Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-1215
SourceCodester CRUD without Page Reload fetch_data.php cross site scripting
Description: A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file fetch_data.php. The manipulation of the argument username/city leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252782 is the identifier assigned to this vulnerability. Eine problematische Schwachstelle wurde in SourceCodester CRUD without Page Reload 1.0 ausgemacht. Dies betrifft einen unbekannten Teil der Datei fetch_data.php. Mit der Manipulation des Arguments username/city mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.

CVSS: LOW (3.5)

EPSS Score: 0.13%

SSVC Exploitation: poc

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2024-1187
Munsoft Easy Outlook Express Recovery Registration Key denial of service
Description: A vulnerability, which was classified as problematic, has been found in Munsoft Easy Outlook Express Recovery 2.0. This issue affects some unknown processing of the component Registration Key Handler. The manipulation leads to denial of service. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier VDB-252677 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. Eine Schwachstelle wurde in Munsoft Easy Outlook Express Recovery 2.0 entdeckt. Sie wurde als problematisch eingestuft. Dies betrifft einen unbekannten Teil der Komponente Registration Key Handler. Durch das Manipulieren mit unbekannten Daten kann eine denial of service-Schwachstelle ausgenutzt werden. Umgesetzt werden muss der Angriff lokal. Der Exploit steht zur öffentlichen Verfügung.

CVSS: LOW (3.3)

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2025-47774
Vyper's `slice()` may elide side-effects when output length is 0
Description: Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, the `slice()` builtin can elide side effects when the output length is 0, and the source bytestring is a builtin (`msg.data` or `.code`). The reason is that for these source locations, the check that `length >= 1` is skipped. The result is that a 0-length bytestring constructed with slice can be passed to `make_byte_array_copier`, which elides evaluation of its source argument when the max length is 0. The impact is that side effects in the `start` argument may be elided when the `length` argument is 0, e.g. `slice(msg.data, self.do_side_effect(), 0)`. The fix in pull request 4645 disallows any invocation of `slice()` with length 0, including for the ad hoc locations discussed in this advisory. The fix is expected to be part of version 0.4.2.

CVSS: LOW (2.9)

EPSS Score: 0.06%

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2025-47285
Vyper's `concat()` builtin may elide side-effects for zero-length arguments
Description: Vyper is the Pythonic Programming Language for the Ethereum Virtual Machine. In versions up to and including 0.4.2rc1, `concat()` may skip evaluation of side effects when the length of an argument is zero. This is due to a fastpath in the implementation which skips evaluation of argument expressions when their length is zero. In practice, it would be very unusual in user code to construct zero-length bytestrings using an expression with side-effects, since zero-length bytestrings are typically constructed with the empty literal `b""`; the only way to construct an empty bytestring which has side effects would be with the ternary operator introduced in v0.3.8, e.g. `b"" if self.do_some_side_effect() else b""`. The fix is available in pull request 4644 and expected to be part of the 0.4.2 release. As a workaround, don't have side effects in expressions which construct zero-length bytestrings.

CVSS: LOW (2.9)

EPSS Score: 0.05%

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2025-47279
undici Denial of Service attack via bad certificate data
Description: Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaound, avoid calling a webhook repeatedly if the webhook fails.

CVSS: LOW (3.1)

EPSS Score: 0.03%

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2025-2570
System Admin Cannot Access Environment settings in System Console While System Manager Can
Description: Mattermost versions 10.5.x <= 10.5.3, 9.11.x <= 9.11.11 fail to check `RestrictSystemAdmin` setting if user doesn't have access to `ExperimentalSettings` which allows a System Manager to access `ExperimentSettings` when `RestrictSystemAdmin` is true via System Console.

CVSS: LOW (2.7)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
May 15th, 2025 (23 days ago)

CVE-2024-32122
Siemens RUGGEDCOM APE1808 Devices
Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: RUGGEDCOM APE1808 Devices Vulnerabilities: Insufficiently Protected Credentials, Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to retrieve LDAP credentials via modifying the LDAP server IP address in the FortiOS configuration to point to a malicious attacker-controlled server or cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports that the following products are affected: RUGGEDCOM APE1808: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522 An insufficiently protected credentials vulnerability in FortiOS may allow a privileged authenticated attacker to retrieve LDAP credentials via modifying the LDAP server IP address in the FortiOS configuration to point to a malicious attacker-controlled server. CVE-2024-32122 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N). A CVSS v4 score h...

CVSS: LOW (2.1)

Source: All CISA Advisories
May 15th, 2025 (23 days ago)

CVE-2025-40571
Siemens Mendix OIDC SSO
Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS v4 2.1 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: Mendix OIDC SSO Vulnerability: Incorrect Privilege Assignment 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to modify the system and gain administrator read/write privileges. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Siemens reports the following products are affected: Siemens Mendix OIDC SSO (Mendix 9 compatible): All versions Siemens Mendix OIDC SSO (Mendix 10 compatible): All versions before V4.0.0 3.2 VULNERABILITY OVERVIEW 3.2.1 INCORRECT PRIVILEGE ASSIGNMENT CWE-266 The Mendix OIDC SSO module grants read and write access to all tokens exclusively to the Administrator role, which could result in privilege misuse by an adversary modifying the module during Mendix development. CVE-2025-40571 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N). A CVSS v4 score has also been calculated for CVE-2025-40571. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N...

CVSS: LOW (2.2)

EPSS Score: 0.03%

Source: All CISA Advisories
May 15th, 2025 (23 days ago)
[next] Next.js Race Condition to Cache Poisoning
Description: SummaryWe received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML. Learn more here CreditThank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program. References https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4 https://nvd.nist.gov/vuln/detail/CVE-2025-32421 https://vercel.com/changelog/cve-2025-32421 https://github.com/advisories/GHSA-qpjv-v59x-3qc4

CVSS: LOW (3.7)

EPSS Score: 0.03%

Source: Github Advisory Database (NPM)
May 15th, 2025 (23 days ago)

CVE-2025-4762
Insecure Direct Object Reference (IDOR) vulnerability in eSignaViewer
Description: Insecure Direct Object Reference (IDOR) vulnerability in the eSignaViewer component in eSigna product versions 1.0 to 1.5 on all platforms allow an unauthenticated attacker to access arbitrary files in the document system via manipulation of file paths and object identifiers.

CVSS: LOW (2.0)

EPSS Score: 0.12%

Source: CVE
May 15th, 2025 (23 days ago)