Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-34015 |
Description: Sensitive information disclosure during file browsing due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.3.818, Acronis Backup plugin for cPanel & WHM (Linux) before build 1.9.1.892.
CVSS: LOW (3.3) EPSS Score: 0.02% SSVC Exploitation: none
February 27th, 2025 (about 2 months ago)
|
|
CVE-2024-30347 |
Description: Foxit PDF Reader U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-22910.
CVSS: LOW (3.3) EPSS Score: 0.1% SSVC Exploitation: none
February 27th, 2025 (about 2 months ago)
|
|
CVE-2024-27345 |
Description: Kofax Power PDF PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Kofax Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within the handling of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-22932.
CVSS: LOW (3.3) EPSS Score: 0.07% SSVC Exploitation: none
February 27th, 2025 (about 2 months ago)
|
|
CVE-2024-30252 |
Description: Livemarks is a browser extension that provides RSS feed bookmark folders. Versions of Livemarks prior to 3.7 are vulnerable to cross-site request forgery. A malicious website may be able to coerce the extension to send an authenticated GET request to an arbitrary URL. An authenticated request is a request where the cookies of the browser are sent along with the request. The `subscribe.js` script uses the first parameter from the current URL location as the URL of the RSS feed to subscribe to and checks that the RSS feed is valid XML. `subscribe.js` is accessible by an attacker website due to its use in `subscribe.html`, an HTML page that is declared as a `web_accessible_resource` in `manifest.json`. This issue may lead to `Privilege Escalation`. A CSRF breaks the integrity of servers running on a private network. A user of the browser extension may have a private server with dangerous functionality, which is assumed to be safe due to network segmentation. Upon receiving an authenticated request instantiated from an attacker, this integrity is broken. Version 3.7 fixes this issue by removing subscribe.html from `web_accessible_resources`.
CVSS: LOW (2.6) EPSS Score: 0.12% SSVC Exploitation: poc
February 27th, 2025 (about 2 months ago)
|
|
CVE-2024-21848 |
Description: Improper Access Control in Mattermost Server versions 8.1.x before 8.1.11 allows an attacker that is in a channel with an active call to keep participating in the call even if they are removed from the channel
CVSS: LOW (3.1) EPSS Score: 0.13% SSVC Exploitation: none
February 27th, 2025 (about 2 months ago)
|
|
CVE-2025-1693 |
Description: The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions.
The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker.
This issue affects mongosh versions prior to 2.3.9.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-1693
https://jira.mongodb.org/browse/MONGOSH-2026
https://github.com/advisories/GHSA-r95j-4jvf-mrrw
CVSS: LOW (3.9) EPSS Score: 0.03%
February 27th, 2025 (about 2 months ago)
|
|
CVE-2025-0914 |
Description: An improper access control issue in the VQL shell feature in Velociraptor Versions < 0.73.4 allowed authenticated users to execute the execve() plugin in deployments where this was explicitly forbidden by configuring the prevent_execve flag in the configuration file. This setting is not usually recommended and is uncommonly used, so this issue will only affect users who do set it. This issue is fixed in release 0.73.4.
CVSS: LOW (3.8) EPSS Score: 0.03% SSVC Exploitation: none
February 27th, 2025 (about 2 months ago)
|
|
CVE-2025-0759 |
Description: IBM EntireX 11.1 could allow a local user to unintentionally modify data timestamp integrity due to improper shared resource synchronization.
CVSS: LOW (3.3) EPSS Score: 0.01%
February 27th, 2025 (about 2 months ago)
|
|
CVE-2024-56812 |
Description: IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.
CVSS: LOW (3.3) EPSS Score: 0.01%
February 27th, 2025 (about 2 months ago)
|
|
CVE-2024-56811 |
Description: IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.
CVSS: LOW (3.3) EPSS Score: 0.01%
February 27th, 2025 (about 2 months ago)
|