CVE-2025-29989
Description: Dell Client Platform BIOS contains a Security Version Number Mutable to Older Versions vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to BIOS upgrade denial.
CVSS: LOW (3.1) EPSS Score: 0.01%
April 10th, 2025

CVE-2025-31003
Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Bogdan Bendziukov Squeeze allows Retrieve Embedded Sensitive Data. This issue affects Squeeze: from n/a through 1.6.
CVSS: LOW (2.7) EPSS Score: 0.03%
April 9th, 2025

CVE-2025-27192
Description: Adobe Commerce versions 2.4.7-p4, 2.4.6-p9, 2.4.5-p11, 2.4.4-p12, 2.4.8-beta2 and earlier are affected by an Insufficiently Protected Credentials vulnerability that could lead to a security feature bypass. A high privileged attacker could exploit this vulnerability to gain unauthorized access to protected resources by obtaining sensitive credential information. Exploitation of this issue does not require user interaction.
CVSS: LOW (2.7) EPSS Score: 0.09%
April 8th, 2025

CVE-2025-32035
Description: DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to 9.13.2, when uploading files (e.g. when uploading assets), the file extension is checked to see if it's an allowed file type but the actual contents of the file aren't checked. This means that it's possible to e.g. upload an executable file renamed to be a .jpg. This file could then be executed by another security vulnerability. This vulnerability is fixed in 9.13.2.
CVSS: LOW (2.6) EPSS Score: 0.02% SSVC Exploitation: none
April 8th, 2025

CVE-2025-27443
Description: Insecure default variable initialization in some Zoom Workplace Apps for Windows may allow an authenticated user to cause a loss of integrity via local access.
CVSS: LOW (2.8) EPSS Score: 0.01%
April 8th, 2025

CVE-2025-32026
Description: Element Web is a Matrix web client built using the Matrix React SDK. Element Web, starting from version 1.11.16 up to version 1.11.96, can be configured to load Element Call from an external URL. Under certain conditions, the external page is able to get access to the media encryption keys used for an Element Call call. Version 1.11.97 fixes the problem.
CVSS: LOW (3.8) EPSS Score: 0.02%
April 8th, 2025

CVE-2025-22855
Description: An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Fortinet FortiClient before 7.4.1 may allow the EMS administrator to send messages containing JavaScript code.
CVSS: LOW (2.6) EPSS Score: 0.04% SSVC Exploitation: none
April 8th, 2025

CVE-2024-50565
Description: An improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in Fortinet FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15 and 6.2.0 through 6.2.16, Fortinet FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.15 and 2.0.0 through 2.0.14, Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14 and 6.2.0 through 6.2.13, Fortinet FortiVoice version 7.0.0 through 7.0.2, 6.4.0 through 6.4.8 and 6.0.0 through 6.0.12 and Fortinet FortiWeb version 7.4.0 through 7.4.2, 7.2.0 through 7.2.10, 7.0.0 through 7.0.10 allows an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server and/or, in certain conditions, FortiManager) by intercepting the FGFM authentication request between the management device and the managed device.
CVSS: LOW (3.0) EPSS Score: 0.05% SSVC Exploitation: none
April 8th, 2025

CVE-2024-32122
Description: A storage of passwords in a recoverable format vulnerability in Fortinet FortiOS versions 7.2.0 through 7.2.1 allows an attacker to disclose information by modifying the LDAP server IP to point to a malicious server.
CVSS: LOW (2.1) EPSS Score: 0.01% SSVC Exploitation: none
April 8th, 2025

CVE-2025-30166
Description: Summary
An HTML injection issue allows users with access to the email sending functionality to inject arbitrary HTML code into emails sent via the admin interface, potentially leading to session cookie theft and the alteration of page content.
Details
The vulnerability was discovered in the /admin/email/send-test-email endpoint using the POST method. The vulnerable parameter is content, which permits the injection of arbitrary HTML code during the email sending process. While JavaScript code injection is blocked through filtering, HTML code injection remains possible.
PoC
To reproduce the vulnerability, a user must fill out the email's content form with the desired HTML payload.
Impact
This HTML injection vulnerability can potentially enable phishing attacks by allowing the insertion of arbitrary HTML, such as fake login forms.
All functionality that processes user input should be carefully reviewed to ensure that data is appropriately encoded as HTML entities in server responses. For instance, a reflected input parameter like <h1> just a test </h1> <p> <img> should be displayed in the HTML response as &lt;h1&gt; just a test &lt;/h1&gt; &lt;p&gt; &lt;img&gt;.
References
https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-x82r-6j37-vrgg
https://nvd.nist.gov/vuln/detail/CVE-2025-30166
https://github.com/pimcore/admin-ui-classic-bundle/commit/76b690d4f8fcd9c9d41766bc5238c2513242e60e
https://github.com/advisories/GHSA-x82r-6j37-vrgg
CVSS: LOW (1.8) EPSS Score: 0.0%
April 8th, 2025