CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

CVE-2025-24472

Description: Fortinet FortiOS and FortiProxy contain an authentication bypass vulnerability that allows a remote attacker to gain super-admin privileges via crafted CSF proxy requests.

CVSS: HIGH (8.1)

Source: CISA KEV
March 18th, 2025 (4 months ago)

CVE-2025-30066

Description: The tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading actions logs. These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens (PATs), npm tokens, and private RSA keys.

CVSS: HIGH (8.6)

EPSS Score: 63.87%

Source: CISA KEV
March 18th, 2025 (4 months ago)

CVE-2024-8927

Description: In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead to cgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

CVSS: HIGH (7.5)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
March 18th, 2025 (4 months ago)

CVE-2024-46259

Description: cute_png v1.05 was discovered to contain a heap buffer overflow via the cp_unfilter() function at cute_png.h.

CVSS: HIGH (7.8)

EPSS Score: 0.02%

SSVC Exploitation: poc

Source: CVE
March 18th, 2025 (4 months ago)

CVE-2025-27688

Description: Dell ThinOS 2408 and prior contains an improper permissions vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges.

CVSS: HIGH (7.8)

EPSS Score: 0.01%

Source: CVE
March 18th, 2025 (4 months ago)

CVE-2024-20927

Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 8.6 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).

CVSS: HIGH (8.6)

EPSS Score: 0.2%

SSVC Exploitation: none

Source: CVE
March 18th, 2025 (4 months ago)

CVE-2025-0813

Description:
1. EXECUTIVE SUMMARY
CVSS v4 7.0
ATTENTION: Low Attack Complexity
Vendor: Schneider Electric
Equipment: EcoStruxure Power Automation System User Interface (EPAS-UI)
Vulnerability: Improper Authentication
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to bypass device authentication, potentially gain access to sensitive information, or execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
EcoStruxure Power Automation System User Interface (EPAS-UI): Version v2.1 up to and including v2.9
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER AUTHENTICATION CWE-287
The Schneider Electric EcoStruxure Power Automation System User Interface (EPAS-UI) is vulnerable to authentication bypass. This occurs when an unauthorized user, without permission rights, has physical access to the EPAS-UI computer and is able to reboot the workstation and interrupt the normal boot process. CVE-2025-0813 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2025-0813. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
COUNTRIES/AREAS D...

CVSS: HIGH (7.0)

EPSS Score: 0.03%

Source: All CISA Advisories
March 18th, 2025 (4 months ago)

CVE-2025-1058

Description:
1. EXECUTIVE SUMMARY
CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: ASCO 5310 / 5350
Vulnerabilities: Download of Code Without Integrity Check, Allocation of Resources Without Limits or Throttling, Cleartext Transmission of Sensitive Information, Unrestricted Upload of File with Dangerous Type
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to perform a denial of service, loss of availability, or loss of device integrity.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports the following products are affected:
Schneider Electric ASCO 5310 Single-Channel Remote Annunciator: All versions
Schneider Electric ASCO 5350 Eight Channel Remote Annunciator: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494
Schneider Electric ASCO 5310 / 5350 remote annunciator is vulnerable to a download of code without integrity check vulnerability that could render the device inoperable when malicious firmware is downloaded. CVE-2025-1058 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2025-1058. A base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 ALLOCATION OF RESOURCES WITHOUT LIMIT...

CVSS: HIGH (7.2)

Source: All CISA Advisories
March 18th, 2025 (4 months ago)

CVE-2025-30107

Description: On IROAD V9 devices, Managing Settings and Obtaining Sensitive Data and Sabotaging the Car Battery can be performed by unauthorized parties. A vulnerability in the dashcam's configuration management allows unauthorized users to modify settings, disable critical functions, and turn off battery protection, potentially causing physical damage to the vehicle.

CVSS: HIGH (7.5)

EPSS Score: 0.04%

Source: CVE
March 18th, 2025 (4 months ago)

CVE-2024-37479

Description: Local File Inclusion vulnerability in LA-Studio LA-Studio Element Kit for Elementor via "LaStudioKit Progress Bar" widget in New Post, specifically in the "progress_type" attribute. This issue affects LA-Studio Element Kit for Elementor: from n/a through 1.3.8.1.

CVSS: HIGH (8.5)

EPSS Score: 0.33%

SSVC Exploitation: none

Source: CVE
March 18th, 2025 (4 months ago)