CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-9664 |
Description: The WP All Import Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.7 via deserialization of untrusted input from an import file. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS: HIGH (7.2) EPSS Score: 0.05%
February 8th, 2025 (5 months ago)
|
|
CVE-2024-7419 |
Description: The WP ALL Export Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.9.1 via the custom export fields. This is due to the missing input validation and sanitization of user-supplied data. This makes it possible for unauthenticated attackers to inject arbitrary PHP code into form fields that get executed on the server during the export, potentially leading to a complete site compromise.
As a prerequisite, the custom export field should include fields containing user-supplied data.
CVSS: HIGH (8.3) EPSS Score: 0.08%
February 8th, 2025 (5 months ago)
|
|
CVE-2024-57357 |
Description: An issue in TPLINK TL-WPA 8630 TL-WPA8630(US)_V2_2.0.4 Build 20230427 allows a remote attacker to execute arbitrary code via function sub_4256CC, which allows command injection by injecting 'devpwd'.
CVSS: HIGH (8.0) EPSS Score: 0.04%
February 8th, 2025 (5 months ago)
|
|
CVE-2024-37455 |
Description: Improper Privilege Management vulnerability in Brainstorm Force Ultimate Addons for Elementor allows Privilege Escalation.This issue affects Ultimate Addons for Elementor: from n/a through 1.36.31.
CVSS: HIGH (8.8) EPSS Score: 0.05%
February 8th, 2025 (5 months ago)
|
|
CVE-2024-13352 |
Description: The Legull WordPress plugin through 1.2.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVSS: HIGH (7.1) EPSS Score: 0.04%
February 8th, 2025 (5 months ago)
|
|
CVE-2024-10383 |
Description: An issue has been discovered in the gitlab-web-ide-vscode-fork component distributed over CDN affecting all versions prior to 1.89.1-1.0.0-dev-20241118094343and used by all versions of GitLab CE/EE starting from 15.11 prior to 17.3 and which also temporarily affected versions 17.4, 17.5 and 17.6, where a XSS attack was possible when loading .ipynb files in the web IDE
CVSS: HIGH (8.7) EPSS Score: 0.04%
February 8th, 2025 (5 months ago)
|
|
CVE-2025-0994 |
Description: CISA has added one vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2025-0994 Trimble Cityworks Deserialization Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CVSS: HIGH (8.6) EPSS Score: 1.32%
February 7th, 2025 (5 months ago)
|
|
CVE-2025-0994 |
Description:
CISA is collaborating with private industry partners to respond to reports of exploitation of a vulnerability (CVE-2025-0994) discovered by Trimble impacting its Cityworks Server AMS (Asset Management System). Trimble has released security updates and an advisory addressing a recently discovered a deserialization vulnerability enabling an external actor to potentially conduct remote code execution (RCE) against a customer’s Microsoft Internet Information Services (IIS) web server.
CISA has added CVE-2025-0994 to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CISA strongly encourages users and administrators to search for indicators of compromise (IOCs) and apply the necessary updates and workarounds.
Review the following article for more information:
Trimble Advisory and IOCs for Vulnerability Affecting Cityworks Deployments
The Symantec Threat Hunter team, part of Broadcom, contributed to this guidance.
CVSS: HIGH (8.6) EPSS Score: 1.32%
February 7th, 2025 (5 months ago)
|
|
CVE-2025-0994 |
Description: Trimble Cityworks contains a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.
CVSS: HIGH (8.6) EPSS Score: 1.32%
February 7th, 2025 (5 months ago)
|
|
CVE-2025-0994 |
Description: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that a security flaw impacting Trimble Cityworks GIS-centric asset management software has come under active exploitation in the wild.
The vulnerability in question is CVE-2025-0994 (CVSS v4 score: 8.6), a deserialization of untrusted data bug that could permit an attacker to conduct remote code execution.
"This could
CVSS: HIGH (8.6) EPSS Score: 1.32%
February 7th, 2025 (5 months ago)
|