CyberAlerts

CVE-2024-47784

Description: Unverified Password Change for ANC software that allows an authenticated attacker to bypass the old Password check in the password change form via a web HMI This issue affects ANC software version 1.1.4 and earlier.

CVSS: LOW (2.1)

EPSS Score: 0.03%

Source: CVE

April 30th, 2025 (about 1 month ago)

CVE-2025-32972

The lesscss script service allows cache clearing without programming right

Description: XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1.

CVSS: LOW (2.7)

EPSS Score: 0.07%

Source: CVE

April 30th, 2025 (about 1 month ago)

CVE-2025-32971

XWiki Solr script service doesn't take dropped programming right into account

Description: XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's scripting API normally requires programming rights to be called. Due to using the wrong API for checking rights, it doesn't take the fact into account that programming rights might have been dropped by calling `$xcontext.dropPermissions()`. If some code relies on this for the safety of executing Velocity code with the wrong author context, this could allow a user with script rights to either cause a high load by indexing documents or to temporarily remove documents from the search index. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0-rc-1.

CVSS: LOW (3.8)

EPSS Score: 0.06%

Source: CVE

April 30th, 2025 (about 1 month ago)

CVE-2025-46350

Yeswiki Vulnerable to Authenticated Reflected Cross-site Scripting

Description: YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.

CVSS: LOW (3.5)

EPSS Score: 0.03%

Source: CVE

April 29th, 2025 (about 1 month ago)

CVE-2025-46672

NASA CryptoLib before 1.3.2 does not check the OTAR crypto function returned status, potentially leading to spacecraft hijacking.

Description: NASA CryptoLib before 1.3.2 does not check the OTAR crypto function returned status, potentially leading to spacecraft hijacking.

CVSS: LOW (3.5)

EPSS Score: 0.03%

SSVC Exploitation: poc

Source: CVE

April 29th, 2025 (about 1 month ago)

CVE-2025-3301

DPA Countermeasures Unavailable for Certain Cryptographic Operations on Series 2 Devices

Description: DPA countermeasures are unavailable for ECDH key agreement and EdDSA signing operations on Curve25519 and Curve448 on all Series 2 modules and SoCs due to a lack of hardware and software support. A successful DPA attack may result in exposure of confidential information. The best practice is to use the impacted crypto curves and operations with ephemeral keys to reduce the number of DPA traces that can be collected.

CVSS: LOW (1.0)

EPSS Score: 0.02%

Source: CVE

April 29th, 2025 (about 1 month ago)

Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Executive Summary Google Threat Intelligence Group (GTIG) tracked 75...

🚨 Marked as known exploited on April 29th, 2025 (about 1 month ago).

Description: Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Executive Summary Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection. We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day expl...

CVSS: LOW (0.0)

Source: Google Threat Intelligence

April 29th, 2025 (about 1 month ago)

CVE-2024-12273

Calculated Fields Form < 5.2.62 - Admin+ Stored XSS

Description: The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS: LOW (3.5)

EPSS Score: 0.03%

Source: CVE

April 29th, 2025 (about 1 month ago)

CVE-2025-46330

Snowflake Connector for C/C++ retries malformed requests

Description: libsnowflakeclient is the Snowflake Connector for C/C++. Versions starting from 0.5.0 to before 2.2.0, incorrectly treat malformed requests that caused the HTTP response status code 400, as able to be retried. This could hang the application until SF_CON_MAX_RETRY requests were sent. This issue has been patched in version 2.2.0.

CVSS: LOW (3.3)

EPSS Score: 0.02%

Source: CVE

April 29th, 2025 (about 1 month ago)

CVE-2025-46329

Snowflake Connector for C/C++ inserts client-side encryption key in DEBUG logs

Description: libsnowflakeclient is the Snowflake Connector for C/C++. Versions starting from 0.5.0 to before 2.2.0, are vulnerable to local logging of sensitive information. When the logging level was set to DEBUG, the Connector would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. This issue has been patched in version 2.2.0.

CVSS: LOW (3.3)

