Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-23253 |
Description: NVIDIA NvContainer service for Windows contains a vulnerability in its usage of OpenSSL, where an attacker could exploit a hard-coded constant issue by copying a malicious DLL in a hard-coded path. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering.
CVSS: LOW (2.5) EPSS Score: 0.02% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2024-1952 |
Description: Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.
CVSS: LOW (3.1) EPSS Score: 0.19% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2025-29931 |
Description: As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 6.3
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: TeleControl Server Basic
Vulnerability: Improper Handling of Length Parameter Inconsistency
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:
TeleControl Server Basic: Versions prior to V3.1.2.2
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER HANDLING OF LENGTH PARAMETER INCONSISTENCY CWE-130
The affected product does not properly validate a length field in a serialized message, which it uses to determine the amount of memory to be allocated for deserialization. This could allow an unauthenticated remote attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a partial denial-of-service condition. Successful exploitation is only possible in redundant TeleControl Server Basic setups and only if the connection between the redundant servers has been disrupted.
CVE-2025-2...
CVSS: LOW (3.7) EPSS Score: 0.12%
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2025-3850 |
Description: A vulnerability, which was classified as problematic, has been found in YXJ2018 SpringBoot-Vue-OnlineExam 1.0. This issue affects some unknown processing of the component API. The manipulation leads to improper authentication. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Eine Schwachstelle wurde in YXJ2018 SpringBoot-Vue-OnlineExam 1.0 entdeckt. Sie wurde als problematisch eingestuft. Dies betrifft einen unbekannten Teil der Komponente API. Durch Beeinflussen mit unbekannten Daten kann eine improper authentication-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Die Komplexität eines Angriffs ist eher hoch. Die Ausnutzbarkeit gilt als schwierig. Der Exploit steht zur öffentlichen Verfügung.
CVSS: LOW (3.7) EPSS Score: 0.1% SSVC Exploitation: none
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2025-2987 |
Description: IBM Maximo Asset Management 7.6.1.3 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVSS: LOW (3.8) EPSS Score: 0.03%
April 22nd, 2025 (about 2 months ago)
|
|
CVE-2025-2517 |
Description: Reference to Expired Domain Vulnerability in OpenText™ ArcSight Enterprise Security Manager.
CVSS: LOW (2.3) EPSS Score: 0.06% SSVC Exploitation: none
April 21st, 2025 (about 2 months ago)
|
|
CVE-2025-43916 |
Description: Sonos api.sonos.com through 2025-04-21, when the /login/v3/oauth endpoint is used, accepts a redirect_uri containing userinfo in the authority component, which is not consistent with RFC 6819 section 5.2.3.5. An authorization code may be sent to an attacker-controlled destination. This might have further implications in conjunction with "Decompiling the app revealed a hardcoded secret."
CVSS: LOW (3.4) EPSS Score: 0.03%
April 21st, 2025 (about 2 months ago)
|
|
CVE-2025-3840 |
Description: An improper neutralization of input vulnerability was identified in the End of Life (EOL) OVA based connect installer component which is deployed for installation purposes in a customer network. This EOL component was deprecated in September 2023 with end of support extended till January 2024. An actor can manipulate the action parameter of the login form to inject malicious scripts which would lead to a XSS attack under certain conditions.
CVSS: LOW (2.1) EPSS Score: 0.03%
April 21st, 2025 (about 2 months ago)
|
|
CVE-2024-51744 |
Description:
Nessus Plugin ID 234644 with Low Severity
Synopsis
The remote openSUSE host is missing a security update.
Description
The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2025:0131-1 advisory. - Update to version 1.12.1: * core: Increase CNAME lookup limit from 7 to 10 (#7153) * plugin/kubernetes: Fix handling of pods having DeletionTimestamp set * plugin/kubernetes: Revert 'only create PTR records for endpoints with hostname defined' * plugin/forward: added option failfast_all_unhealthy_upstreams to return servfail if all upstreams are down * bump dependencies, fixing boo#1239294 and boo#1239728 - Update to version 1.12.0: * New multisocket plugin - allows CoreDNS to listen on multiple sockets * bump deps - Update to version 1.11.4: * forward plugin: new option next, to try alternate upstreams when receiving specified response codes upstreams on (functions like the external plugin alternate) * dnssec plugin: new option to load keys from AWS Secrets Manager * rewrite plugin: new option to revert EDNS0 option rewrites in responses - Update to version 1.11.3+git129.387f34d: * fix CVE-2024-51744 (bsc#1232991) build(deps): bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#6955) * core: set cache-control max-age as integer, not float (#6764) * Issue-6671: Fix...
CVSS: LOW (3.1)
April 21st, 2025 (about 2 months ago)
|
|
CVE-2025-43967 |
Description: libheif before 1.19.6 has a NULL pointer dereference in ImageItem_Grid::get_decoder in image-items/grid.cc because a grid image can reference a nonexistent image item.
CVSS: LOW (2.9) EPSS Score: 0.03%
April 21st, 2025 (about 2 months ago)
|