
Threat and Vulnerability Intelligence Database

CVE-2025-1687

Description: The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: HIGH (8.8)

EPSS Score: 0.02%

Source: CVE
February 28th, 2025 (4 months ago)

CVE-2025-1682

Description: The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user role.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
February 28th, 2025 (4 months ago)

CVE-2024-12811

Description: The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

CVSS: HIGH (8.8)

EPSS Score: 0.1%

Source: CVE
February 28th, 2025 (4 months ago)

CVE-2024-31109

Description: Cross-Site Request Forgery (CSRF) vulnerability in Toastie Studio Woocommerce Social Media Share Buttons allows Stored XSS. This issue affects Woocommerce Social Media Share Buttons: from n/a through 1.3.0.

CVSS: HIGH (7.1)

EPSS Score: 0.07%

SSVC Exploitation: none

Source: CVE
February 27th, 2025 (4 months ago)

CVE-2024-30341

Description: Foxit PDF Reader Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22709.

CVSS: HIGH (7.8)

EPSS Score: 0.22%

SSVC Exploitation: none

Source: CVE
February 27th, 2025 (4 months ago)

CVE-2024-30330

Description: Foxit PDF Reader AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects in AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22636.

CVSS: HIGH (7.8)

EPSS Score: 0.29%

SSVC Exploitation: none

Source: CVE
February 27th, 2025 (4 months ago)

CVE-2024-27335

Description: Kofax Power PDF PNG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kofax Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of PNG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22018.

CVSS: HIGH (7.8)

EPSS Score: 0.16%

SSVC Exploitation: none

Source: CVE
February 27th, 2025 (4 months ago)

CVE-2025-1756

Description: mongosh may be susceptible to local privilege escalation under certain conditions, potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\node_modules. This issue affects mongosh prior to 2.3.0.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-1756
https://access.redhat.com/errata/RHSA-2025:1756
https://jira.mongodb.org/browse/MONGOSH-2028
https://github.com/advisories/GHSA-f5w3-73h4-jpcm

CVSS: HIGH (7.5)

EPSS Score: 0.01%

Source: Github Advisory Database (NPM)
February 27th, 2025 (4 months ago)

CVE-2024-3353

Description: A vulnerability was found in SourceCodester Aplaya Beach Resort Online Reservation System 1.0 and classified as critical. This issue affects some unknown processing of the file admin/mod_reports/index.php. The manipulation of the argument categ/end leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-259457 was assigned to this vulnerability.

CVSS: HIGH (7.3)

EPSS Score: 0.21%

SSVC Exploitation: poc

Source: CVE
February 27th, 2025 (4 months ago)

CVE-2024-3347

Description: A vulnerability was found in SourceCodester Airline Ticket Reservation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file activate_jet_details_form_handler.php. The manipulation of the argument jet_id leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259451.

CVSS: HIGH (7.3)

EPSS Score: 0.3%

SSVC Exploitation: poc

Source: CVE
February 27th, 2025 (4 months ago)