CVE-2024-13955 |
Description: 2nd Order SQL injection vulnerabilities in ASPECT allow unintended access and manipulation of database repositories if administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
CVSS: HIGH (8.8) EPSS Score: 0.03% SSVC Exploitation: none
May 22nd, 2025 (24 days ago)
|
CVE-2024-13952 |
Description: Predictable filename vulnerabilities in ASPECT may expose sensitive information to a potential attacker if administrator credentials become compromised. This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
CVSS: HIGH (8.4) EPSS Score: 0.04% SSVC Exploitation: none
May 22nd, 2025 (24 days ago)
|
CVE-2024-13951 |
Description: One-way hash with predictable salt vulnerabilities in ASPECT may expose sensitive information to a potential attacker. This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
CVSS: HIGH (7.6) EPSS Score: 0.02% SSVC Exploitation: none
May 22nd, 2025 (24 days ago)
|
CVE-2024-13948 |
Description: Windows permissions for ASPECT configuration toolsets are not fully secured, allowing exposure of configuration information. This issue affects ASPECT-Enterprise: through 3.*; NEXUS Series: through 3.*; MATRIX Series: through 3.*.
CVSS: HIGH (7.3) EPSS Score: 0.01% SSVC Exploitation: none
May 22nd, 2025 (24 days ago)
|
CVE-2025-4123 |
Description: A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redirect. This allows attackers to redirect users to a website that hosts a frontend plugin that will execute arbitrary JavaScript. This vulnerability does not require editor permissions and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF.
The default Content-Security-Policy (CSP) in Grafana will block the XSS through the connect-src directive.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-4123
https://grafana.com/security/security-advisories/cve-2025-4123
https://github.com/grafana/grafana/commit/c7a690348df761d41b659224cbc50a46a0c0e4cc
https://github.com/advisories/GHSA-q53q-gxq9-mgrj
CVSS: HIGH (7.6) EPSS Score: 2.43%
May 22nd, 2025 (24 days ago)
|
CVE-2025-48075 |
Description: Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue.
CVSS: HIGH (7.7) EPSS Score: 0.05%
May 22nd, 2025 (24 days ago)
|
CVE-2025-30172 |
Description: Remote Code Execution vulnerabilities are present in ASPECT if session administrator credentials become compromised.
This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
CVSS: HIGH (8.0) EPSS Score: 0.31%
May 22nd, 2025 (24 days ago)
|
CVE-2025-30171 |
Description: System File Deletion vulnerabilities in ASPECT provide attackers access to delete system files if session administrator credentials become compromised.
This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
CVSS: HIGH (7.3) EPSS Score: 0.07%
May 22nd, 2025 (24 days ago)
|
CVE-2024-9639 |
Description: Remote Code Execution vulnerabilities are present in ASPECT if session administrator credentials become compromised.
This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
CVSS: HIGH (8.0) EPSS Score: 0.31% SSVC Exploitation: none
May 22nd, 2025 (24 days ago)
|
CVE-2024-52874 |
Description: In Infoblox NETMRI before 7.6.1, authenticated users can perform SQL injection attacks.
CVSS: HIGH (8.8) EPSS Score: 0.03%
May 22nd, 2025 (24 days ago)
|