
Threat and Vulnerability Intelligence Database


CVE-2025-21355

Description: CVE-2025-21355: Microsoft Bing Remote Code Execution Vulnerability

CVSS: HIGH (8.6)

EPSS Score: 1.08%

Source: DarkWebInformer
February 19th, 2025 (5 months ago)

CVE-2025-0108

Description: Palo Alto Networks warns that hackers are actively exploiting a critical authentication bypass flaw (CVE-2025-0108) in PAN-OS firewalls, chaining it with two other vulnerabilities to breach devices in active attacks. [...]

CVSS: HIGH (8.8)

EPSS Score: 96.76%

Source: BleepingComputer
February 19th, 2025 (5 months ago)

CVE-2025-0994

Description: Learn about CVE-2025-0994 affecting Trimble Cityworks products. Patch now to prevent remote code execution.

CVSS: HIGH (8.6)

EPSS Score: 1.32%

Source: RecordedFuture
February 19th, 2025 (5 months ago)

CVE-2024-49860

Description: Nessus Plugin ID 216437 with High Severity. Synopsis: The remote Amazon Linux AMI host is missing a security update. Description: The version of kernel installed on the remote host is prior to 4.14.355-195.591. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2025-1960 advisory. In the Linux kernel, the following vulnerability has been resolved: ACPI: sysfs: validate return type of _STR method (CVE-2024-49860). In the Linux kernel, the following vulnerability has been resolved: driver core: bus: Fix double free in driver API bus_register() (CVE-2024-50055). Tenable has extracted the preceding description block directly from the tested product security advisory. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Solution: Run 'yum update kernel' to update your system. Read more at https://www.tenable.com/plugins/nessus/216437

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: Tenable Plugins
February 19th, 2025 (5 months ago)

CVE-2025-0108

Description: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Palo Alto Networks PAN-OS and SonicWall SonicOS SSLVPN to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The flaws are listed below - CVE-2025-0108 (CVSS score: 7.8) - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS

CVSS: HIGH (8.8)

EPSS Score: 96.76%

Source: TheHackerNews
February 19th, 2025 (5 months ago)

CVE-2025-26604

Description: Discord-Bot-Framework-Kernel is a Discord bot framework built with interactions.py, featuring modular extension management and secure execution. Because of the nature of arbitrary user-submitted code execution, this allows a user to execute potentially malicious code to perform damage or extract sensitive information. By loading the module containing the following code and running the command, the bot token can be extracted. Then the attacker can load a blocking module to sabotage the bot (DDoS attack), and the token can be used to make the fake bot act as the real one. If the bot has very high privilege, the attacker basically has full control before the user kicks the bot. Any Discord user that hosts Discord-Bot-Framework-Kernel before commit f0d9e70841a0e3170b88c4f8d562018ccd8e8b14 is affected. Users are advised to upgrade. Users unable to upgrade may attempt to limit their Discord bot's access via configuration options.

CVSS: HIGH (8.3)

EPSS Score: 0.04%

Source: CVE
February 19th, 2025 (5 months ago)

CVE-2025-25305

Description: Home Assistant Core is an open source home automation platform that puts local control and privacy first. Affected versions are subject to potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and in third-party libraries it uses. In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correctly configured SSL context does the standard SSL certificate verification happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and third-party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS: HIGH (7.0)

EPSS Score: 0.03%

Source: CVE
February 19th, 2025 (5 months ago)

CVE-2025-25284

Description: The ZOO-Project is an open source processing platform, released under the MIT/X11 Licence. A vulnerability in ZOO-Project's WPS (Web Processing Service) implementation allows unauthorized access to files outside the intended directory through path traversal. Specifically, the Gdal_Translate service, when processing VRT (Virtual Format) files, does not properly validate file paths referenced in the VRTRasterBand element, allowing attackers to read arbitrary files on the system. The vulnerability exists because the service doesn't properly sanitize the SourceFilename parameter in VRT files, allowing relative path traversal sequences (../). When combined with VRT's raw data handling capabilities, this allows reading arbitrary files as raw binary data and converting them to TIFF format, effectively exposing their contents. This vulnerability is particularly severe because it allows attackers to read sensitive system files, potentially exposing configuration data, credentials, or other confidential information stored on the server. An unauthenticated attacker can read arbitrary files from the system through path traversal, potentially accessing sensitive information such as configuration files, credentials, or other confidential data stored on the server. The vulnerability requires no authentication and can be exploited remotely through the WPS service. This issue has been addressed in commit `5f155a8` and all users are advised to upgrade. There are no known workarounds for this vu...

CVSS: HIGH (8.7)

EPSS Score: 0.13%

Source: CVE
February 19th, 2025 (5 months ago)

CVE-2025-25222

Description: The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.

CVSS: HIGH (7.3)

EPSS Score: 0.04%

Source: CVE
February 19th, 2025 (5 months ago)

CVE-2025-25221

Description: The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in pdf.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.

CVSS: HIGH (7.3)

EPSS Score: 0.04%

Source: CVE
February 19th, 2025 (5 months ago)