CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-4210
Casdoor SCIM User Creation Endpoint scim.go HandleScim authorization
Description: A vulnerability classified as critical was found in Casdoor up to 1.811.0. This vulnerability affects the function HandleScim of the file controllers/scim.go of the component SCIM User Creation Endpoint. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.812.0 is able to address this issue. The name of the patch is 3d12ac8dc2282369296c3386815c00a06c6a92fe. It is recommended to upgrade the affected component. In Casdoor bis 1.811.0 wurde eine Schwachstelle entdeckt. Sie wurde als kritisch eingestuft. Es geht um die Funktion HandleScim der Datei controllers/scim.go der Komponente SCIM User Creation Endpoint. Mittels dem Manipulieren mit unbekannten Daten kann eine authorization bypass-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Ein Aktualisieren auf die Version 1.812.0 vermag dieses Problem zu lösen. Der Patch wird als 3d12ac8dc2282369296c3386815c00a06c6a92fe bezeichnet. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

CVSS: MEDIUM (6.9)

EPSS Score: 0.05%

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2025-4166
Vault May Include Sensitive Data in Error Logs When Using the KV v2 Plugin
Description: Vault Community and Vault Enterprise Key/Value (kv) Version 2 plugin may unintentionally expose sensitive information in server and audit logs when users submit malformed payloads during secret creation or update operations via the Vault REST API. This vulnerability, identified as CVE-2025-4166, is fixed in Vault Community 1.19.3 and Vault Enterprise 1.19.3, 1.18.9, 1.17.16, 1.16.20.

CVSS: MEDIUM (4.5)

EPSS Score: 0.03%

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2025-4186
Wangshen SecGate 3600 g=route_ispinfo_export_save path traversal
Description: A vulnerability, which was classified as critical, was found in Wangshen SecGate 3600 2024. Affected is an unknown function of the file /?g=route_ispinfo_export_save. The manipulation of the argument file_name leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine Schwachstelle in Wangshen SecGate 3600 2024 gefunden. Sie wurde als kritisch eingestuft. Betroffen hiervon ist ein unbekannter Ablauf der Datei /?g=route_ispinfo_export_save. Durch die Manipulation des Arguments file_name mit unbekannten Daten kann eine path traversal-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff über das Netzwerk. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (6.3)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2025-2488
XSS in Profelis Informatics' SambaBox
Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Profelis Informatics SambaBox allows Cross-Site Scripting (XSS).This issue affects SambaBox: before 5.1.

CVSS: MEDIUM (4.0)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2024-11142
CSRF in Gosoft Software's Proticaret E-Commerce
Description: Cross-Site Request Forgery (CSRF) vulnerability in Gosoft Software Proticaret E-Commerce allows Cross Site Request Forgery.This issue affects Proticaret E-Commerce: before v6.0 NOTE: According to the vendor, fixing process is still ongoing for v4.05.

CVSS: MEDIUM (5.4)

EPSS Score: 0.02%

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2024-46784
net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup
Description: In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix error handling in mana_create_txq/rxq's NAPI cleanup Currently napi_disable() gets called during rxq and txq cleanup, even before napi is enabled and hrtimer is initialized. It causes kernel panic. ? page_fault_oops+0x136/0x2b0 ? page_counter_cancel+0x2e/0x80 ? do_user_addr_fault+0x2f2/0x640 ? refill_obj_stock+0xc4/0x110 ? exc_page_fault+0x71/0x160 ? asm_exc_page_fault+0x27/0x30 ? __mmdrop+0x10/0x180 ? __mmdrop+0xec/0x180 ? hrtimer_active+0xd/0x50 hrtimer_try_to_cancel+0x2c/0xf0 hrtimer_cancel+0x15/0x30 napi_disable+0x65/0x90 mana_destroy_rxq+0x4c/0x2f0 mana_create_rxq.isra.0+0x56c/0x6d0 ? mana_uncfg_vport+0x50/0x50 mana_alloc_queues+0x21b/0x320 ? skb_dequeue+0x5f/0x80

CVSS: MEDIUM (5.5)

EPSS Score: 0.04%

SSVC Exploitation: none

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2024-13860
BuddyBoss Platform <= 2.8.50 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'bbp_topic_title'
Description: The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bbp_topic_title’ parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2024-13859
BuddyBoss Platform <= 2.8.50 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'bp_nouveau_ajax_media_save' function
Description: The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘bp_nouveau_ajax_media_save’ function in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2024-13858
BuddyBoss Platform <= 2.8.50 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'invitee_name'
Description: The Buddyboss Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘invitee_name’ parameter in all versions up to, and including, 2.8.50 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.8.41.

CVSS: MEDIUM (6.4)

EPSS Score: 0.03%

Source: CVE
May 2nd, 2025 (about 2 months ago)

CVE-2025-47201
In Intrexx Portal Server before 12.0.4, multiple Velocity-Scripts are susceptible to the execution of unrequested JavaScript code in HTML, aka XSS.
Description: In Intrexx Portal Server before 12.0.4, multiple Velocity-Scripts are susceptible to the execution of unrequested JavaScript code in HTML, aka XSS.

CVSS: MEDIUM (4.4)

EPSS Score: 0.03%

Source: CVE
May 2nd, 2025 (about 2 months ago)