CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-13622 |
Description: The File Uploads Addon for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments uploaded by customers.
CVSS: HIGH (7.5) EPSS Score: 0.05%
February 19th, 2025 (5 months ago)
|
|
CVE-2024-13556 |
Description: The Affiliate Links: WordPress Plugin for Link Cloaking and Link Management plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.1 via deserialization of untrusted input from an file export. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
CVSS: HIGH (8.1) EPSS Score: 0.6%
February 19th, 2025 (5 months ago)
|
|
CVE-2024-13315 |
Description: The Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.11. This is due to missing or incorrect nonce validation on the save_setting() function. This makes it possible for unauthenticated attackers to update arbitrary options and achieve privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: HIGH (8.8) EPSS Score: 0.02%
February 19th, 2025 (5 months ago)
|
|
CVE-2024-12314 |
Description: The Rapid Cache plugin for WordPress is vulnerable to Cache Poisoning in all versions up to, and including, 1.2.3. This is due to plugin storing HTTP headers in the cached data. This makes it possible for unauthenticated attackers to poison the cache with custom HTTP headers that may be unsanitized which can lead to Cross-Site Scripting.
CVSS: HIGH (7.2) EPSS Score: 0.06%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-24928 |
Description: Summary
Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.
libxml2 v2.13.6 addresses:
CVE-2025-24928
described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
CVE-2024-56171
described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828
Impact
CVE-2025-24928
Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.
CVE-2024-56171
Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.
References
https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m
https://github.com/advisories/GHSA-vvfq-8hwr-qm4m
CVSS: HIGH (7.8) EPSS Score: 0.01%
February 18th, 2025 (5 months ago)
|
|
CVE-2025-0111 |
CVSS: HIGH (7.1) EPSS Score: 2.94%
February 18th, 2025 (5 months ago)
|
|
CVE-2025-0108 |
Description: CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-0108 Palo Alto PAN-OS Authentication Bypass Vulnerability
CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CVSS: HIGH (8.8) EPSS Score: 96.76%
February 18th, 2025 (5 months ago)
|
|
CVE-2025-0108 |
Description: Palo Alto PAN-OS contains an authentication bypass vulnerability in its management web interface. This vulnerability allows an unauthenticated attacker with network access to the management web interface to bypass the authentication normally required and invoke certain PHP scripts.
CVSS: HIGH (8.8) EPSS Score: 96.76%
February 18th, 2025 (5 months ago)
|
|
CVE-2024-20312 |
Description:
Nessus Plugin ID 216409 with High Severity
Synopsis
The remote device is missing a vendor-supplied security patch
Description
According to its self-reported version, Cisco IOS is affected by a vulnerability. - A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) protocol of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation when parsing an ingress IS-IS packet. An attacker could exploit this vulnerability by sending a crafted IS-IS packet to an affected device after forming an adjacency. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device and have formed an adjacency. (CVE-2024-20312)Please see the included Cisco BIDs and Cisco Security Advisory for more information.
Solution
Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwf54007
Read more at https://www.tenable.com/plugins/nessus/216409
CVSS: HIGH (7.4)
February 18th, 2025 (5 months ago)
|
|
CVE-2024-20312 |
Description:
Nessus Plugin ID 216410 with High Severity
Synopsis
The remote device is missing a vendor-supplied security patch
Description
According to its self-reported version, Cisco IOS-XE Software is affected by a vulnerability. - A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) protocol of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation when parsing an ingress IS-IS packet. An attacker could exploit this vulnerability by sending a crafted IS-IS packet to an affected device after forming an adjacency. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a denial of service (DoS) condition. Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device and have formed an adjacency. (CVE-2024-20312)Please see the included Cisco BIDs and Cisco Security Advisory for more information.
Solution
Upgrade to the relevant fixed version referenced in Cisco bug ID CSCwf54007
Read more at https://www.tenable.com/plugins/nessus/216410
CVSS: HIGH (7.4)
February 18th, 2025 (5 months ago)
|