Threat and Vulnerability Intelligence Database

CVE-2024-56810

Description: IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.

CVSS: LOW (3.3)

EPSS Score: 0.01%

Source: CVE
February 27th, 2025 (about 2 months ago)

CVE-2024-56496

Description: IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.

CVSS: LOW (3.3)

EPSS Score: 0.01%

Source: CVE
February 27th, 2025 (about 2 months ago)

CVE-2024-56495

Description: IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.

CVSS: LOW (3.3)

EPSS Score: 0.01%

Source: CVE
February 27th, 2025 (about 2 months ago)

CVE-2024-56494

Description: IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.

CVSS: LOW (3.3)

EPSS Score: 0.01%

Source: CVE
February 27th, 2025 (about 2 months ago)

CVE-2024-56493

Description: IBM EntireX 11.1 could allow a local user to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.

CVSS: LOW (3.3)

EPSS Score: 0.01%

Source: CVE
February 27th, 2025 (about 2 months ago)

CVE-2025-1693

Description: The MongoDB Shell may be susceptible to control character injection where an attacker with control over the database cluster contents can inject control characters into the shell output. This may result in the display of falsified messages that appear to originate from mongosh or the underlying operating system, potentially misleading users into executing unsafe actions. The vulnerability is exploitable only when mongosh is connected to a cluster that is partially or fully controlled by an attacker. This issue affects mongosh versions prior to 2.3.9.

CVSS: LOW (3.9)

EPSS Score: 0.03%

Source: CVE
February 27th, 2025 (about 2 months ago)

CVE-2025-1215

Description: Nessus Plugin ID 216887 with Low Severity
Synopsis: The remote CBL Mariner host is missing one or more security updates.
Description: The version of vim installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-1215 advisory.
- A vulnerability classified as problematic was found in vim up to 9.1.1096. This vulnerability affects unknown code of the file src/main.c. The manipulation of the argument --log leads to memory corruption. It is possible to launch the attack on the local host. Upgrading to version 9.1.1097 is able to address this issue. The patch is identified as c5654b84480822817bb7b69ebc97c174c91185e9. It is recommended to upgrade the affected component. (CVE-2025-1215)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution: Update the affected packages.
Read more at https://www.tenable.com/plugins/nessus/216887

CVSS: LOW (2.4)

EPSS Score: 0.04%

Source: Tenable Plugins
February 27th, 2025 (about 2 months ago)

CVE-2025-27113

Description: Nessus Plugin ID 216896 with Low Severity
Synopsis: The remote CBL Mariner host is missing one or more security updates.
Description: The version of libxml2 installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-27113 advisory.
- libxml2 before 2.12.10 and 2.13.x before 2.13.6 has a NULL pointer dereference in xmlPatMatch in pattern.c. (CVE-2025-27113)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution: Update the affected packages.
Read more at https://www.tenable.com/plugins/nessus/216896

CVSS: LOW (2.9)

EPSS Score: 0.03%

Source: Tenable Plugins
February 27th, 2025 (about 2 months ago)

CVE-2025-27145

Description:
Summary: A DOM-Based XSS was discovered in copyparty, a portable fileserver. The vulnerability is considered low-risk.
Details: By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes).
Note: As a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened.
Proof of Concept (POC):
1. Create an empty file named
2. Drag-and-drop the file into the browser to initiate an upload
3. The alert(1) is executed
References:
https://github.com/9001/copyparty/security/advisories/GHSA-m2jw-cj8v-937r
https://nvd.nist.gov/vuln/detail/CVE-2025-27145
https://github.com/9001/copyparty/commit/438ea6ccb06f39d7cbb4b6ee7ad44606e21a63dd
https://github.com/9001/copyparty/releases/tag/v1.16.15
https://github.com/advisories/GHSA-m2jw-cj8v-937r

CVSS: LOW (3.6)

EPSS Score: 0.05%

Source: Github Advisory Database (PIP)
February 26th, 2025 (about 2 months ago)

CVE-2024-3414

Description: A vulnerability was found in SourceCodester Human Resource Information System 1.0 and classified as problematic. This issue affects some unknown processing of the file Superadmin_Dashboard/process/addcorporate_process.php. The manipulation of the argument corporate_name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259583.

CVSS: LOW (3.5)

EPSS Score: 0.24%

SSVC Exploitation: none

Source: CVE
February 26th, 2025 (about 2 months ago)