CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-20917
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Log Management). The supported...
Description: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Log Management). The supported version that is affected is 13.5.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Manager Base Platform accessible data as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L).

CVSS: HIGH (7.5)

EPSS Score: 0.09%

SSVC Exploitation: none

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-30358
Mesop Class Pollution vulnerability leads to DoS and Jailbreak attacks
Description: Mesop is a Python-based UI framework that allows users to build web applications. A class pollution vulnerability in Mesop prior to version 0.14.1 allows attackers to overwrite global variables and class attributes in certain Mesop modules during runtime. This vulnerability could directly lead to a denial of service (DoS) attack against the server. Additionally, it could also result in other severe consequences given the application's implementation, such as identity confusion, where an attacker could impersonate an assistant or system role within conversations. This impersonation could potentially enable jailbreak attacks when interacting with large language models (LLMs). Just like the Javascript's prototype pollution, this vulnerability could leave a way for attackers to manipulate the intended data-flow or control-flow of the application at runtime and lead to severe consequences like remote code execution when gadgets are available. Users should upgrade to version 0.14.1 to obtain a fix for the issue.

CVSS: HIGH (8.1)

EPSS Score: 0.32%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-25100
WordPress Cazamba plugin <= 1.2 - CSRF to Reflected Cross Site Scripting (XSS) vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in victoracano Cazamba allows Reflected XSS.This issue affects Cazamba: from n/a through 1.2.

CVSS: HIGH (7.1)

EPSS Score: 0.02%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-25086
WordPress Secret Meta plugin <= 1.2.1 - CSRF to Reflected Cross Site Scripting (XSS) vulnerability
Description: Cross-Site Request Forgery (CSRF) vulnerability in WPDeveloper Secret Meta allows Reflected XSS.This issue affects Secret Meta: from n/a through 1.2.1.

CVSS: HIGH (7.1)

EPSS Score: 0.02%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2024-21079
Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Campaign LOV). Supported versions that are affected are...
Description: Vulnerability in the Oracle Marketing product of Oracle E-Business Suite (component: Campaign LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Marketing. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Marketing accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS: HIGH (7.5)

EPSS Score: 0.19%

SSVC Exploitation: none

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-30355
Synapse vulnerable to federation denial of service via malformed events
🚨 Marked as known exploited on March 27th, 2025 (3 months ago).
Description: Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.

CVSS: HIGH (7.1)

EPSS Score: 0.94%

SSVC Exploitation: none

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-2255
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
Description: An issue has been discovered in Gitlab EE/CE for AppSec affecting all versions from 13.5.0 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Certain error messages could allow Cross-Site Scripting attacks (XSS). for AppSec.

CVSS: HIGH (8.7)

EPSS Score: 0.02%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-2242
Incorrect Authorization in GitLab
Description: An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to groups and projects.

CVSS: HIGH (7.5)

EPSS Score: 0.01%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2025-0811
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
Description: An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. Improper rendering of certain file types leads to cross-site scripting.

CVSS: HIGH (8.7)

EPSS Score: 0.02%

Source: CVE
March 27th, 2025 (3 months ago)

CVE-2024-56171
Amazon Linux 2 : libxml2 (ALAS-2025-2794)
Description: Nessus Plugin ID 233379 with High Severity Synopsis The remote Amazon Linux 2 host is missing a security update. Description The version of libxml2 installed on the remote host is prior to 2.9.1-6. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2794 advisory. libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a use-after-free in xmlSchemaIDCFillNodeTables and xmlSchemaBubbleIDCNodeTables in xmlschemas.c. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used. (CVE-2024-56171) libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047. (CVE-2025-24928) libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. (CVE-2025-27113)Tenable has extracted the preceding description block directly from the tested product security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Run 'yum update libxml2' to update your system. Read more at https://www.tenable.com/plugins/nessus/233379

CVSS: HIGH (7.8)

Source: Tenable Plugins
March 27th, 2025 (3 months ago)