CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-11390 |
Description: Unrestricted upload of a file with dangerous type in Kibana can lead to arbitrary JavaScript execution in a victim’s browser (XSS) via crafted HTML and JavaScript files.
The attacker must have access to the Synthetics app AND/OR have access to write to the synthetics indices.
CVSS: MEDIUM (5.4) EPSS Score: 0.03% SSVC Exploitation: none
May 1st, 2025 (about 2 months ago)
|
|
CVE-2024-13381 |
Description: The Calculated Fields Form WordPress plugin before 5.2.62 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVSS: MEDIUM (4.8) EPSS Score: 0.03%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2024-13845 |
Description: The Gravity Forms WebHooks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.0 via the 'process_feed' method of the GF_Webhooks class This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CVSS: MEDIUM (5.5) EPSS Score: 0.04%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2025-4144 |
Description: PKCE was implemented in the OAuth implementation in workers-oauth-provider that is part of MCP framework https://github.com/cloudflare/workers-mcp . However, it was found that an attacker could cause the check to be skipped.
Fixed in:
https://github.com/cloudflare/workers-oauth-provider/pull/27 https://github.com/cloudflare/workers-oauth-provider/pull/27
Impact:
PKCE is a defense-in-depth mechanism against certain kinds of attacks and was an optional extension in OAuth 2.0 which became required in the OAuth 2.1 draft. (Note that the MCP specification requires OAuth 2.1.). This bug completely bypasses PKCE protection.
CVSS: MEDIUM (5.3) EPSS Score: 0.05%
May 1st, 2025 (about 2 months ago)
|
|
CVE-2024-30146 |
Description: Improper access control of endpoint in HCL Domino Leap
allows certain admin users to import applications from the
server's filesystem.
CVSS: MEDIUM (4.1) EPSS Score: 0.04%
April 30th, 2025 (about 2 months ago)
|
|
CVE-2024-30145 |
Description: Multiple vectors in HCL Domino Volt and Domino Leap allow client-side
script injection in the authoring environment and deployed applications.
CVSS: MEDIUM (6.5) EPSS Score: 0.03%
April 30th, 2025 (about 2 months ago)
|
|
CVE-2024-30115 |
Description: Insufficient sanitization policy in HCL Leap
allows client-side script injection in the deployed application through the
HTML widget.
CVSS: MEDIUM (6.3) EPSS Score: 0.03%
April 30th, 2025 (about 2 months ago)
|
|
CVE-2025-24132 |
Description: The issue was addressed with improved memory handling. This issue is fixed in AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, CarPlay Communication Plug-in R18.1. An attacker on the local network may cause an unexpected app termination.
CVSS: MEDIUM (6.5) EPSS Score: 0.01%
April 30th, 2025 (about 2 months ago)
|
|
CVE-2025-4136 |
Description: A vulnerability was found in Weitong Mall 1.0.0. It has been classified as critical. This affects an unknown part of the component Sale Endpoint. The manipulation of the argument ID leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine Schwachstelle in Weitong Mall 1.0.0 ausgemacht. Sie wurde als kritisch eingestuft. Es geht dabei um eine nicht klar definierte Funktion der Komponente Sale Endpoint. Mit der Manipulation des Arguments ID mit unbekannten Daten kann eine improper authorization-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
April 30th, 2025 (about 2 months ago)
|
|
CVE-2024-6029 |
Description: Tesla Model S Iris Modem Race Condition Firewall Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass the firewall on the Iris modem in affected Tesla Model S vehicles. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the firewall service. The issue results from a failure to obtain the xtables lock. An attacker can leverage this vulnerability to bypass firewall rules. Was ZDI-CAN-23197.
CVSS: MEDIUM (5.0) EPSS Score: 0.03%
April 30th, 2025 (about 2 months ago)
|