CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

CVE-2025-24928

Description: libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a stack-based buffer overflow in xmlSnprintfElements in valid.c. To exploit this, DTD validation must occur for an untrusted document or untrusted DTD. NOTE: this is similar to CVE-2017-9047.

CVSS: HIGH (7.8)

EPSS Score: 0.01%

Source: CVE
February 19th, 2025 (5 months ago)

CVE-2025-22663

Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper Paid Videochat Turnkey Site allows Path Traversal. This issue affects Paid Videochat Turnkey Site: from n/a through 7.2.12.

CVSS: HIGH (8.6)

EPSS Score: 0.07%

Source: CVE
February 19th, 2025 (5 months ago)

CVE-2025-22657

Description: Missing Authorization vulnerability in Vito Peleg Atarim allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Atarim: from n/a through 4.0.9.

CVSS: HIGH (7.5)

EPSS Score: 0.06%

Source: CVE
February 19th, 2025 (5 months ago)

CVE-2025-22656

Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Oscar Alvarez Cookie Monster allows PHP Local File Inclusion. This issue affects Cookie Monster: from n/a through 1.2.2.

CVSS: HIGH (8.1)

EPSS Score: 0.14%

Source: CVE
February 19th, 2025 (5 months ago)
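
A containment check for the path-traversal and local-file-inclusion classes named in CVE-2025-22663 and CVE-2025-22656, as an added example written in Python rather than the plugins' own PHP (neither plugin's code appears on this page). The upload root and the template allowlist are constructed; `naive_join` is the pattern that stays vulnerable, `safe_join` the one that holds, and `select_include` shows why include-style selection should not build a path from the request at all.

```python
import os
from typing import Optional

# Constructed example web root; the paths need not exist, containment is
# decided on the normalised path.
UPLOAD_ROOT = "/var/www/uploads"

def naive_join(base_dir: str, user_path: str) -> str:
    """The traversal-prone pattern: concatenate and normalise, trusting that
    normalisation takes care of '..'.  It does not; '../' still walks out."""
    return os.path.normpath(os.path.join(base_dir, user_path))

def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Resolve user_path underneath base_dir.

    Returns the absolute path when it stays inside base_dir, None otherwise.
    Handles '..' segments, absolute paths, embedded NUL bytes and symlinks
    (realpath follows them, so a link pointing outside base is rejected too).
    """
    if "\x00" in user_path:
        return None                      # NUL truncates paths in C runtimes
    base = os.path.realpath(base_dir)
    # Strip leading separators so an absolute user path cannot replace base.
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:                   # mixed absolute/relative or drives
        inside = False
    return candidate if inside else None

# For include/require-style selection (the LFI class) map the request
# parameter onto a fixed allowlist instead of normalising a path.
TEMPLATES = {"home": "home.php", "contact": "contact.php"}   # constructed

def select_include(name: str) -> Optional[str]:
    """Return the allowlisted template for name, or None for anything else."""
    return TEMPLATES.get(name)

if __name__ == "__main__":
    print(naive_join(UPLOAD_ROOT, "../../etc/passwd"))   # escapes the root
    print(safe_join(UPLOAD_ROOT, "../../etc/passwd"))    # None
    print(select_include("../../etc/passwd"))            # None
```

`safe_join` is for serving files that legitimately live under a directory; for anything the request turns into executable code, only the allowlist approach is appropriate.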

CVE-2025-22639

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NotFound Distance Rate Shipping for WooCommerce allows Blind SQL Injection. This issue affects Distance Rate Shipping for WooCommerce: from n/a through 1.3.4.

CVSS: HIGH (8.5)

EPSS Score: 0.04%

Source: CVE
February 19th, 2025 (5 months ago)

CVE-2025-20075

Description: Server-side request forgery (SSRF) vulnerability exists in FileMegane versions above 3.0.0.0 prior to 3.4.0.0. Executing arbitrary backend Web API requests could potentially lead to rebooting the services.

CVSS: HIGH (7.2)

EPSS Score: 0.05%

Source: CVE
February 19th, 2025 (5 months ago)
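
Version triage against the ranges quoted in the entries above, as an added example that is not part of the original listing: the libxml2 ranges of CVE-2025-24928 (two disjoint intervals, so a plain "less than" test gets 2.13.0 wrong), the "n/a through 7.2.12" range of CVE-2025-22663, and the "above 3.0.0.0 prior to 3.4.0.0" range of CVE-2025-20075. The intervals are transcribed from the descriptions; how each phrase is read is stated in the comments, and the same table extends to the other "through" ranges on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

def parse_version(s: str) -> Tuple[int, ...]:
    """'2.13.6', '3.0.0.0' or '7.2.12' -> tuple of ints.  A suffix such as
    '-rc1' or '-1' is cut off; a string with no leading number is an error."""
    m = re.match(r"\d+(?:\.\d+)*", s.strip())
    if not m:
        raise ValueError(f"not a version: {s!r}")
    return tuple(int(p) for p in m.group(0).split("."))

def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so '3.4' and '3.4.0.0' compare equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))

@dataclass(frozen=True)
class Range:
    lo: Optional[str] = None        # None: no lower bound ("n/a")
    lo_inclusive: bool = True
    hi: Optional[str] = None        # None: no upper bound
    hi_inclusive: bool = False

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.lo is not None:
            v2, lo = _pad(v, parse_version(self.lo))
            if v2 < lo or (v2 == lo and not self.lo_inclusive):
                return False
        if self.hi is not None:
            v2, hi = _pad(v, parse_version(self.hi))
            if v2 > hi or (v2 == hi and not self.hi_inclusive):
                return False
        return True

# Ranges transcribed from the descriptions above.  "before X" is read as
# [.., X), "2.13.x before 2.13.6" as [2.13.0, 2.13.6), "n/a through X" as
# (.., X], and "above A prior to B" as (A, B).
AFFECTED = {
    "CVE-2025-24928": [Range(hi="2.12.10"), Range(lo="2.13.0", hi="2.13.6")],
    "CVE-2025-22663": [Range(hi="7.2.12", hi_inclusive=True)],
    "CVE-2025-20075": [Range(lo="3.0.0.0", lo_inclusive=False, hi="3.4.0.0")],
}

def is_affected(cve: str, installed: str) -> bool:
    """True when installed falls in any listed range for cve.  A version in
    no listed range (libxml2 2.14.0, say) is reported as not affected by the
    text above; that is not the same as a statement that it is fixed."""
    return any(r.contains(installed) for r in AFFECTED[cve])

if __name__ == "__main__":
    for cve, ver in [("CVE-2025-24928", "2.13.0"), ("CVE-2025-24928", "2.12.10"),
                     ("CVE-2025-20075", "3.4")]:
        print(cve, ver, "affected" if is_affected(cve, ver) else "not affected")
```

For libxml2 the installed version is what `xml2-config --version` reports, or the version the application's XML binding links against, not the version of the application itself; distribution packages also backport fixes without changing the upstream version string, so a match here is a reason to check the package changelog, not a verdict.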

CVE-2025-0981

Description: A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.

CVSS: HIGH (8.4)

EPSS Score: 0.03%

Source: CVE
February 19th, 2025 (5 months ago)

CVE-2025-0817

Description: The FormCraft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.9.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

CVSS: HIGH (7.2)

EPSS Score: 0.11%

Source: CVE
February 19th, 2025 (5 months ago)
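
An upload-side scan for the SVG stored-XSS class in CVE-2025-0817, as an added example that is not drawn from the FormCraft plugin, with constructed sample files. It flags the script element, event-handler attributes and non-allowlisted hrefs an SVG can use to run script in the viewer's origin, and refuses any DTD before parsing. It is defence in depth: serving user-supplied SVGs with `Content-Disposition: attachment` or a restrictive `Content-Security-Policy`, or not accepting SVG from unauthenticated users at all, addresses the class directly, and `HttpOnly` on the session cookie blunts the cookie capture that CVE-2025-0981 above describes.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Elements that let an SVG run script or embed foreign content.  Tag names
# are compared after namespace stripping and lower-casing.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}

def _href_allowed(value: str) -> bool:
    """Allow only same-document fragments and inline raster images.  Working
    from an allowlist means spellings broken up with whitespace or newlines
    need no special handling: anything not plainly allowed is flagged."""
    v = "".join(value.split()).lower()
    return v.startswith("#") or v.startswith("data:image/")

def scan_svg(data: bytes) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for an uploaded SVG; empty means clean."""
    # Refuse any DTD before parsing: entity expansion has no place in uploads.
    if re.search(rb"<!\s*doctype", data, re.IGNORECASE):
        return [("doctype", "DTD declarations are not accepted in uploads")]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):        # comments, processing instructions
            continue
        tag = el.tag.rsplit("}", 1)[-1].lower()
        if tag in DANGEROUS_TAGS:
            findings.append(("element", tag))
        for attr, value in el.attrib.items():
            name = attr.rsplit("}", 1)[-1].lower()   # drop the xlink: namespace
            if name.startswith("on"):
                findings.append(("event-handler", f"{name}={value}"))
            elif name == "href" and not _href_allowed(value):
                findings.append(("href", value))
    return findings

def is_safe_svg(data: bytes) -> bool:
    return not scan_svg(data)

# Constructed samples, not taken from any plugin or advisory.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.domain)</script>
  <a xlink:href="JavaScript:alert(1)"><text x="10" y="20">click</text></a>
  <rect width="10" height="10" onload="alert(1)"/>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <defs><circle id="dot" r="2"/></defs>
  <use href="#dot" x="5" y="5"/>
</svg>"""

if __name__ == "__main__":
    print(scan_svg(MALICIOUS_SVG))
    print(is_safe_svg(BENIGN_SVG))
```

The allowlist on `href` is deliberately strict: it rejects external and `data:text/html` references along with `javascript:`, which is the right default for files anonymous users upload.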

CVE-2025-0521

Description: The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: HIGH (7.2)

EPSS Score: 0.08%

Source: CVE
February 19th, 2025 (5 months ago)

CVE-2025-0425

Description: Via the GUI of the "bestinformed Infoclient", a low-privileged user is by default able to change the server address of the "bestinformed Server" to which this client connects. This is dangerous as the "bestinformed Infoclient" runs with elevated permissions ("nt authority\system"). By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the "bestinformed Web" server. Those features include:

* Pushing of malicious update packages
* Arbitrary Registry Read as "nt authority\system"

An attacker is able to escalate his privileges to "nt authority\system" on the Windows client running the "bestinformed Infoclient". This attack is not possible if a custom configuration ("Infoclient.ini") containing the flags "ShowOnTaskbar=false" or "DisabledItems=stPort,stAddress" is deployed.

CVSS: HIGH (8.5)

EPSS Score: 0.01%

Source: CVE
February 19th, 2025 (5 months ago)
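
A deployment check for the mitigation the CVE-2025-0425 entry names, as an added example that is not the vendor's code: it reads an Infoclient.ini and reports whether either flag is present. The file's section layout is not given above, so the parser ignores section headers rather than assuming one, and the sample configs are constructed. The advisory states the second flag as "DisabledItems=stPort,stAddress"; whether a subset of the list would suffice is not stated, so the check requires both items.

```python
from typing import Dict

def ini_values(text: str) -> Dict[str, str]:
    """Collect key=value pairs from an INI-style file, keys lower-cased.
    Section headers are skipped, not interpreted: the advisory quotes the two
    flags but not the section they live in, so none is assumed.  A repeated
    key takes its last value."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip().lower()] = value.strip()
    return values

def infoclient_mitigated(ini_text: str) -> bool:
    """True when the config carries either mitigation from the advisory:
    ShowOnTaskbar=false, or a DisabledItems list covering both stPort and
    stAddress (case-insensitive, whitespace around items tolerated)."""
    values = ini_values(ini_text)
    hidden = values.get("showontaskbar", "").lower() == "false"
    disabled = {item.strip().lower()
                for item in values.get("disableditems", "").split(",")
                if item.strip()}
    return hidden or {"stport", "staddress"} <= disabled

# Constructed samples; the real file's layout may differ.
DEFAULT_LIKE_INI = "; no mitigation flag present\nShowOnTaskbar=true\n"
HARDENED_INI = "[Infoclient]\nShowOnTaskbar=true\nDisabledItems=stAddress, stPort\n"

if __name__ == "__main__":
    for name, text in [("default-like", DEFAULT_LIKE_INI), ("hardened", HARDENED_INI)]:
        print(name, "mitigated" if infoclient_mitigated(text) else "NOT mitigated")
```

Run it against the Infoclient.ini actually deployed to clients (for example collected by the endpoint management tool that pushes it), since a hardened template that never reached the endpoint gives no protection.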