade to version 1.1.1.
CVSS: HIGH (7.2) EPSS Score: 0.35% SSVC Exploitation: none
May 29th, 2025

CVE-2024-23940
Description: Trend Micro uiAirSupport, included in the Trend Micro Security 2023 family of consumer products, version 6.0.2092 and below, is vulnerable to a DLL hijacking/proxying vulnerability, which if exploited could allow an attacker to impersonate and modify a library to execute code on the system and ultimately escalate privileges on an affected system.
CVSS: HIGH (7.8) EPSS Score: 0.05% SSVC Exploitation: poc
May 29th, 2025

CVE-2024-23896
Description: A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stock.php, in the batchno parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
CVSS: HIGH (8.2) EPSS Score: 0.04% SSVC Exploitation: none
May 29th, 2025

CVE-2024-23894
Description: A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancecreate.php, in the issuancedate parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
CVSS: HIGH (8.2) EPSS Score: 0.04% SSVC Exploitation: none
May 29th, 2025

CVE-2024-23893
Description: A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/costcentermodify.php, in the costcenterid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
CVSS: HIGH (8.2) EPSS Score: 0.04% SSVC Exploitation: none
May 29th, 2025

CVE-2024-23892
Description: A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/costcentercreate.php, in the costcenterid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
CVSS: HIGH (8.2) EPSS Score: 0.04% SSVC Exploitation: none
May 29th, 2025

CVE-2024-23890
Description: A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itempopup.php, in the description parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
CVSS: HIGH (8.2) EPSS Score: 0.05% SSVC Exploitation: none
May 29th, 2025

CVE-2024-23889
Description: A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemgroupcreate.php, in the itemgroupid parameter. Exploitation of this vulnerability could allow a remote attacker to send a specially crafted URL to an authenticated user and steal their session cookie credentials.
CVSS: HIGH (8.2) EPSS Score: 0.05% SSVC Exploitation: none
May 29th, 2025
