CVE-2025-22149 |
Description: JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).
CVSS: LOW (2.1) EPSS Score: 0.05%
January 10th, 2025 (5 months ago)
|
CVE-2024-5469 |
Description: DoS in KAS in GitLab CE/EE affecting all versions from 16.10.0 prior to 16.10.6 and 16.11.0 prior to 16.11.3 allows an attacker to crash KAS via crafted gRPC requests.
CVSS: LOW (3.1) EPSS Score: 0.04%
January 10th, 2025 (5 months ago)
|
CVE-2024-53564 |
Description: A vulnerability was discovered in FreePBX 17.0.19.17. It does not verify the type of uploaded (valid FreePBX module) files, allowing high-privilege administrators to insert unwanted files. NOTE: the Supplier's position is that there is no risk beyond what high-privilege administrators are intentionally allowed to do.
CVSS: LOW (2.2) EPSS Score: 0.04%
January 10th, 2025 (5 months ago)
|
CVE-2024-52286 |
Description: Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In affected versions the Merge functionality takes untrusted user input (the file name) and uses it directly in the creation of HTML pages, allowing any unauthenticated user to execute JavaScript code in the context of the user. The issue stems from the code starting at `Line 24` in `src/main/resources/static/js/merge.js`. The file name is inserted directly into `innerHTML` with no sanitization, allowing a malicious user to upload files with names containing HTML tags. As HTML tags can include JavaScript code, this can be used to execute JavaScript code in the context of the user. This is a self-injection style attack: it relies on a user uploading the malicious file themselves and it impacts only them, not other users. A user might be social engineered into doing this as part of a phishing attack. Nevertheless, this breaks the security restrictions the application is expected to enforce. This issue has been addressed in version 0.32.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: LOW (2.0) EPSS Score: 0.04%
January 10th, 2025 (5 months ago)
|
CVE-2024-4011 |
Description: An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a non-project member to promote key results to objectives.
CVSS: LOW (3.1) EPSS Score: 0.05%
January 10th, 2025 (5 months ago)
|
CVE-2024-37372 |
Description: The Permission Model assumes that any path starting with two backslashes (`\\`) has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.
CVSS: LOW (3.6) EPSS Score: 0.04%
January 10th, 2025 (5 months ago)
|
CVE-2024-10106 |
Description: A buffer overflow vulnerability in the packet handoff plugin allows an attacker to overwrite memory outside the plugin's buffer.
CVSS: LOW (3.7) EPSS Score: 0.04%
January 10th, 2025 (5 months ago)
|
CVE-2025-22449 |
Description: Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins who have no permission to invite users to their team to invite users anyway by updating the "allow_open_invite" field, i.e. by making their team public.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-22449
https://mattermost.com/security-updates
https://github.com/advisories/GHSA-q8fg-cp3q-5jwm
CVSS: LOW (3.8) EPSS Score: 0.04%
January 9th, 2025 (5 months ago)
|
CVE-2024-54010 |
Description: A vulnerability exists in the firewall component of HPE Aruba Networking CX 10000 Series Switches. It could allow an unauthenticated adjacent attacker to conduct a packet forwarding attack against the ICMP and UDP protocols. For this attack to be successful, the attacker requires a switch configuration that allows packet routing (at layer 3). Configurations that do not allow network traffic routing are not impacted. Successful exploitation could allow an attacker to bypass security policies, potentially leading to unauthorized data exposure.
CVSS: LOW (3.4) EPSS Score: 0.04%
January 9th, 2025 (5 months ago)
|
CVE-2024-53995 |
Description: SickChill is an automatic video library manager for TV shows. A user-controlled `login` endpoint's `next_` parameter takes arbitrary content. Prior to commit c7128a8946c3701df95c285810eb75b2de18bf82, an authenticated attacker may use this to redirect the user to arbitrary destinations, leading to open redirect. Commit c7128a8946c3701df95c285810eb75b2de18bf82 changes the login page to redirect to `settings.DEFAULT_PAGE` instead of to the `next` parameter.
CVSS: LOW (1.9) EPSS Score: 0.05%
January 9th, 2025 (5 months ago)
|