|
Description: Mount Rogers Community Services provides Mental Health, Developmental Disability, and Substance Use Services to the people of Bland, Carroll, Grayson, Smyth, and Wythe Counties as well as the City of Galax.
June 10th, 2025 (11 days ago)
|
CVE-2024-38812 |
🚨 Marked as known exploited on June 10th, 2025 (11 days ago).
Description: VMware vCenter Server contains a heap-overflow vulnerability in its implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger it by sending a specially crafted network packet, potentially leading to remote code execution.
CVSS: CRITICAL (9.8) EPSS Score: 58.01% SSVC Exploitation: active
June 10th, 2025 (11 days ago)
|
CVE-2024-38524 |
Description: GeoServer is an open source server that allows users to share and edit geospatial data. The GeoWebCache front page served by org.geowebcache.GeoWebCacheDispatcher.handleFrontPage(HttpServletRequest, HttpServletResponse) performs no check before showing potentially sensitive information to users; the only control is a hidden system property that hides the storage locations, and it defaults to showing them. This vulnerability is fixed in 2.26.2 and 2.25.6.
CVSS: MEDIUM (5.3) EPSS Score: 0.04% SSVC Exploitation: none
June 10th, 2025 (11 days ago)
|
CVE-2024-37396 |
Description: A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.
EPSS Score: 0.02%
June 10th, 2025 (11 days ago)
|
CVE-2024-37395 |
Description: A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.
EPSS Score: 0.01%
June 10th, 2025 (11 days ago)
|
CVE-2024-37394 |
Description: A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability.
EPSS Score: 0.02%
June 10th, 2025 (11 days ago)
|
CVE-2024-34711 |
Description: GeoServer is an open source server that allows users to share and edit geospatial data. An improper URI validation vulnerability enables an unauthorized attacker to perform an XML External Entity (XXE) attack and have the server send a GET request to any HTTP server. By default, GeoServer uses the PreventLocalEntityResolver class from GeoTools to filter out malicious URIs in XML entities before resolving them. The URI must match the regex (?i)(jar:file|http|vfs)[^?#;]*\\.xsd. That regex constrains only the scheme and a .xsd suffix, not the host, so an attacker can still make the server request any HTTP server (or a limited set of files), scan internal networks, gather information about them, and exploit further. GeoServer 2.25.0 and greater default to the use of ENTITY_RESOLUTION_ALLOWLIST and do not require you to provide a system property.
CVSS: CRITICAL (9.3) EPSS Score: 0.04% SSVC Exploitation: none
June 10th, 2025 (11 days ago)
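The regex gate quoted in this entry is small enough to test directly. The Python below is an added example, not GeoTools or GeoServer code: it applies the quoted pattern as a full-string match (an assumption about how the Java side used it; the Java literal `\\.xsd` becomes `\.xsd` in the regex) to a set of constructed probe URIs, next to a host allowlist of the kind the ENTITY_RESOLUTION_ALLOWLIST default stands for. The hosts in `ALLOWED_HOSTS`, the probe URIs and the helper names are illustrative.

```python
import re
from urllib.parse import urlsplit

# The pattern quoted in the advisory (Java literal "\\.xsd" -> regex \.xsd),
# applied as a full-string match. Assumption: this mirrors how the resolver
# used it; the point holds either way, because the pattern never looks at
# the host.
LEGACY_PATTERN = re.compile(r"(?i)(jar:file|http|vfs)[^?#;]*\.xsd")


def legacy_allows(uri: str) -> bool:
    """Scheme-and-suffix gate: any host passes as long as the URI ends in .xsd."""
    return LEGACY_PATTERN.fullmatch(uri) is not None


# Constructed allowlist for illustration; a real deployment lists the schema
# hosts it actually needs.
ALLOWED_HOSTS = frozenset({"schemas.opengis.net", "www.w3.org"})


def allowlist_allows(uri: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Host allowlist: parse the URI and compare the hostname exactly."""
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https"):
        return False  # no jar:, vfs:, file: or other local resolution
    host = parts.hostname  # userinfo, port and IPv6 brackets stripped
    if host is None or host.lower() not in allowed_hosts:
        return False
    return parts.path.lower().endswith(".xsd")


# Constructed probe URIs of the kinds an attacker would embed in a DOCTYPE.
PROBES = [
    "http://schemas.opengis.net/gml/3.2.1/gml.xsd",        # legitimate schema
    "http://10.0.0.1:8080/probe.xsd",                       # internal host scan
    "HTTP://attacker.example/callback.xsd",                 # out-of-band request
    "http://schemas.opengis.net@10.0.0.1/x.xsd",            # userinfo trick
    "jar:file:/opt/geoserver/lib/gt-xsd.jar!/schema.xsd",   # local archive
    "file:///etc/passwd",                                   # blocked by both
]


def compare(uris=PROBES):
    """Return (uri, legacy_verdict, allowlist_verdict) for each probe."""
    return [(u, legacy_allows(u), allowlist_allows(u)) for u in uris]


if __name__ == "__main__":
    for uri, legacy, strict in compare():
        print(f"legacy={legacy!s:<5} allowlist={strict!s:<5} {uri}")
```

Only the first probe passes the allowlist; the legacy pattern passes the first five, including the internal-address scan and the userinfo trick, which is the gap the advisory describes.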
|
CVE-2024-34347 |
Description: @hoppscotch/cli is a CLI to run Hoppscotch test scripts in CI environments. Prior to 0.8.0, the @hoppscotch/js-sandbox package provided a JavaScript sandbox built on the Node.js vm module. The vm module is not safe for sandboxing untrusted JavaScript: code inside a vm context can break out if it obtains any reference to an object created outside the vm. @hoppscotch/js-sandbox passed multiple references to external objects into the vm context so that pre-request scripts could interact with environment variables and more, and those same references allow a pre-request script to escape the sandbox. This vulnerability is fixed in 0.8.0.
CVSS: HIGH (8.4) EPSS Score: 0.09% SSVC Exploitation: poc
June 10th, 2025 (11 days ago)
|
CVE-2024-32119 |
Description: An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user's FCTUID and VDOM to perform operations such as uploading or tagging on behalf of the targeted user via specially crafted TCP requests.
CVSS: MEDIUM (4.6) EPSS Score: 0.01% SSVC Exploitation: none
June 10th, 2025 (11 days ago)
|
CVE-2024-29198 |
Description: GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. It is possible to achieve Server-Side Request Forgery (SSRF) via the Demo request endpoint if Proxy Base URL has not been set. Upgrading to GeoServer 2.24.4 or 2.25.2 removes the TestWfsPost servlet, resolving this issue.
CVSS: HIGH (7.5) EPSS Score: 0.04%
June 10th, 2025 (11 days ago)
|