CVE-2025-48488 |
Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, deleting the file .htaccess allows an attacker to upload an HTML file containing malicious JavaScript code to the server, which can result in a Cross-Site Scripting (XSS) vulnerability. This issue has been patched in version 1.8.180.
CVSS: MEDIUM (4.6) EPSS Score: 0.03%
May 30th, 2025 (19 days ago)
|
CVE-2025-48487 |
Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when creating a translation of a phrase that appears in a flash message after a completed action, it is possible to inject a payload to exploit an XSS vulnerability. This issue has been patched in version 1.8.180.
CVSS: MEDIUM (4.8) EPSS Score: 0.03%
May 30th, 2025 (19 days ago)
|
CVE-2025-48486 |
Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, a cross-site scripting (XSS) vulnerability is caused by the lack of input validation and sanitization in both \Session::flash and __, allowing user input to be executed without proper filtering. This issue has been patched in version 1.8.180.
CVSS: MEDIUM (5.4) EPSS Score: 0.03%
May 30th, 2025 (19 days ago)
|
CVE-2025-48485 |
Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data when an authenticated user updates the profile of an arbitrary customer. This issue has been patched in version 1.8.180.
CVSS: MEDIUM (5.4) EPSS Score: 0.03%
May 30th, 2025 (19 days ago)
|
CVE-2025-47697 |
Description: A client-side enforcement of server-side security issue exists in all versions of wivia 5. If exploited, an unauthenticated attacker may bypass authentication and operate the affected device as the moderator user.
CVSS: MEDIUM (6.5) EPSS Score: 0.12%
May 30th, 2025 (19 days ago)
|
CVE-2025-41406 |
Description: A cross-site scripting vulnerability exists in all versions of wivia 5. If exploited, when a user connects to the affected device with a specific operation, an arbitrary script may be executed on the web browser of the moderator user.
CVSS: MEDIUM (5.4) EPSS Score: 0.03%
May 30th, 2025 (19 days ago)
|
CVE-2025-41385 |
Description: An OS command injection issue exists in all versions of wivia 5. If this vulnerability is exploited, an arbitrary OS command may be executed by a logged-in administrative user.
CVSS: MEDIUM (6.7) EPSS Score: 0.13%
May 30th, 2025 (19 days ago)
|
CVE-2025-5259 |
Description: The Minimal Share Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ parameter in all versions up to, and including, 1.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
May 30th, 2025 (19 days ago)
|
CVE-2025-48490 |
Description: Laravel Rest Api is an API generator. Prior to version 2.13.0, a validation bypass vulnerability was discovered where multiple validations defined for the same attribute could be silently overridden. Due to how the framework merged validation rules across multiple contexts (such as index, store, and update actions), malicious actors could exploit this behavior by crafting requests that bypass expected validation rules, potentially injecting unexpected or dangerous parameters into the application. This could lead to unauthorized data being accepted or processed by the API, depending on the context in which the validation was bypassed. This issue has been patched in version 2.13.0.
CVSS: MEDIUM (6.6) EPSS Score: 0.09%
May 30th, 2025 (19 days ago)
|
CVE-2025-4659 |
Description: The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
May 30th, 2025 (19 days ago)
|