CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-12810 |
Description: The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability checks on multiple functions in all versions up to, and including, 7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, generate backups, restore backups, update theme options, and reset theme options to default settings.
CVSS: HIGH (8.8) EPSS Score: 0.05%
March 14th, 2025 (4 months ago)
|
|
CVE-2024-44987 |
Description:
Nessus Plugin ID 232714 with High Severity
Synopsis
The remote Amazon Linux 2 host is missing a security update.
Description
The version of kernel installed on the remote host is prior to 4.14.355-271.569. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2696 advisory. In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent UAF in ip6_send_skb() (CVE-2024-44987) In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix use-after-free when removing resource in vmci_resource_remove() (CVE-2024-46738) In the Linux kernel, the following vulnerability has been resolved: of/irq: Prevent device address out-of-bounds read in interrupt map walk (CVE-2024-46743) In the Linux kernel, the following vulnerability has been resolved: Squashfs: sanity check symbolic link size (CVE-2024-46744) In the Linux kernel, the following vulnerability has been resolved: Input: uinput - reject requests with unreasonable number of slots (CVE-2024-46745) In the Linux kernel, the following vulnerability has been resolved: PCI: Add missing bridge lock to pci_bus_lock() (CVE-2024-46750) In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83627ehf) Fix underflows seen when writing limit attributes (CVE-2024-46756) In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775-core) Fix underflows seen...
CVSS: HIGH (7.8) EPSS Score: 0.05%
March 14th, 2025 (4 months ago)
|
|
CVE-2025-24439 |
Description:
Nessus Plugin ID 232715 with High Severity
Synopsis
The remote host is missing one or more security updates.
Description
The version of Adobe Substance 3D Sampler installed on the remote host is prior to 5.0. It is, therefore, affected by multiple vulnerabilities as referenced in the APSB25-16 advisory. - Substance3D - Sampler versions 4.5.2 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2025-24439, CVE-2025-24443) - Substance3D - Sampler versions 4.5.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2025-24440, CVE-2025-24441, CVE-2025-24442, CVE-2025-24444, CVE-2025-24445)Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Adobe Substance 3D Sampler version 5.0 or later.
Read more at https://www.tenable.com/plugins/nessus/232715
CVSS: HIGH (7.8) EPSS Score: 0.02%
March 14th, 2025 (4 months ago)
|
|
CVE-2025-21169 |
Description:
Nessus Plugin ID 232716 with High Severity
Synopsis
The remote host is missing one or more security updates.
Description
The version of Adobe Substance 3D Designer installed on the remote host is prior to 14.1.1. It is, therefore, affected by multiple vulnerabilities as referenced in the APSB25-22 advisory. - Substance3D - Designer versions 14.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2025-21169) - Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. (CVE-2025-27172)Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Adobe Substance 3D Designer version 14.1.1 or later.
Read more at https://www.tenable.com/plugins/nessus/232716
CVSS: HIGH (7.8) EPSS Score: 0.02%
March 14th, 2025 (4 months ago)
|
|
CVE-2024-22038 |
Description:
Nessus Plugin ID 232718 with Medium Severity
Synopsis
The remote SUSE host is missing a security update.
Description
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:0857-1 advisory. - CVE-2024-22038: Fixed DoS attacks, information leaks with crafted Git repositories (bnc#1230469) Other fixes: - Fixed behaviour when using '--shell' aka 'osc shell' option in a VM build. Startup is faster and permissions stay intact now. - fixes for POSIX compatibility for obs-docker-support adn mkbaselibs - Add support for apk in docker/podman builds - Add support for 'wget' in Docker images - Fix debian support for Dockerfile builds - Fix preinstallimages in containers - mkosi: add back system-packages used by build-recipe directly - pbuild: parse the Release files for debian repos - mkosi: drop most systemd/build-packages deps and use obs_scm directory as source if present - improve source copy handling - Introduce --repos-directory and --containers-directory options - productcompose: support of building against a baseiso - preinstallimage: avoid inclusion of build script generated files - preserve timestamps on sources copy-in for kiwi and productcompose - alpine package support updates - tumbleweed config update - debian: Support installation ...
CVSS: HIGH (7.3)
March 14th, 2025 (4 months ago)
|
|
CVE-2025-27610 |
Description:
Nessus Plugin ID 232719 with High Severity
Synopsis
The remote openSUSE host is missing one or more security updates.
Description
The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:0858-1 advisory. - CVE-2025-27610: Fixed improper sanitization of user-supplied paths when serving files leading to local file inclusion (bsc#1239298). - CVE-2025-25184: Fixed Rack::CommonLogger log entry manipulation (bsc#1237141).Tenable has extracted the preceding description block directly from the SUSE security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected ruby2.5-rubygem-rack-1_6, ruby2.5-rubygem-rack-doc-1_6 and / or ruby2.5-rubygem-rack-testsuite-1_6 packages.
Read more at https://www.tenable.com/plugins/nessus/232719
CVSS: HIGH (7.5) EPSS Score: 0.07%
March 14th, 2025 (4 months ago)
|
|
CVE-2024-13321 |
Description: The AnalyticsWP plugin for WordPress is vulnerable to SQL Injection via the 'custom_sql' parameter in all versions up to, and including, 2.0.0 due to insufficient authorization checks on the handle_get_stats() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS: HIGH (7.5) EPSS Score: 0.06%
March 14th, 2025 (4 months ago)
|
|
CVE-2025-2221 |
Description: The WPCOM Member plugin for WordPress is vulnerable to time-based SQL Injection via the ‘user_phone’ parameter in all versions up to, and including, 1.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS: HIGH (7.5) EPSS Score: 0.1%
March 14th, 2025 (4 months ago)
|
|
CVE-2025-2103 |
Description: The SoundRise Music plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on theironMusic_ajax() function in all versions up to, and including, 1.6.11. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVSS: HIGH (8.8) EPSS Score: 0.04%
March 14th, 2025 (4 months ago)
|
|
CVE-2025-1764 |
Description: The LoginPress | wp-login Custom Login Page Customizer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.1. This is due to missing or incorrect nonce validation on the 'custom_plugin_set_option' function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. The 'WPBRIGADE_SDK__DEV_MODE' constant must be set to 'true' to exploit the vulnerability.
CVSS: HIGH (7.5) EPSS Score: 0.02%
March 14th, 2025 (4 months ago)
|