CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-23392
Reflected XSS in SystemsController.java in spacewalk-java
Description: A Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in spacewalk-java allows execution of arbitrary Javascript code on target systems.This issue affects Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; Container suse/manager/5.0/x86_64/server:5.0.4.7.19.1: from ? before 5.0.24-150600.3.25.1; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3; SUSE Manager Server Module 4.3: from ? before 4.3.85-150400.3.105.3.

CVSS: MEDIUM (5.2)

EPSS Score: 0.04%

Source: CVE
May 26th, 2025 (24 days ago)

CVE-2025-46803
Screen creates by default world-writable PTYs
Description: The default mode of pseudo terminals (PTYs) allocated by Screen was changed from 0620 to 0622, thereby allowing anyone to write to any Screen PTYs in the system.

CVSS: MEDIUM (5.0)

EPSS Score: 0.01%

Source: CVE
May 26th, 2025 (24 days ago)

CVE-2025-46802
Temporary chown() of users' TTY to mode 0666 allows PTY hijacking in screen
Description: For a short time they PTY is set to mode 666, allowing any user on the system to connect to the screen session.

CVSS: MEDIUM (6.0)

EPSS Score: 0.01%

Source: CVE
May 26th, 2025 (24 days ago)

CVE-2025-39498
WordPress Spotlight - Social Media Feeds (Premium) plugin <= 1.7.1 - Sensitive Data Exposure vulnerability
Description: Insertion of Sensitive Information Into Sent Data vulnerability in Spotlight Spotlight - Social Media Feeds (Premium) allows Retrieve Embedded Sensitive Data.This issue affects Spotlight - Social Media Feeds (Premium): from n/a through 1.7.1.

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: CVE
May 26th, 2025 (24 days ago)

CVE-2025-5196
Wing FTP Server Lua Admin Console unnecessary privileges
Description: A vulnerability has been found in Wing FTP Server up to 7.4.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Lua Admin Console. The manipulation leads to execution with unnecessary privileges. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 7.4.4 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "[W]e do not consider it as a security vulnerability, because the system admin in WingFTP has full permissions [...], but you can suggest the user run WingFTP service as Normal User rather than SYSTEM/Root, it will be safer." In Wing FTP Server bis 7.4.3 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Hierbei betrifft es unbekannten Programmcode der Komponente Lua Admin Console. Mit der Manipulation mit unbekannten Daten kann eine execution with unnecessary privileges-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Die Komplexität eines Angriffs ist eher hoch. Sie gilt als schwierig ausnutzbar. Ein Aktualisieren auf die Version 7.4.4 vermag dieses Problem zu lösen. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

CVSS: MEDIUM (6.6)

EPSS Score: 0.09%

Source: CVE
May 26th, 2025 (24 days ago)

CVE-2025-5186
thinkgem JeeSite URI Scheme form ResourceLoader.getResource server-side request forgery
Description: A vulnerability was found in thinkgem JeeSite up to 5.11.1. It has been rated as critical. Affected by this issue is the function ResourceLoader.getResource of the file /cms/fileTemplate/form of the component URI Scheme Handler. The manipulation of the argument Name leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Eine kritische Schwachstelle wurde in thinkgem JeeSite bis 5.11.1 ausgemacht. Hierbei geht es um die Funktion ResourceLoader.getResource der Datei /cms/fileTemplate/form der Komponente URI Scheme Handler. Durch Manipulieren des Arguments Name mit unbekannten Daten kann eine server-side request forgery-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

Source: CVE
May 26th, 2025 (24 days ago)

CVE-2025-46805
Screen has a TOCTOU race potentially allowing to send SIGHUP, SIGCONT to privileged processes when installed setuid-root
Description: Screen version 5.0.0 and older version 4 releases have a TOCTOU race potentially allowing to send SIGHUP, SIGCONT to privileged processes when installed setuid-root.

CVSS: MEDIUM (5.5)

EPSS Score: 0.01%

Source: CVE
May 26th, 2025 (24 days ago)

CVE-2025-5185
Summer Pearl Group Vacation Rental Management Platform cross-site request forgery
Description: A vulnerability was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross-site request forgery. The attack can be launched remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. In Summer Pearl Group Vacation Rental Management Platform bis 1.0.1 wurde eine problematische Schwachstelle ausgemacht. Dabei geht es um eine nicht genauer bekannte Funktion. Durch das Manipulieren mit unbekannten Daten kann eine cross-site request forgery-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Ein Aktualisieren auf die Version 1.0.2 vermag dieses Problem zu lösen. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

CVSS: MEDIUM (4.3)

EPSS Score: 0.02%

Source: CVE
May 26th, 2025 (24 days ago)

CVE-2025-5184
Summer Pearl Group Vacation Rental Management Platform HTTP Response Header information disclosure
Description: A vulnerability was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. It has been classified as problematic. Affected is an unknown function of the component HTTP Response Header Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component. Es wurde eine problematische Schwachstelle in Summer Pearl Group Vacation Rental Management Platform bis 1.0.1 ausgemacht. Es geht dabei um eine nicht klar definierte Funktion der Komponente HTTP Response Header Handler. Mittels Manipulieren mit unbekannten Daten kann eine information disclosure-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Ein Aktualisieren auf die Version 1.0.2 vermag dieses Problem zu lösen. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

Source: CVE
May 26th, 2025 (24 days ago)

CVE-2025-40663
Stored Cross-Site Scripting (XSS) in i2A-Cronos by i2A
Description: Stored Cross-Site Scripting (XSS) vulnerability in i2A-Cronos version 23.02.01.17, from i2A. It allows an authenticated attacker to upload a malicious SVG image into the user's personal space in /CronosWeb/Modules/Persons/PersonalDocuments/PersonalDocuments. There is no reported fix at this time.

CVSS: MEDIUM (5.1)

EPSS Score: 0.05%

Source: CVE
May 26th, 2025 (24 days ago)