CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-27609 |
Description: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a request that, once transmitted to a victim's Icinga Web, allows to embed arbitrary Javascript into it and to act on behalf of that user. This issue has been resolved in versions 2.11.5 and 2.12.3 of Icinga Web 2. As a workaround, those who have Icinga Web 2.12.2 may enable a content security policy in the application settings. Any modern browser with a working CORS implementation also sufficiently guards against the vulnerability.
CVSS: LOW (1.1) EPSS Score: 0.08%
March 26th, 2025 (3 months ago)
|
|
Description: Impact
This impact users of Shescape on Windows that explicitly configure shell: 'cmd.exe' or shell: true using any of quote/quoteAll/escape/escapeAll.
An attacker may be able to get read-only access to environment variables. Example:
import * as cp from "node:child_process";
import { Shescape } from "shescape";
// 1. Prerequisites
const shescape = new Shescape({
shell: "cmd.exe",
// Or
shell: true, // Only if the default shell is CMD
});
// 2. Payload
const payload = '"%PATH%';
// 3. Usage
let escapedPayload;
escapedPayload = shescape.quote(payload);
// Or
escapedPayload = shescape.quoteAll([payload]);
// Or
escapedPayload = shescape.escape(payload);
// Or
escapedPayload = shescape.escapeAll([payload]);
// And (example)
const result = cp.execSync(`echo Hello ${escapedPayload}`, options);
// 4. Impact
console.log(result.toString());
// Outputs "Hello" followed by the contents of the PATH environment variable
For Shescape prior to v2.0.0, the options object must have shell: 'cmd.exe' or shell: undefined and interpolation: true.
Patches
This bug has been patched in v2.1.2 which you can upgrade to now.
If you are already using v2 of Shescape, no further changes are required. If you are using v1 of Shescape, follow the migration guide to upgrade to v2. There is no plan to release a patch compatible with v1 of Shescape.
Workarounds
Alternatively, users can remove all instances of % from user input before using Shescape.
References
Shescape Pull Request #1916...
CVSS: LOW (2.1) EPSS Score: 0.02%
March 26th, 2025 (3 months ago)
|
|
CVE-2025-1911 |
Description: The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the admin_log_page() function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary log files on the server.
CVSS: LOW (2.7) EPSS Score: 0.04%
March 26th, 2025 (3 months ago)
|
|
CVE-2025-2596 |
Description: Session logout could be overwritten in Checkmk GmbH's Checkmk versions <2.3.0p30, <2.2.0p41, and 2.1.0p49 (EOL)
CVSS: LOW (2.3) EPSS Score: 0.04%
March 26th, 2025 (3 months ago)
|
|
CVE-2025-30222 |
Description: Shescape is a simple shell escape library for JavaScript. Versions 1.7.2 through 2.1.1 are vulnerable to potential environment variable exposure on Windows with CMD. This impact users of Shescape on Windows that explicitly configure `shell: 'cmd.exe'` or `shell: true` using any of `quote`/`quoteAll`/`escape`/`escapeAll`. An attacker may be able to get read-only access to environment variables. This bug has been patched in v2.1.2. For those who are already using v2 of Shescape, no further changes are required. Those who are are using v1 of Shescape should follow the migration guide to upgrade to v2. There is no plan to release a patch compatible with v1 of Shescape. As a workaround, users can remove all instances of `%` from user input before using Shescape.
CVSS: LOW (2.1) EPSS Score: 0.02%
March 26th, 2025 (3 months ago)
|
|
CVE-2024-21244 |
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Telemetry). Supported versions that are affected are 8.4.2 and prior and 9.0.1 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N).
CVSS: LOW (2.2) EPSS Score: 0.04% SSVC Exploitation: none
March 25th, 2025 (3 months ago)
|
|
CVE-2024-21237 |
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Group Replication GCS). Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
CVSS: LOW (2.2) EPSS Score: 0.06% SSVC Exploitation: none
March 25th, 2025 (3 months ago)
|
|
CVE-2024-21243 |
Description: Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Telemetry). Supported versions that are affected are 8.4.2 and prior and 9.0.1 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Server accessible data. CVSS 3.1 Base Score 2.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N).
CVSS: LOW (2.2) EPSS Score: 0.04% SSVC Exploitation: none
March 25th, 2025 (3 months ago)
|
|
CVE-2025-30163 |
Description: Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Node based network policies (`fromNodes` and `toNodes`) will incorrectly permit traffic to/from non-node endpoints that share the labels specified in `fromNodes` and `toNodes` sections of network policies. Node based network policy is disabled by default in Cilium. This issue affects: Cilium v1.16 between v1.16.0 and v1.16.7 inclusive and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.16.8 and v1.17.2. Users can work around this issue by ensuring that the labels used in `fromNodes` and `toNodes` fields are used exclusively by nodes and not by other endpoints.
CVSS: LOW (3.4) EPSS Score: 0.02%
March 24th, 2025 (3 months ago)
|
|
CVE-2025-30162 |
Description: Cilium is a networking, observability, and security solution with an eBPF-based dataplane. For Cilium users who use Gateway API for Ingress for some services and use LB-IPAM or BGP for LB Service implementation and use network policies to block egress traffic from workloads in a namespace to workloads in other namespaces, egress traffic from workloads covered by such network policies to LoadBalancers configured by `Gateway` resources will incorrectly be allowed. LoadBalancer resources not deployed via a Gateway API configuration are not affected by this issue. This issue affects: Cilium v1.15 between v1.15.0 and v1.15.14 inclusive, v1.16 between v1.16.0 and v1.16.7 inclusive, and v1.17 between v1.17.0 and v1.17.1 inclusive. This issue is fixed in Cilium v1.15.15, v1.16.8, and v1.17.2. A Clusterwide Cilium Network Policy can be used to work around this issue for users who are unable to upgrade.
CVSS: LOW (3.2) EPSS Score: 0.02%
March 24th, 2025 (3 months ago)
|