EPSS Score: 0.01%

Source: CVE

April 29th, 2025 (about 1 month ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-47784	Unverified Password Change Description: Unverified Password Change for ANC software that allows an authenticated attacker to bypass the old Password check in the password change form via a web HMI This issue affects ANC software version 1.1.4 and earlier. CVSS: LOW (2.1) EPSS Score: 0.03% Source: CVE April 30th, 2025 (about 1 month ago)
CVE-2025-32972	The lesscss script service allows cache clearing without programming right Description: XWiki is a generic wiki platform. In versions starting from 6.1-milestone-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the script API of the LESS compiler in XWiki is incorrectly checking for rights when calling the cache cleaning API, making it possible to clean the cache without having programming right. The only impact of this is a slowdown in XWiki execution as the caches are re-filled. As this vulnerability requires script right to exploit, and script right already allows unlimited execution of scripts, the additional impact due to this vulnerability is low. This issue has been patched in versions 15.10.12, 16.4.3, and 16.8.0-rc-1. CVSS: LOW (2.7) EPSS Score: 0.07% Source: CVE April 30th, 2025 (about 1 month ago)
CVE-2025-32971	XWiki Solr script service doesn't take dropped programming right into account Description: XWiki is a generic wiki platform. In versions starting from 4.5.1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0-rc-1, the Solr script service doesn't take dropped programming rights into account. The Solr script service that is accessible in XWiki's scripting API normally requires programming rights to be called. Due to using the wrong API for checking rights, it doesn't take the fact into account that programming rights might have been dropped by calling `$xcontext.dropPermissions()`. If some code relies on this for the safety of executing Velocity code with the wrong author context, this could allow a user with script rights to either cause a high load by indexing documents or to temporarily remove documents from the search index. This issue has been patched in versions 15.10.13, 16.4.4, and 16.8.0-rc-1. CVSS: LOW (3.8) EPSS Score: 0.06% Source: CVE April 30th, 2025 (about 1 month ago)
CVE-2025-46350	Yeswiki Vulnerable to Authenticated Reflected Cross-site Scripting Description: YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4. CVSS: LOW (3.5) EPSS Score: 0.03% Source: CVE April 29th, 2025 (about 1 month ago)
CVE-2025-46672	NASA CryptoLib before 1.3.2 does not check the OTAR crypto function returned status, potentially leading to spacecraft hijacking. Description: NASA CryptoLib before 1.3.2 does not check the OTAR crypto function returned status, potentially leading to spacecraft hijacking. CVSS: LOW (3.5) EPSS Score: 0.03% SSVC Exploitation: poc Source: CVE April 29th, 2025 (about 1 month ago)
CVE-2025-3301	DPA Countermeasures Unavailable for Certain Cryptographic Operations on Series 2 Devices Description: DPA countermeasures are unavailable for ECDH key agreement and EdDSA signing operations on Curve25519 and Curve448 on all Series 2 modules and SoCs due to a lack of hardware and software support. A successful DPA attack may result in exposure of confidential information. The best practice is to use the impacted crypto curves and operations with ephemeral keys to reduce the number of DPA traces that can be collected. CVSS: LOW (1.0) EPSS Score: 0.02% Source: CVE April 29th, 2025 (about 1 month ago)
	Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Executive Summary Google Threat Intelligence Group (GTIG) tracked 75... 🚨 Marked as known exploited on April 29th, 2025 (about 1 month ago). Description: Written by: Casey Charrier, James Sadowski, Clement Lecigne, Vlad Stolyarov Executive Summary Google Threat Intelligence Group (GTIG) tracked 75 zero-day vulnerabilities exploited in the wild in 2024, a decrease from the number we identified in 2023 (98 vulnerabilities), but still an increase from 2022 (63 vulnerabilities). We divided the reviewed vulnerabilities into two main categories: end-user platforms and products (e.g., mobile devices, operating systems, and browsers) and enterprise-focused technologies, such as security software and appliances. Vendors continue to drive improvements that make some zero-day exploitation harder, demonstrated by both dwindling numbers across multiple categories and reduced observed attacks against previously popular targets. At the same time, commercial surveillance vendors (CSVs) appear to be increasing their operational security practices, potentially leading to decreased attribution and detection. We see zero-day exploitation targeting a greater number and wider variety of enterprise-specific technologies, although these technologies still remain a smaller proportion of overall exploitation when compared to end-user technologies. While the historic focus on the exploitation of popular end-user technologies and their users continues, the shift toward increased targeting of enterprise-focused products will require a wider and more diverse set of vendors to increase proactive security measures in order to reduce future zero-day expl... CVSS: LOW (0.0) Source: Google Threat Intelligence April 29th, 2025 (about 1 month ago)
CVE-2024-12273	Calculated Fields Form < 5.2.62 - Admin+ Stored XSS Description: The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: LOW (3.5) EPSS Score: 0.03% Source: CVE April 29th, 2025 (about 1 month ago)
CVE-2025-46330	Snowflake Connector for C/C++ retries malformed requests Description: libsnowflakeclient is the Snowflake Connector for C/C++. Versions starting from 0.5.0 to before 2.2.0, incorrectly treat malformed requests that caused the HTTP response status code 400, as able to be retried. This could hang the application until SF_CON_MAX_RETRY requests were sent. This issue has been patched in version 2.2.0. CVSS: LOW (3.3) EPSS Score: 0.02% Source: CVE April 29th, 2025 (about 1 month ago)
CVE-2025-46329	Snowflake Connector for C/C++ inserts client-side encryption key in DEBUG logs Description: libsnowflakeclient is the Snowflake Connector for C/C++. Versions starting from 0.5.0 to before 2.2.0, are vulnerable to local logging of sensitive information. When the logging level was set to DEBUG, the Connector would log locally the client-side encryption master key of the target stage during the execution of GET/PUT commands. This key by itself does not grant access to any sensitive data without additional access authorizations, and is not logged server-side by Snowflake. This issue has been patched in version 2.2.0. CVSS: LOW (3.3) EPSS Score: 0.01% Source: CVE April 29th, 2025 (about 1 month ago)