CVE-2025-30665
Description: NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.
CVSS: MEDIUM (6.5) | EPSS Score: 0.04%
Published: May 14th, 2025
CVE-2025-30664
Description: Improper neutralization of special elements in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via local access.
CVSS: MEDIUM (6.6) | EPSS Score: 0.02%
Published: May 14th, 2025
CVE-2025-44186
Description: SourceCodester Best Employee Management System 1.0 is vulnerable to Cross Site Request Forgery (CSRF) in the /admin/Operation/User.php page.
CVSS: MEDIUM (5.4) | EPSS Score: 0.02%
Published: May 14th, 2025
CVE-2025-44184
Description: SourceCodester Best Employee Management System V1.0 is vulnerable to Cross Site Scripting (XSS) in /admin/profile.php via the website_image, fname, lname, contact, username, and address parameters.
CVSS: MEDIUM (4.8) | EPSS Score: 0.03%
Published: May 14th, 2025
CVE-2025-3932
Description: It was possible to craft an email that showed a tracking link as an attachment. If the user attempted to open the attachment, Thunderbird automatically accessed the link. The configuration to block remote content did not prevent that. Thunderbird has been fixed to no longer allow access to web pages listed in the X-Mozilla-External-Attachment-URL header of an email. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
CVSS: MEDIUM (6.5) | EPSS Score: 0.03%
Published: May 14th, 2025
CVE-2025-3909
Description: Thunderbird's handling of the X-Mozilla-External-Attachment-URL header can be exploited to execute JavaScript in the file:/// context. By crafting a nested email attachment (message/rfc822) and setting its content type to application/pdf, Thunderbird may incorrectly render it as HTML when opened, allowing the embedded JavaScript to run without requiring a file download. This behavior relies on Thunderbird auto-saving the attachment to /tmp and linking to it via the file:/// protocol, potentially enabling JavaScript execution as part of the HTML. This vulnerability affects Thunderbird < 128.10.1 and Thunderbird < 138.0.1.
CVSS: MEDIUM (6.5) | EPSS Score: 0.06%
Published: May 14th, 2025
CVE-2025-47778
Description: Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload an SVG which may load external data via the XML DOM library. This can be used for insecure XML External Entity References. The problem has been patched in versions 2.6.9, 2.5.25, and 3.0.0-alpha3. As a workaround, one may patch the affected file `src/Sulu/Bundle/MediaBundle/FileInspector/SvgFileInspector.php` manually.
CVSS: MEDIUM (6.1) | EPSS Score: 0.07%
Published: May 14th, 2025
CVE-2025-47775
Description: Bullfrog is a GitHub Action to block unauthorized outbound traffic in GitHub workflows. Prior to version 0.8.4, using TCP breaks blocking and allows DNS exfiltration. This can result in sandbox bypass. Version 0.8.4 fixes the issue.
CVSS: MEDIUM (6.2) | EPSS Score: 0.02% | SSVC Exploitation: poc
Published: May 14th, 2025
CVE-2025-24969
Description: iTop is a web-based IT Service Management tool. Prior to version 3.2.1, a portal user can see any other contact's picture by changing the picture ID in the URL. Version 3.2.1 contains a patch for the issue.
CVSS: MEDIUM (5.0) | EPSS Score: 0.03% | SSVC Exploitation: none
Published: May 14th, 2025
CVE-2025-24785
Description: iTop is a web-based IT Service Management tool. In version 3.2.0, an attacker may send a URL to the server to trigger a PHP error. The next user trying to load this dashboard would encounter a crashed start page. Version 3.2.1 fixes the issue by checking the provided layout_class before saving the dashboard.
CVSS: MEDIUM (4.3) | EPSS Score: 0.06% | SSVC Exploitation: none
Published: May 14th, 2025