CVE-2024-0201 |
Description: The Product Expiry for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_settings' function in versions up to, and including, 2.5. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update plugin settings.
CVSS: MEDIUM (5.4) SSVC Exploitation: none
April 17th, 2025 (about 3 hours ago)
|
CVE-2025-3760 |
Description: A stored cross-site scripting (XSS) vulnerability exists in radio-button-type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20, and allows remote authenticated attackers to inject malicious JavaScript into a page.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-3760
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3760
https://github.com/advisories/GHSA-qhp6-vp7c-g7xp
CVSS: MEDIUM (4.8)
April 17th, 2025 (about 3 hours ago)
|
CVE-2024-0355 |
Description: A vulnerability, which was classified as critical, was found in PHPGurukul Dairy Farm Shop Management System up to 1.1. Affected is an unknown function of the file add-category.php. Manipulation of the argument category leads to SQL injection. The exploit has been disclosed to the public and may be used. VDB-250122 is the identifier assigned to this vulnerability.
CVSS: MEDIUM (5.5) SSVC Exploitation: poc
April 17th, 2025 (about 4 hours ago)
|
CVE-2024-0345 |
Description: A vulnerability, which was classified as problematic, was found in CodeAstro Vehicle Booking System 1.0. This affects an unknown part of the file usr/usr-register.php of the component User Registration. Manipulation of the argument Full_Name/Last_Name/Address with the input alert(document.cookie) leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250113 was assigned to this vulnerability.
CVSS: MEDIUM (4.3) SSVC Exploitation: poc
April 17th, 2025 (about 4 hours ago)
|
CVE-2025-2440 |
Description:
1. EXECUTIVE SUMMARY
CVSS v4 5.4
ATTENTION: Low attack complexity
Vendor: Schneider Electric
Equipment: Trio Q Licensed Data Radio
Vulnerabilities: Insecure Storage of Sensitive Information, Initialization of a Resource with an Insecure Default
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to access confidential information, compromise the integrity, or affect the availability of the affected product.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
Schneider Electric Trio Q Licensed Data Radio: Versions prior to 2.7.2
3.2 VULNERABILITY OVERVIEW
3.2.1 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922
An insecure storage of sensitive information vulnerability exists that could potentially lead to unauthorized access to confidential data when a malicious user with physical access and advanced knowledge of the filesystem sets the radio to factory default mode.
CVE-2025-2440 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2440. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188
An incorrect initialization of resource vulnerability exists ...
CVSS: MEDIUM (4.1)
April 17th, 2025 (about 4 hours ago)
|
CVE-2025-31201 |
Description: Apple iOS, iPadOS, macOS, and other Apple products contain an arbitrary read and write vulnerability that allows an attacker to bypass Pointer Authentication.
CVSS: MEDIUM (6.8)
April 17th, 2025 (about 5 hours ago)
|
CVE-2025-24054 |
Description: Microsoft Windows NTLM contains an external control of file name or path vulnerability that allows an unauthorized attacker to perform spoofing over a network.
CVSS: MEDIUM (6.5)
April 17th, 2025 (about 5 hours ago)
|
CVE-2025-43014 |
Description: In JetBrains Toolbox App before 2.6, the SSH plugin established connections without sufficient user confirmation.
CVSS: MEDIUM (6.1)
April 17th, 2025 (about 6 hours ago)
|
CVE-2025-43013 |
Description: In JetBrains Toolbox App before 2.6, unencrypted credential transmission during SSH authentication was possible.
CVSS: MEDIUM (6.9)
April 17th, 2025 (about 6 hours ago)
|