CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-13655 |
Description: The Flex Mag - Responsive WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the propanel_of_ajax_callback() function in all versions up to, and including, 3.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
CVSS: HIGH (8.1) EPSS Score: 0.03%
March 7th, 2025 (4 months ago)
|
|
CVE-2024-13320 |
Description: The CURCY - WooCommerce Multi Currency - Currency Switcher plugin for WordPress is vulnerable to SQL Injection via the 'wc_filter_price_meta[where]' parameter in all versions up to, and including, 2.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS: HIGH (7.5) EPSS Score: 0.08%
March 7th, 2025 (4 months ago)
|
|
CVE-2025-0749 |
Description: The Homey theme for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.3. This is due to the 'verification_id' value being set to empty, and the not empty check is missing in the dashboard user profile page. This makes it possible for unauthenticated attackers to log in to the first verified user.
CVSS: HIGH (8.1) EPSS Score: 0.09%
March 7th, 2025 (4 months ago)
|
|
CVE-2025-27598 |
Description: ImageSharp is a 2D graphics API. An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially crafted gif. This can potentially lead to denial of service. The problem has been patched. All users are advised to upgrade to v3.1.7 or v2.1.10.
CVSS: HIGH (7.5) EPSS Score: 0.07%
March 6th, 2025 (4 months ago)
|
|
CVE-2025-27513 |
Description: Impact
What kind of vulnerability is it? Who is impacted?
A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. These versions are used in OpenTelemetry .NET Automatic Instrumentation 1.10.0-beta.1 and 1.10.0.
Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage.
This issue impacts any application accessible over the web or backend services that process HTTP requests containing a tracestate header.
Application may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.
Patches
Has the problem been patched? What versions should users upgrade to?
This issue has been resolved in OpenTelemetry.Api 1.11.2 by reverting the change that introduced the problematic behavior in versions 1.10.0 to 1.11.1. OpenTelemetry .NET Automatic Instrumentation fixes it in 1.11.0 release.
Fixed version
OpenTelemetry .NET Automatic Instrumentation
Status
<= 1.9.0
✅ Not affected
1.10.0-beta.1, 1.10.0
❌ Vulnerable
1.11.0 (Fixed)
✅ Safe to use
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
References
https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/security/advisories/GHSA-vc29-vg52-6643
https://github.com/open-telemetry/opentelem...
CVSS: HIGH (7.5) EPSS Score: 0.06%
March 6th, 2025 (4 months ago)
|
|
CVE-2025-2034 |
Description: A vulnerability has been found in PHPGurukul Pre-School Enrollment System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/edit-class.php?cid=1. The manipulation of the argument classname/capacity leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. In PHPGurukul Pre-School Enrollment System 1.0 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Betroffen ist eine unbekannte Verarbeitung der Datei /admin/edit-class.php?cid=1. Mittels Manipulieren des Arguments classname/capacity mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.05%
March 6th, 2025 (4 months ago)
|
|
CVE-2025-0337 |
Description: ServiceNow has addressed an authorization bypass vulnerability that was identified in the Washington release of the Now Platform. This vulnerability, if exploited, potentially could enable an authenticated user to access unauthorized data stored within the Now Platform that the user otherwise would not be entitled to access.
This issue is addressed in the listed patches and family release, which have been made available to hosted and self-hosted customers, as well as partners.
CVSS: HIGH (7.1) EPSS Score: 0.03% SSVC Exploitation: none
March 6th, 2025 (4 months ago)
|
|
CVE-2024-51476 |
Description: IBM Concert Software 1.0.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVSS: HIGH (7.5) EPSS Score: 0.05% SSVC Exploitation: none
March 6th, 2025 (4 months ago)
|
|
CVE-2024-50130 |
Description: In the Linux kernel, the following vulnerability has been resolved:
netfilter: bpf: must hold reference on net namespace
BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0
Read of size 8 at addr ffff8880106fe400 by task repro/72=
bpf_nf_link_release+0xda/0x1e0
bpf_link_free+0x139/0x2d0
bpf_link_release+0x68/0x80
__fput+0x414/0xb60
Eric says:
It seems that bpf was able to defer the __nf_unregister_net_hook()
after exit()/close() time.
Perhaps a netns reference is missing, because the netns has been
dismantled/freed already.
bpf_nf_link_attach() does :
link->net = net;
But I do not see a reference being taken on net.
Add such a reference and release it after hook unreg.
Note that I was unable to get syzbot reproducer to work, so I
do not know if this resolves this splat.
CVSS: HIGH (7.8) EPSS Score: 0.04% SSVC Exploitation: none
March 6th, 2025 (4 months ago)
|
|
CVE-2024-12742 |
Description: A deserialization of untrusted data vulnerability exists in NI G Web Development Software that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects G Web Development Software 2022 Q3 and prior versions.
CVSS: HIGH (7.8) EPSS Score: 0.05% SSVC Exploitation: none
March 6th, 2025 (4 months ago)
|