Threat and Vulnerability Intelligence Database

CVE-2025-48481

Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an attacker with an unactivated email invitation containing invite_hash, can exploit this vulnerability to self-activate their account, despite it being blocked or deleted, by leveraging the invitation link from the email to gain initial access to the account. This issue has been patched in version 1.8.180.

CVSS: MEDIUM (6.1)

EPSS Score: 0.05%

Source: CVE
May 30th, 2025 (19 days ago)

CVE-2025-48478

Description: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, insufficient input validation during user creation has resulted in a mass assignment vulnerability, allowing an attacker to manipulate all fields of the object, which are enumerated in the $fillable array (the User object), when creating a new user. This issue has been patched in version 1.8.180.

CVSS: MEDIUM (4.9)

EPSS Score: 0.04%

Source: CVE
May 30th, 2025 (19 days ago)

CVE-2025-48381

Description: Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. In versions starting from 2.4.0 to before 2.38.0, an authenticated CVAT user may be able to retrieve the IDs and names of all tasks, projects, labels, and the IDs of all jobs and quality reports on the CVAT instance. In addition, if the instance contains many resources of a particular type, retrieving this information may tie up system resources, denying access to legitimate users. This issue has been patched in version 2.38.0.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
May 30th, 2025 (19 days ago)

CVE-2025-44612

Description: Tinxy WiFi Lock Controller v1 RF was discovered to transmit sensitive information in plaintext, including control information and device credentials, allowing attackers to possibly intercept and access sensitive information via a man-in-the-middle attack.

CVSS: MEDIUM (5.9)

EPSS Score: 0.02%

Source: CVE
May 30th, 2025 (19 days ago)

CVE-2024-12224

Description: Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

CVSS: MEDIUM (5.1)

EPSS Score: 0.06%

Source: CVE
May 30th, 2025 (19 days ago)

CVE-2025-5331

Description: A vulnerability has been found in PCMan FTP Server 2.0.7 and classified as critical. This vulnerability affects unknown code of the component NLST Command Handler. The manipulation leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVSS: MEDIUM (6.9)

EPSS Score: 0.05%

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2025-3913

Description: Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly validate permissions when changing team privacy settings, allowing team administrators without the 'invite user' permission to access and modify team invite IDs via the /api/v4/teams/:teamId/privacy endpoint.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-3913
https://mattermost.com/security-updates
https://github.com/mattermost/mattermost/commit/02c76784380acb6802601bd24c205553b9a5a1be
https://github.com/advisories/GHSA-4mmr-2w8p-whcr

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: Github Advisory Database (Go)
May 29th, 2025 (20 days ago)

CVE-2025-5330

Description: A vulnerability, which was classified as critical, was found in FreeFloat FTP Server 1.0. This affects an unknown part of the component RETR Command Handler. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVSS: MEDIUM (6.9)

EPSS Score: 0.05%

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2025-31261

Description: A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access protected user data.

CVSS: MEDIUM (5.5)

EPSS Score: 0.01%

Source: CVE
May 29th, 2025 (20 days ago)

CVE-2025-31231

Description: A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.4. An app may be able to read sensitive location information.

CVSS: MEDIUM (5.5)

EPSS Score: 0.01%

Source: CVE
May 29th, 2025 (20 days ago)