Threat and Vulnerability Intelligence Database

CVE-2025-24887

Description: OpenCTI is an open-source cyber threat intelligence platform. In versions from 6.4.8 up to but not including 6.4.10, the allow/deny lists can be bypassed, allowing a user to change attributes that are intended to be unmodifiable by that user. It is possible to toggle the `external` flag on/off and to change a user's own token value. It is also possible to edit attributes that are not in the allow list, such as `otp_qr` and `otp_activated`. If external users exist in the OpenCTI setup and information about these users' identities is sensitive, the above vulnerabilities can be used by a standard low-privileged user to enumerate existing user accounts. This issue has been patched in version 6.4.10.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

Source: CVE
April 30th, 2025 (8 days ago)

CVE-2024-9877

Description: Use of GET Request Method With Sensitive Query Strings vulnerability in ABB ANC, ABB ANC-L, ABB ANC-mini. This issue affects ANC: through 1.1.4; ANC-L: through 1.1.4; ANC-mini: through 1.1.4.

CVSS: MEDIUM (5.3)

EPSS Score: 0.02%

SSVC Exploitation: none

Source: CVE
April 30th, 2025 (8 days ago)

CVE-2024-5920

Description: A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write Panorama administrator to push a specially crafted configuration to a PAN-OS node. This enables impersonation of a legitimate PAN-OS administrator who can perform restricted actions on the PAN-OS node after the execution of JavaScript in the legitimate PAN-OS administrator's browser.

CVSS: MEDIUM (4.6)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
April 30th, 2025 (8 days ago)

CVE-2024-5916

Description: An information exposure vulnerability in Palo Alto Networks PAN-OS software enables a local system administrator to unintentionally disclose secrets, passwords, and tokens of external systems. A read-only administrator who has access to the config log can read secrets, passwords, and tokens to external systems.

CVSS: MEDIUM (6.0)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
April 30th, 2025 (8 days ago)

CVE-2024-2777

Description: A vulnerability has been found in Campcodes/PHPGurukul Online Marriage Registration System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/application-bwdates-reports-details.php. The manipulation of the argument fromdate leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

SSVC Exploitation: poc

Source: CVE
April 30th, 2025 (8 days ago)

CVE-2025-4135

Description: A vulnerability was found in Netgear WG302v2 up to 5.2.9 and classified as critical. Affected by this issue is the function ui_get_input_value. The manipulation of the argument host leads to command injection. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS: MEDIUM (5.3)

EPSS Score: 1.33%

Source: CVE
April 30th, 2025 (8 days ago)

CVE-2025-39413

Description: Missing Authorization vulnerability in David Gwyer Simple Sitemap – Create a Responsive HTML Sitemap. This issue affects Simple Sitemap – Create a Responsive HTML Sitemap: from n/a through 3.5.14.

CVSS: MEDIUM (4.3)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
April 30th, 2025 (8 days ago)

CVSS: MEDIUM (4.6)

EPSS Score: 0.05%

Source: Palo Alto Networks Security Advisories
April 30th, 2025 (8 days ago)

CVSS: MEDIUM (6.0)

EPSS Score: 0.05%

Source: Palo Alto Networks Security Advisories
April 30th, 2025 (8 days ago)

CVE-2025-3599

Description: Symantec Endpoint Protection Windows Agent, running an ERASER Engine prior to 119.1.7.8, may be susceptible to an Elevation of Privilege vulnerability, which may allow an attacker to delete resources that are normally protected from an application or user.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
April 30th, 2025 (8 days ago)