CVE-2025-30080 |
Description: Signalling in Pexip Infinity 29 through 36.2 before 37.0 has improper input validation that allows remote attackers to trigger a temporary denial of service (software abort).
CVSS: HIGH (7.5) EPSS Score: 0.12%
April 2nd, 2025 (3 months ago)
|
CVE-2025-22923 |
Description: An issue in OS4ED openSIS v8.0 through v9.1 allows attackers to execute a directory traversal and delete files by sending a crafted POST request to /Modules.php?modname=users/Staff.php&removefile.
CVSS: HIGH (8.8) EPSS Score: 0.34%
April 2nd, 2025 (3 months ago)
|
CVE-2024-37917 |
Description: Pexip Infinity before 35.0 has improper input validation that allows remote attackers to trigger a denial of service (software abort) via a crafted signalling message.
CVSS: HIGH (7.5) EPSS Score: 0.12%
April 2nd, 2025 (3 months ago)
|
CVE-2023-27591 |
Description:
Impact: An unauthenticated user can retrieve Prometheus metrics from a publicly reachable Miniflux instance where the METRICS_COLLECTOR configuration option is enabled and METRICS_ALLOWED_NETWORKS is set to 127.0.0.1/8 (the default).
Patches: PR #1745 fixes the problem. Available in Miniflux >= 2.0.43.
Workarounds: Set METRICS_COLLECTOR to false (default) or run Miniflux behind a trusted reverse-proxy.
References:
https://miniflux.app/docs/configuration.html#metrics-collector
https://miniflux.app/docs/configuration.html#metrics-allowed-networks
https://github.com/miniflux/v2/security/advisories/GHSA-3qjf-qh38-x73v
https://nvd.nist.gov/vuln/detail/CVE-2023-27591
https://github.com/miniflux/v2/pull/1745
https://github.com/miniflux/v2/releases/tag/2.0.43
https://github.com/advisories/GHSA-3qjf-qh38-x73v
CVSS: HIGH (7.5)
April 2nd, 2025 (3 months ago)
|
CVE-2025-20212 |
Description: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series devices could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. To exploit this vulnerability, the attacker must have valid VPN user credentials on the affected device.
This vulnerability exists because a variable is not initialized when an SSL VPN session is established. An attacker could exploit this vulnerability by supplying crafted attributes while establishing an SSL VPN session with an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN sessions and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established.
Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers without manual intervention.
CVSS: HIGH (7.7) EPSS Score: 0.12% SSVC Exploitation: none
April 2nd, 2025 (3 months ago)
|
CVE-2025-20139 |
Description: A vulnerability in chat messaging features of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.
This vulnerability is due to improper validation of user-supplied input to chat entry points. An attacker could exploit this vulnerability by sending malicious requests to a messaging chat entry point in the affected application. A successful exploit could allow the attacker to cause the application to stop responding, resulting in a DoS condition. The application may not recover on its own and may need an administrator to manually restart services to recover.
CVSS: HIGH (7.5) EPSS Score: 0.1% SSVC Exploitation: none
April 2nd, 2025 (3 months ago)
|
CVE-2025-0014 |
Description: Incorrect default permissions on the AMD Ryzen(TM) AI installation folder could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution.
CVSS: HIGH (7.3) EPSS Score: 0.01% SSVC Exploitation: none
April 2nd, 2025 (3 months ago)
|
CVE-2024-36337 |
Description: Integer overflow within AMD NPU Driver could allow a local attacker to write out of bounds, potentially leading to loss of confidentiality, integrity or availability.
CVSS: HIGH (7.9) EPSS Score: 0.01% SSVC Exploitation: none
April 2nd, 2025 (3 months ago)
|
CVE-2024-36336 |
Description: Integer overflow within the AMD NPU Driver could allow a local attacker to write out of bounds, potentially leading to a loss of confidentiality, integrity, or availability.
CVSS: HIGH (7.9) EPSS Score: 0.01% SSVC Exploitation: none
April 2nd, 2025 (3 months ago)
|