CVE-2025-46834 |
Description: Alchemy's Modular Account is a smart contract account that is compatible with ERC-4337 and ERC-6900. In versions on the 2.x branch prior to commit 5e6f540d249afcaeaf76ab95517d0359fde883b0, owners of Modular Accounts can grant session keys (scoped external keys) to external parties and would use the allowlist module to restrict which external contracts the session key can access. The allowlist module does not check the `executeUserOp` -> `execute` or `executeBatch` call path, so any session key can bypass the access-control restrictions set on it. Through this path a session key can reach ERC20 and ERC721 token contracts, among others, transferring all tokens out of the account, and can reconfigure the permissions that external modules enforce on session keys. A session key could thereby remove all restrictions set on itself, or rotate the keys of other, higher-privileged session keys to keys under its control. Commit 5e6f540d249afcaeaf76ab95517d0359fde883b0 fixes this issue.
CVSS: MEDIUM (6.6) EPSS Score: 0.06%
May 15th, 2025 (about 1 month ago)
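The root cause is a permission hook that dispatches on the outer calldata selector and silently passes anything it does not recognise. The following is an added Python model of that check and of a fail-closed version; it is not Alchemy's Solidity code, and the selectors, the fixed-width encoding, the addresses and the recursive unwrapping are assumptions made so the example runs offline.

```python
"""Model of a session-key allowlist hook that keys on the outer selector.
Added illustration in Python, not Alchemy's code: selectors and the ABI
encoding are simplified stand-ins (assumption) so the example runs offline."""
from dataclasses import dataclass

# Hypothetical 4-byte selectors (assumption: not the real keccak-derived values).
SEL_EXECUTE        = b"\x00\x00\x00\x01"   # execute(address,uint256,bytes)
SEL_EXECUTE_BATCH  = b"\x00\x00\x00\x02"   # executeBatch(Call[])
SEL_EXECUTE_USEROP = b"\x00\x00\x00\x03"   # executeUserOp(...) wrapper

# Constructed 20-byte addresses for the demo.
DEX   = bytes.fromhex("11" * 20)
TOKEN = bytes.fromhex("22" * 20)


@dataclass(frozen=True)
class Call:
    target: bytes   # 20-byte address
    value: int
    data: bytes


# --- simplified encoders (fixed-width fields, no real ABI padding) -----------
def encode_execute(c: Call) -> bytes:
    return SEL_EXECUTE + c.target + c.value.to_bytes(32, "big") + c.data


def encode_execute_batch(calls) -> bytes:
    out = SEL_EXECUTE_BATCH + len(calls).to_bytes(1, "big")
    for c in calls:
        out += c.target + c.value.to_bytes(32, "big")
        out += len(c.data).to_bytes(4, "big") + c.data
    return out


def encode_execute_user_op(inner_calldata: bytes) -> bytes:
    # The real wrapper carries a whole user operation; only its callData matters here.
    return SEL_EXECUTE_USEROP + inner_calldata


# --- decoders ----------------------------------------------------------------
def decode_execute(cd: bytes) -> list:
    return [Call(cd[4:24], int.from_bytes(cd[24:56], "big"), cd[56:])]


def decode_execute_batch(cd: bytes) -> list:
    n, pos, calls = cd[4], 5, []
    for _ in range(n):
        target = cd[pos:pos + 20]; pos += 20
        value = int.from_bytes(cd[pos:pos + 32], "big"); pos += 32
        ln = int.from_bytes(cd[pos:pos + 4], "big"); pos += 4
        calls.append(Call(target, value, cd[pos:pos + ln])); pos += ln
    return calls


class UncoveredPath(Exception):
    """Raised by the hardened check for any selector it cannot reason about."""


def external_targets(cd: bytes, hardened: bool) -> list:
    """Return every external contract the calldata will reach.

    Vulnerable variant: only the two direct selectors are understood; anything
    else counts as 'no external call', so the same execute() wrapped inside
    executeUserOp() is never inspected.  Hardened variant: unwrap executeUserOp
    recursively and fail closed on every other selector.
    """
    sel = cd[:4]
    if sel == SEL_EXECUTE:
        return [c.target for c in decode_execute(cd)]
    if sel == SEL_EXECUTE_BATCH:
        return [c.target for c in decode_execute_batch(cd)]
    if hardened:
        if sel == SEL_EXECUTE_USEROP:
            return external_targets(cd[4:], hardened)
        raise UncoveredPath(sel.hex())
    return []   # vulnerable: unknown wrapper -> nothing to allowlist


def allowlist_permits(cd: bytes, allowlist: set, hardened: bool) -> bool:
    try:
        targets = external_targets(cd, hardened)
    except UncoveredPath:
        return False
    return all(t in allowlist for t in targets)


def demo() -> dict:
    allow = {DEX}                                   # session key may only touch the DEX
    direct = encode_execute(Call(TOKEN, 0, b"\xa9\x05\x9c\xbb"))   # ERC-20 transfer selector
    wrapped = encode_execute_user_op(direct)
    return {
        "direct_vulnerable":  allowlist_permits(direct,  allow, hardened=False),
        "wrapped_vulnerable": allowlist_permits(wrapped, allow, hardened=False),
        "wrapped_hardened":   allowlist_permits(wrapped, allow, hardened=True),
    }
```

The direct `execute` to the token is refused by both variants; the identical call wrapped in `executeUserOp` sails through the vulnerable check because the hook never looks inside the wrapper. The general lesson is that a policy hook must enumerate every entry point that can reach an external call and must reject selectors it does not model, rather than defaulting to allow.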
|
CVE-2024-25146 |
Description: Liferay Portal 7.2.0 through 7.4.1, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 18, and older unsupported versions return different responses depending on whether a site does not exist or the user lacks permission to access it, which allows remote attackers to discover the existence of sites by enumerating URLs. The vulnerability is only present when locale.prepend.friendly.url.style=2 and a custom 404 page is used.
CVSS: MEDIUM (5.3) EPSS Score: 0.24% SSVC Exploitation: none
May 15th, 2025 (about 1 month ago)
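The weakness is a response-difference oracle: "no such site" and "site exists but is hidden from you" must be indistinguishable to an unauthenticated caller. The block below is an added Python illustration, not Liferay code, of how a wordlist probe exploits the difference and of a resolver that collapses both failures onto one response; site names, users and page bodies are constructed for the example.

```python
"""Added illustration (Python, not Liferay code) of the response-difference
oracle behind this CVE and of the fix.  Sites, users and bodies are constructed."""

# Constructed site table: site name -> users allowed to see it.
SITES = {
    "guest":   {"anon", "alice", "bob"},
    "finance": {"alice"},
    "m-and-a": {"bob"},
}

CUSTOM_404 = "<h1>Page not found</h1><p>Try the search box.</p>"
FORBIDDEN  = "<h1>Access denied</h1><p>You do not have permission.</p>"


def _site_of(path: str) -> str:
    return path.strip("/").split("/")[0]


def resolve_vulnerable(path: str, user: str) -> tuple:
    """Tells 'no such site' apart from 'exists but you may not see it'."""
    site = _site_of(path)
    if site not in SITES:
        return 404, CUSTOM_404
    if user not in SITES[site]:
        return 403, FORBIDDEN          # different status and body: the oracle
    return 200, f"<h1>{site}</h1>"


def resolve_fixed(path: str, user: str) -> tuple:
    """Both failure cases yield the same status and the same body."""
    site = _site_of(path)
    if site not in SITES or user not in SITES[site]:
        return 404, CUSTOM_404
    return 200, f"<h1>{site}</h1>"


def enumerate_sites(resolve, candidates, user: str = "anon") -> dict:
    """What an unauthenticated attacker learns from a wordlist of site names.

    A name is inferred to exist whenever its response differs from the
    baseline response for a name that certainly does not exist.
    """
    baseline = resolve("/definitely-not-a-site-9f3c", user)
    found = {}
    for name in candidates:
        resp = resolve(f"/{name}", user)
        if resp != baseline:
            found[name] = "confirmed" if resp[0] == 200 else "exists (hidden)"
    return found
```

Status code and body are compared together because either one alone is enough to leak; response size, headers and timing are further channels that the fixed resolver does not address and that a real fix would also have to keep uniform.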
|
CVE-2024-24819 |
Description: icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\Web\Form` is the base for various concrete form implementations [1] and provides protection against cross site request forgery (CSRF) by default. This is done by automatically adding a CSRF token element to every form unless explicitly disabled; however, even when enabled, the token sent with the client's submission of a form relying on it is never validated. This enables attackers to perform changes on behalf of a user who unknowingly interacts with a prepared link or website. Version 0.22.0 remedies this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: MEDIUM (5.3) EPSS Score: 0.03% SSVC Exploitation: none
May 15th, 2025 (about 1 month ago)
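Issuing a token is only half of CSRF protection; the handler has to read it back and compare it. As an added Python illustration (not the gipfl library's code), here is a form that mints a session-bound token but never checks it, beside a handler that does. The server secret, session ids, field names and the attack page are assumptions constructed for the example.

```python
"""Added illustration (Python, not the gipfl library's code) of a form that
issues a CSRF token but never validates it, next to the handler that does."""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)      # assumption: one secret per deployment


def csrf_token(session_id: str) -> str:
    """Token bound to the caller's session; unforgeable without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> dict:
    """What the form base class does: add a hidden token element automatically."""
    return {"hostname": "", "notes": "", "__CSRF_TOKEN": csrf_token(session_id)}


def apply_change(session_id: str, fields: dict) -> dict:
    return {"ok": True, "changed_by": session_id, "hostname": fields.get("hostname")}


def submit_vulnerable(session_id: str, fields: dict) -> dict:
    # The token element exists in the rendered form, but nothing reads it back.
    return apply_change(session_id, fields)


def submit_fixed(session_id: str, fields: dict) -> dict:
    presented = str(fields.get("__CSRF_TOKEN", ""))
    expected = csrf_token(session_id)
    # Constant-time compare; a missing, stale or cross-session token all fail.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return {"ok": False, "error": "CSRF token missing or invalid"}
    return apply_change(session_id, fields)


def csrf_attack(handler) -> dict:
    """A page on attacker.example auto-submits this POST from the victim's browser.

    The browser attaches the victim's session cookie, but the attacker cannot
    read the victim's rendered form, so the best they can do is supply a token
    minted for their own session.
    """
    forged = {"hostname": "attacker-controlled",
              "__CSRF_TOKEN": csrf_token("attacker-session")}
    return handler("victim-session", forged)


def legitimate_submit(handler) -> dict:
    form = render_form("victim-session")
    form["hostname"] = "db01"
    return handler("victim-session", form)
```

Binding the token to the session is what makes the attacker's own token useless; a token that is merely random but not tied to the submitting session would still be rejected here only because the attacker cannot read it, so both properties matter.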
|
CVE-2024-24595 |
Description: Allegro AI’s open-source version of ClearML stores passwords in plaintext within the MongoDB instance, resulting in a compromised server leaking all user emails and passwords.
CVSS: MEDIUM (6.0) EPSS Score: 0.02% SSVC Exploitation: none
May 15th, 2025 (about 1 month ago)
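The remedy for a plaintext credential store is a salted, memory-hard password hash, so that a dump of the database yields verifiers rather than passwords. The block below is an added Python illustration, not ClearML's code; it uses `hashlib.scrypt` from the standard library, and the scrypt parameters, record layout, users and passwords are assumptions constructed for the example.

```python
"""Added illustration (Python, not ClearML's code): what a plaintext store leaks
on compromise, next to a salted scrypt store.  Users and passwords are constructed."""
import hashlib
import hmac
import os

# scrypt parameters N=2**14, r=8, p=1 (assumption: a common interactive setting).
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)


# --- the pattern the CVE describes -------------------------------------------
def create_user_plaintext(db: dict, email: str, password: str) -> None:
    db[email] = {"email": email, "password": password}


def login_plaintext(db: dict, email: str, password: str) -> bool:
    rec = db.get(email)
    return rec is not None and rec["password"] == password


# --- hashed storage ----------------------------------------------------------
_DUMMY_SALT = os.urandom(16)   # keeps unknown-user logins as slow as real ones


def create_user_hashed(db: dict, email: str, password: str) -> None:
    salt = os.urandom(16)      # per-user salt: equal passwords get different hashes
    db[email] = {"email": email, "kdf": "scrypt", "salt": salt.hex(),
                 "hash": _derive(password, salt).hex()}


def login_hashed(db: dict, email: str, password: str) -> bool:
    rec = db.get(email)
    salt = bytes.fromhex(rec["salt"]) if rec else _DUMMY_SALT
    expected = bytes.fromhex(rec["hash"]) if rec else b"\x00" * SCRYPT["dklen"]
    # Always derive, then compare in constant time: no user-existence timing oracle.
    ok = hmac.compare_digest(_derive(password, salt), expected)
    return ok and rec is not None


def dump_after_compromise(db: dict) -> list:
    """What an attacker holding the MongoDB data gets from each record."""
    return [(rec["email"], rec.get("password", "<hash only>")) for rec in db.values()]
```

With the hashed layout the attacker still learns every email address, which is why the advisory counts addresses as leaked too; only the passwords become expensive to recover, and the per-user salt prevents one cracked hash from unlocking every account that shares that password.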
|
CVE-2024-24494 |
Description: Cross Site Scripting vulnerability in Daily Habit Tracker v.1.0 allows a remote attacker to execute arbitrary web script in a victim's browser via the day, exercise, pray, read_book, vitamins, laundry, alcohol and meat parameters in the add-tracker.php and update-tracker.php components.
CVSS: MEDIUM (6.1) EPSS Score: 19.79% SSVC Exploitation: poc
May 15th, 2025 (about 1 month ago)
|
CVE-2024-23764 |
Description: Certain WithSecure products allow Local Privilege Escalation. This affects WithSecure Client Security 15 and later, WithSecure Server Security 15 and later, WithSecure Email and Server Security 15 and later, and WithSecure Elements Endpoint Protection 17 and later.
CVSS: MEDIUM (6.7) EPSS Score: 0.02% SSVC Exploitation: none
May 15th, 2025 (about 1 month ago)
|
CVE-2024-22240 |
Description: Aria Operations for Networks contains a local file read vulnerability. A malicious actor with admin privileges may exploit this vulnerability leading to unauthorized access to sensitive information.
CVSS: MEDIUM (4.9) EPSS Score: 0.4% SSVC Exploitation: none
May 15th, 2025 (about 1 month ago)
|
CVE-2024-22239 |
Description: Aria Operations for Networks contains a local privilege escalation vulnerability. A console user with access to Aria Operations for Networks may exploit this vulnerability to escalate privileges to gain regular shell access.
CVSS: MEDIUM (5.3) EPSS Score: 0.05% SSVC Exploitation: none
May 15th, 2025 (about 1 month ago)
|
CVE-2024-22208 |
Description: phpMyFAQ is an Open Source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. Anyone can share a FAQ item with others, and the front end of this functionality limits a share to 5 email addresses, but the backend does not enforce that limit. There is a CAPTCHA in place, yet because the number of recipients in a single request is not capped server-side, an attacker can solve a single CAPTCHA and send thousands of emails at once, using the target application's mail server to deliver phishing messages. This can get the server blacklisted, causing all of its legitimate email to end up in spam, and can damage the operator's reputation. This issue has been patched in version 3.2.5.
CVSS: MEDIUM (6.5) EPSS Score: 0.91% SSVC Exploitation: poc
May 15th, 2025 (about 1 month ago)
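A limit that exists only in the HTML form is not a limit. The block below is an added Python illustration, not phpMyFAQ's code, of a share-by-email handler that trusts whatever recipient list arrives, beside one that enforces the cap server-side, spends each CAPTCHA solution once, and rate-limits the source. The mailer is a stub, and the cap, rate-limit window, addresses, tokens and timestamps are assumptions constructed for the example.

```python
"""Added illustration (Python, not phpMyFAQ's code): share-by-email with the
recipient cap only in the browser, beside a server-enforced version."""
import re
from collections import defaultdict, deque

MAX_RECIPIENTS = 5
RATE_LIMIT = (10, 3600)        # assumption: at most 10 recipients per source per hour
_ADDR = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class Mailer:
    """Stub for the application's outbound mail; records what would be sent."""
    def __init__(self):
        self.sent = []

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


class CaptchaStore:
    """Server-side record of solved CAPTCHAs; each solution can be spent once."""
    def __init__(self):
        self.solved = set()

    def solve(self, token: str) -> None:
        self.solved.add(token)

    def consume(self, token: str) -> bool:
        if token not in self.solved:
            return False
        self.solved.remove(token)
        return True


class RateLimiter:
    """Sliding window over recipient count per source address."""
    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)     # source -> timestamp per recipient

    def allow(self, source: str, count: int, now: float) -> bool:
        q = self.events[source]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) + count > self.limit:
            return False
        q.extend([now] * count)
        return True


def share_vulnerable(req: dict, captcha: CaptchaStore, mailer: Mailer) -> dict:
    # The form has five address inputs, but the handler trusts whatever arrives,
    # and one solved CAPTCHA covers the whole list.
    if req["captcha"] not in captcha.solved:
        return {"ok": False, "error": "captcha"}
    for addr in req["emails"]:
        mailer.send(addr, f"FAQ #{req['faq_id']} shared with you")
    return {"ok": True, "sent": len(req["emails"])}


def share_hardened(req: dict, captcha: CaptchaStore, mailer: Mailer,
                   limiter: RateLimiter, now: float) -> dict:
    emails = list(dict.fromkeys(req.get("emails", [])))     # de-duplicate, keep order
    if not 1 <= len(emails) <= MAX_RECIPIENTS:
        return {"ok": False, "error": f"1..{MAX_RECIPIENTS} recipients"}
    if not all(_ADDR.match(a) for a in emails):
        return {"ok": False, "error": "invalid address"}
    if not captcha.consume(req.get("captcha", "")):           # single use
        return {"ok": False, "error": "captcha"}
    if not limiter.allow(req["source_ip"], len(emails), now):
        return {"ok": False, "error": "rate limited"}
    for addr in emails:
        mailer.send(addr, f"FAQ #{req['faq_id']} shared with you")
    return {"ok": True, "sent": len(emails)}
```

The cap is checked before the CAPTCHA is consumed so that an oversized request costs the attacker nothing but also sends nothing; the per-source limit then bounds what a patient attacker can relay even with a fresh CAPTCHA per request.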
|
CVE-2024-21869 |
Description: In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product stores plaintext credentials in various places. This may allow an attacker with local access to see them.
CVSS: MEDIUM (6.2) EPSS Score: 0.02% SSVC Exploitation: none
May 15th, 2025 (about 1 month ago)
|