CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-51954 |
Description: There is an improper access control issue in ArcGIS Server versions 10.9.1 through 11.3 on Windows and Linux, which under unique circumstances, could potentially allow a remote, low privileged authenticated attacker to access secure services published a standalone (Unfederated)
ArcGIS Server instance. If successful this compromise would have a high impact on Confidentiality, low impact on integrity and no impact to availability of the software.
CVSS: HIGH (8.5) EPSS Score: 0.03%
March 3rd, 2025 (4 months ago)
|
|
CVE-2021-28861 |
Description: Summary
CodeChecker versions up to 6.24.5 contain an open redirect vulnerability due to missing protections against multiple slashes after the product name in the URL's path segment. This results in bypassing protections against CVE-2021-28861, leading to the same open redirect pathway.
Details
CodeChecker processes GET requests by first rewriting the path segment of the URL, and then passing the rewritten URL to the webserver framework.
When trimming the product name from the URL, no sanitization was performed on the remaining URL, which reintroduced the same issue as CVE-2021-28861, leading to the same open redirect pathway using URLs such as /Default//attacker.com/%2f...
Impact
The vulnerability allows an attacker to create a hyperlink that looks like a legitimate CodeChecker URL, but redirects to an attacker-supplied website when clicked.
References
https://github.com/Ericsson/codechecker/security/advisories/GHSA-g839-x3p3-g5fm
https://nvd.nist.gov/vuln/detail/CVE-2025-1300
https://github.com/advisories/GHSA-g839-x3p3-g5fm
CVSS: HIGH (7.4)
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-27501 |
Description: OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint on the admin panel can be accessed without any form of authentication. This endpoint accepts a user-supplied URL parameter to connect to an OpenZiti Controller and performs a server-side request, resulting in a potential Server-Side Request Forgery (SSRF) vulnerability. The fixed version has moved the request to the external controller from the server side to the client side, thereby eliminating the identity of the node from being used to gain any additional permissions. This vulnerability is fixed in 3.7.1.
CVSS: HIGH (8.6) EPSS Score: 0.04%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-27500 |
Description: OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint(/api/upload) on the admin panel can be accessed without any form of authentication. This endpoint accepts an HTTP POST to upload a file which is then stored on the node and is available via URL. This can lead to a stored cross site scripting attack if the file uploaded contains malicious code and is then accessed and executed within the context of the user's browser. This function is no longer necessary as the ziti-console moves from a node server application to a single page application, and has been disabled. The vulnerability is fixed in 3.7.1.
CVSS: HIGH (8.2) EPSS Score: 0.04%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-1877 |
Description: A vulnerability, which was classified as critical, was found in D-Link DAP-1562 1.10. This affects the function pure_auth_check of the component HTTP POST Request Handler. The manipulation of the argument a1 leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. Es wurde eine kritische Schwachstelle in D-Link DAP-1562 1.10 gefunden. Hiervon betroffen ist die Funktion pure_auth_check der Komponente HTTP POST Request Handler. Durch die Manipulation des Arguments a1 mit unbekannten Daten kann eine null pointer dereference-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.1) EPSS Score: 0.08%
March 3rd, 2025 (4 months ago)
|
|
CVE-2024-8573 |
Description: A vulnerability, which was classified as critical, was found in TOTOLINK AC1200 T8 and AC1200 T10 4.1.5cu.861_B20230220/4.1.8cu.5207. This affects the function setParentalRules of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument desc/week/sTime/eTime leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. Es wurde eine kritische Schwachstelle in TOTOLINK AC1200 T8 and AC1200 T10 4.1.5cu.861_B20230220/4.1.8cu.5207 gefunden. Es geht dabei um die Funktion setParentalRules der Datei /cgi-bin/cstecgi.cgi. Durch die Manipulation des Arguments desc/week/sTime/eTime mit unbekannten Daten kann eine buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (8.7) EPSS Score: 0.22% SSVC Exploitation: poc
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-1876 |
Description: A vulnerability, which was classified as critical, has been found in D-Link DAP-1562 1.10. Affected by this issue is the function http_request_parse of the component HTTP Header Handler. The manipulation of the argument Authorization leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. Eine kritische Schwachstelle wurde in D-Link DAP-1562 1.10 entdeckt. Davon betroffen ist die Funktion http_request_parse der Komponente HTTP Header Handler. Mit der Manipulation des Arguments Authorization mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.3) EPSS Score: 0.08%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-27423 |
Description: Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of (compressed or uncompressed) tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the is not sanitized and is taken literally from the tar archive. This allows to execute shell commands via special crafted tar archives. Whether this really happens, depends on the shell being used ('shell' option, which is set using $SHELL). The issue has been fixed as of Vim patch v9.1.1164
CVSS: HIGH (7.1) EPSS Score: 0.06%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-27422 |
Description: FACTION is a PenTesting Report Generation and Collaboration Framework. Authentication is bypassed when an attacker registers a new user with admin privileges. This is possible at any time without any authorization. The request must follow the validation rules (no missing information, secure password, etc) but there are no other controls stopping them. This vulnerability is fixed in 1.4.3.
CVSS: HIGH (7.5) EPSS Score: 0.09%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-27421 |
Description: Abacus is a highly scalable and stateless counting API. A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the /stream endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely. This vulnerability is fixed in 1.4.0.
CVSS: HIGH (7.5) EPSS Score: 0.06% SSVC Exploitation: poc
March 3rd, 2025 (4 months ago)
|