
Threat and Vulnerability Intelligence Database

CVE-2025-48069

Description: ejson2env allows users to decrypt EJSON secrets and export them as environment variables. Prior to version 2.0.8, the `ejson2env` tool has a vulnerability related to how it writes to `stdout`. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to `stdout`. If this output is improperly utilized in further command execution, it could lead to command injection, allowing an attacker to execute arbitrary commands on the host system. Version 2.0.8 sanitizes output during decryption. Other mitigations involve avoiding use of `ejson2env` to decrypt untrusted user secrets and/or avoiding evaluating or executing the direct output from `ejson2env` without removing nonprintable characters.

CVSS: MEDIUM (6.6)

EPSS Score: 0.15%

Source: CVE
May 21st, 2025 (30 days ago)

CVE-2025-48063

Description: XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check. Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impact of this attack to be low even though gaining programming right c...

CVSS: MEDIUM (4.8)

EPSS Score: 0.11%

Source: CVE
May 21st, 2025 (30 days ago)

CVE-2025-47291

Description: containerd is an open-source container runtime. A bug was found in containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put user-namespaced containers under the Kubernetes cgroup hierarchy, so some Kubernetes limits are not honored. This may cause a denial of service of the Kubernetes node. This bug has been fixed in containerd 2.0.5+ and 2.1.0+. Users should update to these versions to resolve the issue. As a workaround, temporarily disable user-namespaced pods in Kubernetes.

CVSS: MEDIUM (4.6)

EPSS Score: 0.02%

Source: CVE
May 21st, 2025 (30 days ago)

CVE-2025-45754

Description: A stored cross-site scripting (XSS) vulnerability exists in SeedDMS 6.0.32. This vulnerability allows an attacker to inject malicious JavaScript payloads by creating a document with an XSS payload as the document name.

CVSS: MEDIUM (5.4)

EPSS Score: 0.03%

Source: CVE
May 21st, 2025 (30 days ago)

CVE-2025-2102

Description: Improper Link Resolution Before File Access ('Link Following') vulnerability in HYPR Passwordless on Windows allows Privilege Escalation. This issue affects HYPR Passwordless: before 10.1.

CVSS: MEDIUM (5.7)

EPSS Score: 0.02%

Source: CVE
May 21st, 2025 (30 days ago)

CVE-2025-0372

Description: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in HYPR Passwordless on Windows allows Privilege Escalation. This issue affects HYPR Passwordless: before 10.1.

CVSS: MEDIUM (5.9)

EPSS Score: 0.02%

Source: CVE
May 21st, 2025 (30 days ago)

CVE-2025-48203

Description: Cross-site scripting (XSS) vulnerability in the [clickstorm] SEO (cs_seo) TYPO3 extension allows backend users to execute arbitrary script via the JSON-LD output.

References:
https://github.com/clickstorm/cs_seo/commit/1cf6c40821102b1f1508fe4e76825569340c8f90
https://github.com/FriendsOfPHP/security-advisories/blob/master/clickstorm/cs-seo/CVE-2025-48203.yaml
https://typo3.org/security/advisory/typo3-ext-sa-2025-005
https://github.com/advisories/GHSA-6p8w-pc35-mqv8

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: GitHub Advisory Database (Composer)
May 21st, 2025 (30 days ago)

CVE-2025-48202

Description: Insecure Direct Object Reference (IDOR) in the femanager TYPO3 extension allows attackers to view frontend user data via a user parameter in the newAction of the newController.

References:
https://github.com/in2code-de/femanager/commit/54851f8f60254bd8060bdf7bc16d56f4de7bd828
https://github.com/FriendsOfPHP/security-advisories/blob/master/in2code/femanager/CVE-2025-48202.yaml
https://typo3.org/security/advisory/typo3-ext-sa-2025-006
https://github.com/advisories/GHSA-xxwr-wv9g-7jw3

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: GitHub Advisory Database (Composer)
May 21st, 2025 (30 days ago)

CVE-2025-48056

Description:

Impact: A network attacker could inject malicious control characters into Hubble CLI terminal output, potentially leading to loss of integrity and manipulation of the output. This could be leveraged to conceal log entries, rewrite output, or even make the terminal temporarily unusable. Exploitation of this attack would require the victim to be monitoring Kafka traffic using Layer 7 Protocol Visibility at the time of the attack.

Patches: This issue affects all versions of Hubble CLI before v1.17.2. The issue is patched in Hubble CLI v1.17.2, via https://github.com/cilium/cilium/pull/37401.

Workarounds: Hubble CLI users who are unable to upgrade can direct their Hubble flows to a log file and inspect the output within a text editor.

Acknowledgements: The Cilium community has worked together with members of Isovalent and the Cisco ASIG team to prepare these mitigations. Special thanks to @bipierce-cisco and @kokelley-cisco for reporting the issue and to @devodev for the fix.

For more information: If you have any questions or comments about this advisory, please reach out on Slack. If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at [email protected]. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

References:
https://github.com/cilium/hubble/security/advisories/GHSA-274q-79q9-52j7
https://nvd.nist.gov/vuln/detail/CVE-2025-48056
https://git...

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: GitHub Advisory Database (Go)
May 21st, 2025 (30 days ago)

CVE-2025-29837

Description: This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.1. The following CVEs are assigned: CVE-2025-29837.

CVSS: MEDIUM (5.5)

EPSS Score: 0.06%

Source: Zero Day Initiative Published Advisories
May 21st, 2025 (30 days ago)