CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE-2024-31277

Description: Deserialization of Untrusted Data vulnerability in PickPlugins Product Designer.This issue affects Product Designer: from n/a through 1.0.32.

CVSS: HIGH (8.7)

EPSS Score: 0.61%

SSVC Exploitation: poc

Source: CVE
February 26th, 2025 (4 months ago)

CVE-2024-27899

Description: Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability.

CVSS: HIGH (8.8)

EPSS Score: 0.23%

SSVC Exploitation: none

Source: CVE
February 26th, 2025 (4 months ago)

CVE-2024-2125

Description: The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3. This is due to missing or incorrect nonce validation on the gallery_add function. This makes it possible for unauthenticated attackers to upload malicious files via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: HIGH (8.8)

EPSS Score: 1.22%

SSVC Exploitation: none

Source: CVE
February 26th, 2025 (4 months ago)

CVE-2024-1990

Description: The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to blind SQL Injection via the ‘id’ parameter of the RM_Form shortcode in all versions up to, and including, 5.3.1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: HIGH (8.8)

EPSS Score: 1.11%

SSVC Exploitation: none

Source: CVE
February 26th, 2025 (4 months ago)

CVE-2025-20111

Description: A vulnerability in the health monitoring diagnostics of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, adjacent attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to the incorrect handling of specific Ethernet frames. An attacker could exploit this vulnerability by sending a sustained rate of crafted Ethernet frames to an affected device. A successful exploit could allow the attacker to cause the device to reload.

CVSS: HIGH (7.4)

EPSS Score: 0.04%

Source: CVE
February 26th, 2025 (4 months ago)

CVE-2024-33568

Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Deserialization of Untrusted Data vulnerability in BdThemes Element Pack Pro allows Path Traversal, Object Injection.This issue affects Element Pack Pro: from n/a before 7.19.3.

CVSS: HIGH (8.5)

EPSS Score: 0.61%

SSVC Exploitation: none

Source: CVE
February 26th, 2025 (5 months ago)

CVE-2024-47053

Description: This advisory addresses an authorization vulnerability in Mautic's HTTP Basic Authentication implementation. This flaw could allow unauthorized access to sensitive report data. * Improper Authorization: An authorization flaw exists in Mautic's API Authorization implementation. Any authenticated user, regardless of assigned roles or permissions, can access all reports and their associated data via the API. This bypasses the intended access controls governed by the "Reporting Permissions > View Own" and "Reporting Permissions > View Others" permissions, which should restrict access to non-System Reports.

CVSS: HIGH (7.7)

EPSS Score: 0.06%

Source: CVE
February 26th, 2025 (5 months ago)

CVE-2024-53270

Description: Nessus Plugin ID 216790 with High Severity Synopsis The remote Amazon Linux 2023 host is missing a security update. Description It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-850 advisory. Envoy is a cloud-native high-performance edge/middle/service proxy. In affected versions `sendOverloadError` is going to assume the active request exists when `envoy.load_shed_points.http1_server_abort_dispatch` is configured. If `active_request` is nullptr, only onMessageBeginImpl() is called. However, the `onMessageBeginImpl` will directly return ok status if the stream is already reset leading to the nullptr reference. The downstream reset can actually happen during the H/2 upstream reset. As a result envoy may crash. This issue has been addressed in releases 1.32.3, 1.31.5, 1.30.9, and 1.29.12. Users are advised to upgrade. Users unable to upgrade may disable `http1_server_abort_dispatch` load shed point and/or use a high threshold. (CVE-2024-53270)Tenable has extracted the preceding description block directly from the tested product security advisory.Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Solution Run 'dnf update ecs-service-connect-agent --releasever 2023.6.20250218' to update your system. Read more at https://www.tenable.com/plugins/nessus/216790

CVSS: HIGH (7.5)

Source: Tenable Plugins
February 26th, 2025 (5 months ago)

CVE-2024-10979

Description: Nessus Plugin ID 216794 with High Severity Synopsis The remote Amazon Linux 2 host is missing a security update. Description The version of postgresql installed on the remote host is prior to 9.2.24-8. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2764 advisory. Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. (CVE-2024-10979)Tenable has extracted the preceding description block directly from the tested product security advisory.Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Solution Run 'yum update postgresql' to update your system. Read more at https://www.tenable.com/plugins/nessus/216794

CVSS: HIGH (8.8)

Source: Tenable Plugins
February 26th, 2025 (5 months ago)

CVE-2025-21172

Description: Nessus Plugin ID 216799 with High Severity Synopsis The remote Amazon Linux 2023 host is missing a security update. Description It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-844 advisory. .NET and Visual Studio Remote Code Execution Vulnerability (CVE-2025-21172) .NET Elevation of Privilege Vulnerability (CVE-2025-21173) .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability (CVE-2025-21176)Tenable has extracted the preceding description block directly from the tested product security advisory.Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution Run 'dnf update dotnet8.0 --releasever 2023.6.20250218' to update your system. Read more at https://www.tenable.com/plugins/nessus/216799

CVSS: HIGH (7.5)

Source: Tenable Plugins
February 26th, 2025 (5 months ago)