CVE-2025-46611 |
Description: Cross Site Scripting vulnerability in ARTEC EMA Mail v6.92 allows an attacker to execute arbitrary code via a crafted script.
CVSS: MEDIUM (6.1) EPSS Score: 0.04%
May 12th, 2025 (about 1 month ago)
|
CVE-2024-25618 |
Description: Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: MEDIUM (4.2) EPSS Score: 0.22% SSVC Exploitation: poc
May 12th, 2025 (about 1 month ago)
|
CVE-2024-25224 |
Description: A cross-site scripting (XSS) vulnerability in Simple Admin Panel App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Size Number parameter under the Add Size function.
CVSS: MEDIUM (5.4) EPSS Score: 0.12% SSVC Exploitation: poc
May 12th, 2025 (about 1 month ago)
|
CVE-2024-25207 |
Description: Barangay Population Monitoring System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the Add Resident function at /barangay-population-monitoring-system/masterlist.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Contact Number parameter.
CVSS: MEDIUM (5.4) EPSS Score: 0.08% SSVC Exploitation: poc
May 12th, 2025 (about 1 month ago)
|
CVE-2024-21782 |
Description: BIG-IP or BIG-IQ Resource Administrators and Certificate Managers who have access to the secure copy (scp) utility but do not have access to Advanced shell (bash) can execute arbitrary commands with a specially crafted command string. This vulnerability is due to an incomplete fix for CVE-2020-5873.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
CVSS: MEDIUM (6.7) EPSS Score: 0.05% SSVC Exploitation: none
May 12th, 2025 (about 1 month ago)
|
CVE-2024-20802 |
Description: Improper access control vulnerability in Samsung DeX prior to SMR Jan-2024 Release 1 allows the owner to access other users' notifications in a multi-user environment.
CVSS: MEDIUM (4.6) EPSS Score: 0.07% SSVC Exploitation: none
May 12th, 2025 (about 1 month ago)
|
CVE-2025-4526 |
Description: A vulnerability, which was classified as problematic, was found in Dígitro NGC Explorer 3.44.15. This affects an unknown part of the component Configuration Page. The manipulation leads to missing password field masking. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. A problematic vulnerability was found in Dígitro NGC Explorer 3.44.15. An unknown code block of the component Configuration Page is affected. Manipulation with unknown data can exploit a missing password field masking vulnerability. The attack can be launched over the network.
CVSS: MEDIUM (4.3) EPSS Score: 0.03% SSVC Exploitation: none
May 12th, 2025 (about 1 month ago)
|
CVE-2025-40627 |
Description: Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/eyes?[XSS_PAYLOAD]".
CVSS: MEDIUM (5.1) EPSS Score: 0.06%
May 12th, 2025 (about 1 month ago)
|
CVE-2025-40626 |
Description: Reflected Cross-Site Scripting (XSS) vulnerability in AbanteCart v1.4.0, that could allow an attacker to execute JavaScript code in a victim's browser by sending the victim a malicious URL. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through "/about_us?[XSS_PAYLOAD]".
CVSS: MEDIUM (5.1) EPSS Score: 0.06%
May 12th, 2025 (about 1 month ago)
|
CVE-2025-47271 |
Description: The OZI action is a GitHub Action that publishes releases to PyPI and mirror releases, signature bundles, and provenance in a tagged release. In versions 1.13.2 through 1.13.5, potentially untrusted data flows into PR creation logic. A malicious actor could construct a branch name that injects arbitrary code. This is patched in 1.13.6. As a workaround, one may downgrade to a version prior to 1.13.2.
CVSS: MEDIUM (6.3) EPSS Score: 0.05%
May 12th, 2025 (about 1 month ago)
|