CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-22466
Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain...
Description: Reflected XSS in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote unauthenticated attacker to obtain admin privileges. User interaction is required.

CVSS: HIGH (8.2)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
April 8th, 2025 (3 months ago)

CVE-2025-22461
SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin...
Description: SQL injection in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows a remote authenticated attacker with admin privileges to achieve code execution.

CVSS: HIGH (7.2)

EPSS Score: 0.28%

Source: CVE
April 8th, 2025 (3 months ago)

CVE-2025-22458
DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System.
Description: DLL hijacking in Ivanti Endpoint Manager before version 2024 SU1 or before version 2022 SU7 allows an authenticated attacker to escalate to System.

CVSS: HIGH (7.8)

EPSS Score: 0.03%

Source: CVE
April 8th, 2025 (3 months ago)

CVE-2024-54024
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator...
Description: An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiIsolator before version 2.4.6 allows a privileged attacker with super-admin profile and CLI access to execute unauthorized code via specifically crafted HTTP requests.

CVSS: HIGH (7.0)

EPSS Score: 0.31%

SSVC Exploitation: none

Source: CVE
April 8th, 2025 (3 months ago)

CVE-2024-26013
A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4,...
Description: A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15 and before 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9 and before 7.0.15, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and before 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2 before 6.4.8 and Fortinet FortiWeb before 7.4.2 may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device

CVSS: HIGH (7.1)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
April 8th, 2025 (3 months ago)

CVE-2025-31498
c-ares has a use-after-free in read_answers()
Description: c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue a query either due to a DNS Cookie Failure or when the upstream server does not properly support EDNS, or possibly on TCP queries if the remote closed the connection immediately after a response. If there was an issue trying to put that new transaction on the wire, it would close the connection handle, but read_answers() was still expecting the connection handle to be available to possibly dequeue other responses. In theory a remote attacker might be able to trigger this by flooding the target with ICMP UNREACHABLE packets if they also control the upstream nameserver and can return a result with one of those conditions, this has been untested. Otherwise only a local attacker might be able to change system behavior to make send()/write() return a failure condition. This vulnerability is fixed in 1.34.5.

CVSS: HIGH (8.3)

EPSS Score: 0.14%

Source: CVE
April 8th, 2025 (3 months ago)

CVE-2025-30151
Shopware allows Denial Of Service via password length
Description: Shopware is an open commerce platform. It's possible to pass long passwords that leads to Denial Of Service via forms in Storefront forms or Store-API. This vulnerability is fixed in 6.6.10.3 or 6.5.8.17. For older versions of 6.4, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
April 8th, 2025 (3 months ago)

CVE-2024-3661
HPE Aruba Networking Virtual Intranet Access (VIA) Client < 4.7.2 Multiple Vulnerabilities (hpesbnw04841)
Description: Nessus Plugin ID 233997 with High Severity Synopsis The remote HPE Aruba Networking Virtual Intranet Access (VIA) Client is missing a security update. Description The version of HPE Aruba Networking Virtual Intranet Access (VIA) Client running on the remote host is affected by multiple vulnerabilities, as referenced in the hpesbnw04841 advisory. - DHCP can add routes to a client’s routing table via the classless static route option (121). VPN-based security solutions that rely on routes to redirect traffic can be forced to leak traffic over the physical interface. An attacker on the same local network can read, disrupt, or possibly modify network traffic that was expected to be protected by the VPN. (CVE-2024-3661) - [Windows only] A vulnerability in the HPE Aruba Networking Virtual Intranet Access (VIA) client could allow malicious users to overwrite arbitrary files as NT AUTHORITY\SYSTEM (root). A successful exploit could allow the creation of a Denial-of-Service (DoS) condition affecting the Microsoft Windows Operating System. This vulnerability does not affect Linux and Android based clients. (CVE-2025-25041)Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Upgrade to HPE Aruba Networking Virtual Intranet Access (VIA) Client version 4.7.2 or later. Read more at https://www.tenable.com/plugins/nessus/233997...

CVSS: HIGH (7.6)

Source: Tenable Plugins
April 8th, 2025 (3 months ago)

CVE-2025-29986
Dell Common Event Enabler, version(s) CEE 9.0.0.0, contain(s) an Improper Restriction of Communication Channel to Intended Endpoints vulnerability...
Description: Dell Common Event Enabler, version(s) CEE 9.0.0.0, contain(s) an Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Common Anti-Virus Agent (CAVA). An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access.

CVSS: HIGH (8.3)

EPSS Score: 0.09%

Source: CVE
April 8th, 2025 (3 months ago)

CVE-2025-2807
Motors – Car Dealership & Classified Listings Plugin <= 1.4.64 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
Description: The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary plugin installations due to a missing capability check in the mvl_setup_wizard_install_plugin() function in all versions up to, and including, 1.4.64. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins on the affected site's server which may make remote code execution possible.

CVSS: HIGH (8.8)

EPSS Score: 0.24%

Source: CVE
April 8th, 2025 (3 months ago)