
Threat and Vulnerability Intelligence Database


CVE-2025-45862

Description: TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow via the interfacenameds parameter in the formDhcpv6s interface.

CVSS: MEDIUM (6.5)

EPSS Score: 0.06%

Source: CVE
May 20th, 2025 (about 1 month ago)

CVE-2024-28022

Description: A vulnerability exists in the UNEM server / APIGateway that if exploited allows a malicious user to perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to other components in the same security realm using the targeted account.

CVSS: MEDIUM (6.5)

EPSS Score: 0.1%

SSVC Exploitation: none

Source: CVE
May 20th, 2025 (about 1 month ago)

CVE-2025-4977

Description: A vulnerability, which was classified as problematic, has been found in Netgear DGND3700 1.1.00.15_1.00.15NA. Affected by this issue is some unknown functionality of the file /BRS_top.html. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other products might be affected as well. The vendor was contacted early about this disclosure. A problematic vulnerability was discovered in Netgear DGND3700 1.1.00.15_1.00.15NA. Affected is an unknown process of the file /BRS_top.html. By manipulating it with unknown data, an information disclosure vulnerability can be exploited. The attack can be carried out over the network. The exploit is publicly available.

CVSS: MEDIUM (5.3)

EPSS Score: 0.07%

Source: CVE
May 20th, 2025 (about 1 month ago)

CVE-2025-40633

Description: A Stored Cross-Site Scripting (XSS) vulnerability has been found in Koibox for versions prior to e8cbce2. This vulnerability allows an authenticated attacker to upload an image containing malicious JavaScript code as a profile picture in the '/es/dashboard/clientes/ficha/' endpoint.

CVSS: MEDIUM (5.1)

EPSS Score: 0.05%

Source: CVE
May 20th, 2025 (about 1 month ago)

CVE-2025-4951

Description: Editions of Rapid7 AppSpider Pro before version 7.5.018 are vulnerable to a stored cross-site scripting vulnerability in the "ScanName" field. Although the application prevents the inclusion of special characters within the "ScanName" field, this restriction could be bypassed by modifying the configuration file directly. This is fixed as of version 7.5.018.

CVSS: MEDIUM (4.6)

EPSS Score: 0.02%

Source: CVE
May 20th, 2025 (about 1 month ago)

CVE-2024-5878

Description: Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled SimpleLightbox JavaScript library (version 2.1.5) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
May 20th, 2025 (about 1 month ago)

CVE-2025-3079

Description: A passback vulnerability which relates to office/small office multifunction printers and laser printers.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

Source: CVE
May 20th, 2025 (about 1 month ago)

CVE-2025-3078

Description: A passback vulnerability which relates to production printers and office multifunction printers.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

Source: CVE
May 20th, 2025 (about 1 month ago)

Description:

Impact: Rendering {{ attributes }} or using any method that returns a ComponentAttributes instance (e.g. only(), defaults(), without()) outputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities.

Patches: The issue is fixed in version 2.25.1 of symfony/ux-twig-component by using Twig's EscaperRuntime to properly escape HTML attributes in ComponentAttributes. If you use symfony/ux-live-component, you must also update it to 2.25.1 to benefit from the fix, as it reuses the ComponentAttributes class internally.

Workarounds: Until you can upgrade, avoid rendering {{ attributes }} or derived objects directly if they may contain untrusted values. Instead, use {{ attributes.render('name') }} for safe output of individual attributes.

References:
GitHub repository: symfony/ux
https://github.com/symfony/ux/security/advisories/GHSA-5j3w-5pcr-f8hg
https://nvd.nist.gov/vuln/detail/CVE-2025-47946
https://github.com/symfony/ux-live-component/commit/7ad44cf56d750b9f56658ed986286a10da132ee7
https://github.com/symfony/ux-twig-component/commit/b5d4e77db69315aeb18d2238e0e7c943d340ce76
https://github.com/symfony/ux/commit/b5d1c85995c128cb926d47a96cfbfbd500b643a8
https://github.com/symfony/ux/commit/c2f7738ee0969c31df7514025a7f5fc6e153932d
https://github.com/advisories/GHSA-5j3w-5pcr-f8hg

CVSS: MEDIUM (6.1)

EPSS Score: 0.03%

Source: Github Advisory Database (Composer)
May 19th, 2025 (about 1 month ago)