CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-25071 |
Description: Cross-Site Request Forgery (CSRF) vulnerability in topplugins Vignette Ads allows Stored XSS. This issue affects Vignette Ads: from n/a through 0.2.
CVSS: HIGH (7.1) EPSS Score: 0.04%
February 8th, 2025 (5 months ago)
|
|
CVE-2025-24366 |
Description: SFTPGo is an open source, event-driven file transfer solution. SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`. It is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. This issue was fixed in version v2.6.5 by checking the client provided arguments. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: HIGH (7.5) EPSS Score: 0.04%
February 8th, 2025 (5 months ago)
|
|
CVE-2025-24028 |
Description: Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. This vulnerability is caused by differences between how Joplin's HTML sanitizer handles comments and how the browser handles comments. This affects both the Rich Text Editor and the Markdown viewer. However, unlike the Rich Text Editor, the Markdown viewer is `cross-origin isolated`, which prevents JavaScript from directly accessing functions/variables in the toplevel Joplin `window`. This issue is not present in Joplin 3.1.24 and may have been introduced in `9b50539`. This is an XSS vulnerability that impacts users that open untrusted notes in the Rich Text Editor. This vulnerability has been addressed in version 3.2.12 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: HIGH (7.8) EPSS Score: 0.05%
February 8th, 2025 (5 months ago)
|
|
CVE-2025-22880 |
Description: Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. If a target visits a malicious page or opens a malicious file an attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS: HIGH (7.8) EPSS Score: 0.04%
February 8th, 2025 (5 months ago)
|
|
CVE-2025-1108 |
Description: Insufficient data authenticity verification vulnerability in Janto, versions prior to r12. This allows an unauthenticated attacker to modify the content of emails sent to reset the password. To exploit the vulnerability, the attacker must create a POST request by injecting malicious content into the ‘Xml’ parameter on the ‘/public/cgi/Gateway.php’ endpoint.
CVSS: HIGH (8.6) EPSS Score: 0.04%
February 8th, 2025 (5 months ago)
|
|
CVE-2025-1103 |
Description: A vulnerability, which was classified as problematic, was found in D-Link DIR-823X 240126/240802. This affects the function set_wifi_blacklists of the file /goform/set_wifi_blacklists of the component HTTP POST Request Handler. The manipulation of the argument macList leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine problematische Schwachstelle in D-Link DIR-823X 240126/240802 gefunden. Dabei betrifft es die Funktion set_wifi_blacklists der Datei /goform/set_wifi_blacklists der Komponente HTTP POST Request Handler. Dank Manipulation des Arguments macList mit unbekannten Daten kann eine null pointer dereference-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.1) EPSS Score: 0.05%
February 8th, 2025 (5 months ago)
|
|
CVE-2025-0304 |
Description: in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through use after free.
CVSS: HIGH (8.8) EPSS Score: 0.04%
February 8th, 2025 (5 months ago)
|
|
CVE-2025-0303 |
Description: in OpenHarmony v4.1.2 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through buffer overflow.
CVSS: HIGH (8.8) EPSS Score: 0.04%
February 8th, 2025 (5 months ago)
|
|
CVE-2024-9664 |
Description: The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS: HIGH (7.2) EPSS Score: 0.05%
February 8th, 2025 (5 months ago)
|
|
CVE-2024-7419 |
Description: The WP ALL Export Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.9.1 via the custom export fields. This is due to the missing input validation and sanitization of user-supplied data. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into form fields that get executed on the server during the export, potentially leading to a complete site compromise.
As a prerequisite, the custom export field should include fields containing user-supplied data.
CVSS: HIGH (8.3) EPSS Score: 0.08%
February 8th, 2025 (5 months ago)
|