CVE-2024-21622 |
Description: Craft is a content management system. Craft 3.x prior to 3.9.6 and 4.x prior to 4.4.16 contain a moderate-impact, low-complexity privilege escalation vulnerability that is reachable with certain user permission setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6; users should ensure they are running at least those versions.
CVSS: MEDIUM (5.4) EPSS Score: 0.1% SSVC Exploitation: none
April 17th, 2025 (1 day ago)
|
CVE-2024-20804 |
Description: Path traversal vulnerability in FileUriConverter of MyFiles prior to SMR Jan-2024 Release 1 in Android 11 and Android 12, and version 14.5.00.21 in Android 13, allows local attackers to write arbitrary files.
CVSS: MEDIUM (4.0) EPSS Score: 0.1% SSVC Exploitation: none
April 17th, 2025 (1 day ago)
|
CVE-2024-0290 |
Description: A vulnerability classified as critical has been found in Kashipara Food Management System 1.0. It affects unknown processing in the file stock_edit.php: manipulation of the argument item_type leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249851.
CVSS: MEDIUM (6.3) EPSS Score: 0.04% SSVC Exploitation: poc
April 17th, 2025 (1 day ago)
|
CVE-2024-0266 |
Description: A vulnerability classified as problematic has been found in Project Worlds Online Lawyer Management System 1.0. It affects an unknown function of the User Registration component: manipulation of the argument First Name leads to cross-site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249822 is the identifier assigned to this vulnerability.
CVSS: MEDIUM (4.3) EPSS Score: 0.08% SSVC Exploitation: poc
April 17th, 2025 (1 day ago)
|
CVE-2024-0201 |
Description: The Product Expiry for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_settings' function in versions up to, and including, 2.5. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update plugin settings.
CVSS: MEDIUM (5.4) EPSS Score: 0.05% SSVC Exploitation: none
April 17th, 2025 (1 day ago)
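The entry above names the whole bug: a settings handler that any logged-in user can reach and that never asks who is calling. The following is an added illustration of that pattern and its fix, written for this page; it is not the Product Expiry for WooCommerce plugin's code. The hook names, option name and settings fields (`hypo_*`) are invented, and the block assumes it runs inside WordPress, since it uses core APIs (`current_user_can`, `check_ajax_referer`, `update_option`).

```php
<?php
// Added illustration, not the plugin's own code. All hypo_* names are hypothetical.

// Vulnerable pattern: a wp_ajax_* handler that saves plugin settings without any
// capability or nonce check. wp_ajax_* actions are reachable by every logged-in
// user, so a subscriber account is enough to rewrite the settings.
function hypo_save_settings_vulnerable() {
    $settings = array(
        'notify_days'  => isset( $_POST['notify_days'] ) ? (int) $_POST['notify_days'] : 7,
        'hide_expired' => ! empty( $_POST['hide_expired'] ),
    );
    update_option( 'hypo_expiry_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_hypo_save_settings', 'hypo_save_settings_vulnerable' );

// Hardened pattern: verify the nonce (blocks CSRF), then require the capability
// that administering the plugin should demand (blocks the subscriber), then
// sanitise before writing the option.
function hypo_save_settings_hardened() {
    // check_ajax_referer() terminates the request with HTTP 403 on a missing or
    // invalid nonce, so nothing below runs for a forged request.
    check_ajax_referer( 'hypo_save_settings', '_wpnonce' );

    // The authorisation check that the advisory says was missing. manage_options
    // is the core administrator capability; a shop-manager capability such as
    // WooCommerce's manage_woocommerce would be the alternative for this plugin.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $settings = array(
        'notify_days'  => absint( $_POST['notify_days'] ?? 7 ),
        'hide_expired' => ! empty( $_POST['hide_expired'] ),
    );
    update_option( 'hypo_expiry_settings', $settings );
    wp_send_json_success( $settings );
}
add_action( 'wp_ajax_hypo_save_settings_v2', 'hypo_save_settings_hardened' );

// Settings-page side: emits the hidden _wpnonce field the hardened handler expects.
function hypo_settings_page_nonce_field() {
    wp_nonce_field( 'hypo_save_settings', '_wpnonce' );
}
```

A quick check when reviewing a plugin: every `wp_ajax_*`, `admin_post_*` and REST callback that writes options or posts should contain both a nonce check and a `current_user_can()` call, and the capability should be the one the feature actually needs rather than `read` or `edit_posts`. Logging in as a subscriber and posting to `admin-ajax.php` with the handler's `action` is the fastest way to confirm the check is present: the hardened handler rejects the request, the vulnerable one returns the saved settings.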
|
CVE-2025-3760 |
Description: A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-3760
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3760
https://github.com/advisories/GHSA-qhp6-vp7c-g7xp
CVSS: MEDIUM (4.8) EPSS Score: 0.14%
April 17th, 2025 (1 day ago)
|
CVE-2024-0355 |
Description: A vulnerability classified as critical was found in PHPGurukul Dairy Farm Shop Management System up to 1.1. It affects an unknown function of the file add-category.php: manipulation of the argument category leads to SQL injection. The exploit has been disclosed to the public and may be used. VDB-250122 is the identifier assigned to this vulnerability.
CVSS: MEDIUM (5.5) EPSS Score: 0.09% SSVC Exploitation: poc
April 17th, 2025 (1 day ago)
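The Kashipara entry (stock_edit.php, argument item_type) and the PHPGurukul entry above (add-category.php, argument category) describe the same class of bug: a request parameter concatenated into SQL text. The following is an added example for this page showing that pattern beside its prepared-statement fix; it is not code from either project. The table, columns and the attacker payload are constructed, and the block assumes PHP with the pdo_sqlite extension so it runs against an in-memory database with no server.

```php
<?php
// Added illustration of the SQL injection class in the two entries above. Not
// Kashipara or PHPGurukul code; the stock table and its rows are made up.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE stock (id INTEGER PRIMARY KEY, item_type TEXT, qty INTEGER)");
$pdo->exec("INSERT INTO stock (item_type, qty) VALUES ('rice', 10), ('flour', 20), ('oil', 5)");

// Vulnerable: the request parameter becomes part of the statement text, so the
// user controls the WHERE clause rather than just the value compared in it.
function stock_edit_vulnerable(PDO $pdo, string $item_type, int $qty): int {
    $sql = "UPDATE stock SET qty = $qty WHERE item_type = '$item_type'";
    return $pdo->exec($sql); // rows affected
}

// Hardened: the value travels as a bound parameter and is never parsed as SQL.
function stock_edit_hardened(PDO $pdo, string $item_type, int $qty): int {
    $stmt = $pdo->prepare("UPDATE stock SET qty = :qty WHERE item_type = :item_type");
    $stmt->execute([':qty' => $qty, ':item_type' => $item_type]);
    return $stmt->rowCount();
}

// Constructed attacker input: what a remote user can send as item_type.
// Against the vulnerable query it yields  ... WHERE item_type = 'rice' OR '1'='1'
// and the injected OR makes the WHERE clause true for every row.
$payload = "rice' OR '1'='1";

echo "vulnerable: " . stock_edit_vulnerable($pdo, $payload, 0) . " rows updated\n";

// Through the hardened path the same string is compared literally against
// item_type, so it matches nothing, while a legitimate value still works.
echo "hardened (payload): " . stock_edit_hardened($pdo, $payload, 0) . " rows updated\n";
echo "hardened (rice): " . stock_edit_hardened($pdo, 'rice', 42) . " rows updated\n";
```

The same applies to `INSERT` in add-category.php: binding the category value is the fix, not escaping it by hand. When triaging a PHP code base for this pattern, grep for `mysqli_query`, `->query(` and `->exec(` whose argument is a double-quoted string or a concatenation containing `$_GET`, `$_POST` or `$_REQUEST`; every hit is a candidate for conversion to `prepare()`/`execute()`.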
|
CVE-2024-0345 |
Description: A vulnerability classified as problematic was found in CodeAstro Vehicle Booking System 1.0. It affects an unknown part of the file usr/usr-register.php in the User Registration component: manipulation of the argument Full_Name/Last_Name/Address with the input alert(document.cookie) leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-250113 was assigned to this vulnerability.
CVSS: MEDIUM (4.3) EPSS Score: 0.08% SSVC Exploitation: poc
April 17th, 2025 (1 day ago)
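The two registration-form entries above (Project Worlds, argument First Name; CodeAstro, arguments Full_Name/Last_Name/Address) are stored cross-site scripting: a name entered at sign-up is later echoed into HTML unencoded wherever users are listed. The following is an added example for this page, not code from either project, showing the raw echo beside output encoding. Storage is an in-memory array standing in for the users table, and the script payloads are constructed.

```php
<?php
// Added illustration of stored XSS through a registration field. Not Project
// Worlds or CodeAstro code; the user records and payloads are constructed.

// Registration stores whatever was submitted. That alone is fine: the flaw is
// in how the stored value is later rendered, not in storing it.
function register_user(array &$users, string $first_name, string $address): void {
    $users[] = ['first_name' => $first_name, 'address' => $address];
}

// Vulnerable rendering: values are dropped straight into the markup, so a stored
// <script> tag runs in the browser of every admin or user who views the list.
function render_users_vulnerable(array $users): string {
    $html = "<table>\n";
    foreach ($users as $u) {
        $html .= "<tr><td>{$u['first_name']}</td><td>{$u['address']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Hardened rendering: encode for the HTML context at output time. ENT_QUOTES
// also covers attribute contexts; the charset must match the page's encoding.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function render_users_hardened(array $users): string {
    $html = "<table>\n";
    foreach ($users as $u) {
        $html .= "<tr><td>" . e($u['first_name']) . "</td><td>" . e($u['address']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

$users = [];
register_user($users, 'Alice', '1 Main St');
register_user($users, '<script>alert(document.cookie)</script>', 'x'); // constructed payload
register_user($users, '" onmouseover="alert(1)', 'y');                // attribute-context variant

echo "--- vulnerable ---\n", render_users_vulnerable($users);
echo "--- hardened ---\n", render_users_hardened($users);

// Check a reviewer can run: the hardened output must contain no raw tag.
if (strpos(render_users_hardened($users), '<script') !== false) {
    throw new RuntimeException('output encoding failed');
}
```

Encoding belongs at the point of output because the same stored value may be rendered in several contexts (HTML text, an attribute, a JavaScript string), each of which needs its own encoder. Stripping tags at registration time is not a substitute: it misses attribute and event-handler payloads like the third record above. The Liferay entry on this page is the same class in Java, where a JSP tag such as `<c:out>` or the platform's HTML escaper plays the role of `htmlspecialchars()`.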
|
CVE-2025-2440 |
Description:
1. EXECUTIVE SUMMARY
CVSS v4 5.4
ATTENTION: Low attack complexity
Vendor: Schneider Electric
Equipment: Trio Q Licensed Data Radio
Vulnerabilities: Insecure Storage of Sensitive Information, Initialization of a Resource with an Insecure Default
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to access confidential information, compromise the integrity, or affect the availability of the affected product.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
Schneider Electric Trio Q Licensed Data Radio: Versions prior to 2.7.2
3.2 VULNERABILITY OVERVIEW
3.2.1 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922
An insecure storage of sensitive information vulnerability exists that could potentially lead to unauthorized access to confidential data when a malicious user with physical access and advanced knowledge of the filesystem sets the radio to factory default mode.
CVE-2025-2440 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2440. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188
An incorrect initialization of resource vulnerability exists ...
CVSS: MEDIUM (4.1) EPSS Score: 0.02%
April 17th, 2025 (1 day ago)
|