CVE-2025-48739
Description: A Server-Side Request Forgery (SSRF) vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows remote authenticated attackers with admin permissions (allowing them to access specific API endpoints) to manipulate URLs to direct requests to unexpected hosts or ports. This allows the attacker to use a TheHive server as a proxy to reach internal or otherwise restricted resources. This could be exploited to access other servers on the internal network.
CVSS: MEDIUM (4.6) EPSS Score: 0.12%
May 23rd, 2025 (27 days ago)

CVE-2025-48738
Description: An e-mail flooding vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows unauthenticated remote attackers to use the password reset feature without limits. This can lead to several consequences, including mailbox storage exhaustion for targeted users, reputation damage to the SMTP server, potentially causing it to be blacklisted, and overload of the SMTP server's outbound mail queue.
CVSS: MEDIUM (6.9) EPSS Score: 0.14%
May 23rd, 2025 (27 days ago)

CVE-2025-48741
Description: A Broken Access Control vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, and 5.4.0 before 5.4.10 allows remote, authenticated, and unprivileged users to retrieve alerts, cases, logs, observables, or tasks, regardless of the user's permissions, through a specific API endpoint.
CVSS: MEDIUM (6.8) EPSS Score: 0.03%
May 23rd, 2025 (27 days ago)

CVE-2025-48740
Description: A Cross-Site Request Forgery (CSRF) vulnerability in StrangeBee TheHive 5.2.0 before 5.2.16, 5.3.0 before 5.3.11, 5.4.0 before 5.4.10, and 5.5.0 before 5.5.1 allows a remote attacker to trigger requests on their victim's behalf, if the attacker lures a privileged user who is authenticated with basic authentication.
CVSS: MEDIUM (5.9) EPSS Score: 0.05%
May 23rd, 2025 (27 days ago)

CVE-2025-48735
Description: A SQL Injection issue in the request body processing in BOS IPCs with firmware 21.45.8.2.2_220219 before 21.45.8.2.3_230220 allows remote attackers to obtain sensitive information from the database via crafted input in the request body.
CVSS: MEDIUM (4.3) EPSS Score: 0.03%
May 23rd, 2025 (27 days ago)

CVE-2025-44998
Description: A stored cross-site scripting (XSS) vulnerability in the component /tinyfilemanager.php of TinyFileManager v2.4.7 allows attackers to execute arbitrary JavaScript or HTML via injecting a crafted payload into the js-theme-3 parameter.
CVSS: MEDIUM (6.1) EPSS Score: 0.03% SSVC Exploitation: poc
May 23rd, 2025 (27 days ago)

CVE-2024-51102
Description: PHPGURUKUL Student Management System using PHP and MySQL v1 was discovered to contain multiple SQL injection vulnerabilities at /studentrecordms/login.php via the username and password parameters.
CVSS: MEDIUM (4.4) EPSS Score: 0.02% SSVC Exploitation: poc
May 23rd, 2025 (27 days ago)

CVE-2025-48371
Description: Overview
OpenFGA v1.8.0 to v1.8.12 (Helm chart openfga-0.2.16 to openfga-0.2.30, Docker image v1.8.0 to v1.8.12) are vulnerable to authorization bypass when certain Check and ListObjects calls are executed.
Am I Affected?
If you are using OpenFGA v1.8.0 to v1.8.12, you are affected by this authorization bypass vulnerability when all of the following conditions hold:
You call the Check API or ListObjects with an authorization model in which a relation is directly assignable by both type-bound public access and a userset, and
The Check or ListObjects queries carry contextual tuples for that relation, and
The user field of those contextual tuples is a userset, and
No type-bound public access tuples are assigned to the relation.
Fix
Upgrade to v1.8.13. This upgrade is backwards compatible.
Acknowledgments
Okta would like to thank @udyvish for discovering this vulnerability.
References
https://github.com/openfga/openfga/security/advisories/GHSA-c72g-53hw-82q7
https://nvd.nist.gov/vuln/detail/CVE-2025-48371
https://github.com/openfga/openfga/commit/e5960d4eba92b723de8ff3a5346a07f50c1379ca
https://github.com/advisories/GHSA-c72g-53hw-82q7
CVSS: MEDIUM (5.8) EPSS Score: 0.04%
May 23rd, 2025 (27 days ago)

CVE-2024-23505
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DearHive PDF Viewer & 3D PDF Flipbook – DearPDF allows Stored XSS. This issue affects PDF Viewer & 3D PDF Flipbook – DearPDF: from n/a through 2.0.38.
CVSS: MEDIUM (6.5) EPSS Score: 0.05% SSVC Exploitation: none
May 23rd, 2025 (27 days ago)

CVE-2024-22304
WordPress FreshMail For WordPress Plugin <= 2.3.2 is vulnerable to Cross Site Request Forgery (CSRF)
Description: Cross-Site Request Forgery (CSRF) vulnerability in Borbis Media FreshMail For WordPress. This issue affects FreshMail For WordPress: from n/a through 2.3.2.
CVSS: MEDIUM (5.4) EPSS Score: 0.05% SSVC Exploitation: none
May 23rd, 2025 (27 days ago)