Threat and Vulnerability Intelligence Database

CVE-2024-0296

Description: A vulnerability has been found in Totolink N200RE 9.3.5u.6139_B20201216 and classified as critical. This vulnerability affects the function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument host_time leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-249862 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

A critical vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216. The function NTPSyncWithHost of the file /cgi-bin/cstecgi.cgi is affected. By manipulating the argument host_time with unknown data, an OS command injection vulnerability can be exploited. The attack can take place over the network. The exploit is publicly available.

CVSS: HIGH (7.3)

EPSS Score: 2.07%

SSVC Exploitation: poc

Source: CVE
April 17th, 2025 (2 days ago)

CVE-2024-0290

Description: A vulnerability, which was classified as critical, has been found in Kashipara Food Management System 1.0. This issue affects some unknown processing of the file stock_edit.php. The manipulation of the argument item_type leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249851.

A vulnerability was discovered in Kashipara Food Management System 1.0. It was classified as critical. This concerns an unspecified function of the file stock_edit.php. By manipulating the argument item_type with unknown data, an SQL injection vulnerability can be exploited. The attack can be carried out over the network. The exploit is publicly available.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

SSVC Exploitation: poc

Source: CVE
April 17th, 2025 (2 days ago)

CVE-2024-0282

Description: A vulnerability was found in Kashipara Food Management System up to 1.0. It has been classified as problematic. This affects an unknown part of the file addmaterialsubmit.php. The manipulation of the argument tin leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249837 was assigned to this vulnerability.

A vulnerability was identified in Kashipara Food Management System up to 1.0. It was classified as problematic. This concerns an unclearly defined function of the file addmaterialsubmit.php. By manipulating the argument tin with unknown data, a cross-site scripting vulnerability can be exploited. The attack can take place over the network. The exploit is publicly available.

CVSS: LOW (3.5)

EPSS Score: 0.07%

SSVC Exploitation: poc

Source: CVE
April 17th, 2025 (2 days ago)

CVE-2024-0266

Description: A vulnerability classified as problematic has been found in Project Worlds Online Lawyer Management System 1.0. Affected is an unknown function of the component User Registration. The manipulation of the argument First Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249822 is the identifier assigned to this vulnerability.

A problematic vulnerability was discovered in Project Worlds Online Lawyer Management System 1.0. This concerns an unclearly defined function of the User Registration component. By manipulating the argument First Name with unknown data, a cross-site scripting vulnerability can be exploited. The attack can take place over the network. The exploit is publicly available.

CVSS: MEDIUM (4.3)

EPSS Score: 0.08%

SSVC Exploitation: poc

Source: CVE
April 17th, 2025 (2 days ago)

CVE-2024-0201

Description: The Product Expiry for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_settings' function in versions up to, and including, 2.5. This makes it possible for authenticated attackers, with subscriber-level permissions or above, to update plugin settings.

CVSS: MEDIUM (5.4)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
April 17th, 2025 (2 days ago)
🚨 Marked as known exploited on April 17th, 2025 (2 days ago).
Description: A Windows vulnerability that exposes NTLM hashes using .library-ms files is now actively exploited by hackers in phishing campaigns targeting government entities and private companies. [...]
Source: BleepingComputer
April 17th, 2025 (2 days ago)
Description: Vulnerability
A vulnerability has been identified in Rasa Pro where voice connectors in Rasa Pro do not properly implement authentication even when a token is configured in the credentials.yml file. This could allow an attacker to submit voice data to the Rasa Pro assistant from an unauthenticated source. This impacts the following connectors:
audiocodes_stream
genesys
jambonz
As part of our investigation to resolve this issue, we have also performed a security review of our other voice channel connectors:
browser_audio: Does not support authentication. This is a development channel not intended for production use.
twilio_media_streams, twilio_voice and jambonz: Authentication is currently not supported by these channels, but our investigation has found a way for us to enable it for these voice channel connectors in a future Rasa Pro release.
Fix
The issue has been resolved for audiocodes, audiocodes_stream, and genesys connectors. Fixed versions of Rasa Pro have been released for 3.9.20, 3.10.19, 3.11.7 and 3.12.6. Please update to a fixed release. If you are using one of the affected connectors, we strongly recommend upgrading to a fixed version. For connectors where authentication is not supported (e.g., Twilio), we suggest taking extra caution and considering other compensating controls if applicable.
References
https://github.com/RasaHQ/rasa-pro-security-advisories/security/advisories/GHSA-7xq5-54jp-2mfg
https://github.com/RasaHQ/security-advisories/security/advi...
Source: Github Advisory Database (PIP)
April 17th, 2025 (2 days ago)
Description: A stored cross-site scripting (XSS) vulnerability exists with radio button type custom fields in Liferay Portal 7.2.0 through 7.4.3.129, and Liferay DXP 2024.Q4.1 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, 7.3 GA through update 36, and 7.2 GA through fix pack 20 allows remote authenticated attackers to inject malicious JavaScript into a page.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-3760
https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-3760
https://github.com/advisories/GHSA-qhp6-vp7c-g7xp

CVSS: MEDIUM (4.8)

EPSS Score: 0.14%

Source: Github Advisory Database (Maven)
April 17th, 2025 (2 days ago)
Description: In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices. Explore privacy-friendly alternatives and get the scoop on why it's important to question the platforms you interact with online.
Source: Cisco Talos Blog
April 17th, 2025 (2 days ago)