CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-10635 |
Description: Enterprise Protection contains an improper input validation vulnerability in attachment defense that allows an unauthenticated remote attacker to bypass attachment scanning security policy by sending a malicious S/MIME attachment with an opaque signature. When opened by a recipient in a downstream email client, the malicious attachment could cause partial loss of integrity and confidentiality to their system.
CVSS: MEDIUM (6.1) EPSS Score: 0.04%
April 28th, 2025 (2 months ago)
|
|
Description: A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-3984
https://vuldb.com/?ctiid.306320
https://vuldb.com/?id.306320
https://vuldb.com/?submit.557100
https://wx.mail.qq.com/s?k=ilW4ixcMaVgGU49Dij
https://github.com/advisories/GHSA-37pq-893f-g7q5
CVSS: MEDIUM (5.0) EPSS Score: 0.05%
April 28th, 2025 (2 months ago)
|
|
|
Description: A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-3986
https://vuldb.com/?ctiid.306322
https://vuldb.com/?id.306322
https://vuldb.com/?submit.557473
https://wx.mail.qq.com/s?k=rk-m8GwRMVMcOjBY1a
https://github.com/advisories/GHSA-mvwq-hcrj-f5x9
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
April 28th, 2025 (2 months ago)
|
|
CVE-2025-4036 |
Description: A vulnerability was found in 201206030 Novel 3.5.0 and classified as critical. This issue affects the function updateBookChapter of the file src/main/java/io/github/xxyopen/novel/controller/author/AuthorController.java of the component Chapter Handler. The manipulation leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Eine kritische Schwachstelle wurde in 201206030 Novel 3.5.0 gefunden. Es geht hierbei um die Funktion updateBookChapter der Datei src/main/java/io/github/xxyopen/novel/controller/author/AuthorController.java der Komponente Chapter Handler. Durch das Manipulieren mit unbekannten Daten kann eine improper access controls-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
April 28th, 2025 (2 months ago)
|
|
CVE-2025-4034 |
Description: A vulnerability classified as critical was found in projectworlds Online Examination System 1.0. Affected by this vulnerability is an unknown functionality of the file /inser_doc_process.php. The manipulation of the argument Doc_ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. In projectworlds Online Examination System 1.0 wurde eine kritische Schwachstelle entdeckt. Betroffen ist eine unbekannte Verarbeitung der Datei /inser_doc_process.php. Durch die Manipulation des Arguments Doc_ID mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk passieren. Der Exploit steht zur öffentlichen Verfügung.
CVSS: MEDIUM (6.9) EPSS Score: 0.03%
April 28th, 2025 (2 months ago)
|
|
CVE-2025-34490 |
Description: GFI MailEssentials prior to version 21.8 is vulnerable to an XML External Entity (XXE) issue. An authenticated and remote attacker can send crafted HTTP requests to read arbitrary system files.
CVSS: MEDIUM (6.5) EPSS Score: 0.05% SSVC Exploitation: none
April 28th, 2025 (2 months ago)
|
|
CVE-2025-3955 |
Description: A vulnerability, which was classified as critical, was found in codeprojects Patient Record Management System 1.0. This affects an unknown part of the file /edit_rpatient.php.php. The manipulation of the argument id/lastname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine kritische Schwachstelle in codeprojects Patient Record Management System 1.0 gefunden. Hiervon betroffen ist ein unbekannter Codeblock der Datei /edit_rpatient.php.php. Durch das Manipulieren des Arguments id/lastname mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.
CVSS: MEDIUM (6.3) EPSS Score: 0.03% SSVC Exploitation: poc
April 28th, 2025 (2 months ago)
|
|
CVE-2025-4029 |
Description: A vulnerability was found in code-projects Personal Diary Management System 1.0 and classified as critical. Affected by this issue is the function addrecord of the component New Record Handler. The manipulation of the argument filename leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Eine Schwachstelle wurde in code-projects Personal Diary Management System 1.0 gefunden. Sie wurde als kritisch eingestuft. Dies betrifft die Funktion addrecord der Komponente New Record Handler. Durch das Beeinflussen des Arguments filename mit unbekannten Daten kann eine stack-based buffer overflow-Schwachstelle ausgenutzt werden. Der Angriff muss lokal passieren. Der Exploit steht zur öffentlichen Verfügung.
CVSS: MEDIUM (5.3) EPSS Score: 0.02% SSVC Exploitation: poc
April 28th, 2025 (2 months ago)
|
|
CVE-2025-43857 |
Description: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is connected, a malicious server can send can send a "literal" byte count, which is automatically read by the client's receiver thread. The response reader immediately allocates memory for the number of bytes indicated by the server response. This should not be an issue when securely connecting to trusted IMAP servers that are well-behaved. It can affect insecure connections and buggy, untrusted, or compromised servers (for example, connecting to a user supplied hostname). This issue has been patched in versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5.
CVSS: MEDIUM (6.0) EPSS Score: 0.08%
April 28th, 2025 (2 months ago)
|
|
CVE-2025-4028 |
Description: A vulnerability has been found in PHPGurukul COVID19 Testing Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. In PHPGurukul COVID19 Testing Management System 1.0 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Das betrifft eine unbekannte Funktionalität der Datei /profile.php. Durch Manipulieren des Arguments mobilenumber mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.
CVSS: MEDIUM (6.9) EPSS Score: 0.03%
April 28th, 2025 (2 months ago)
|