CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-27400 |
Description: As reported by Aakash Adhikari, Github: @justlife4x4, the Design > Themes > Skin (Images / CSS) config field allows a Stored XSS when it contains an end script tag.
Impact
A malicious user with access to this configuration field could use a Stored XSS to affect other authenticated admin users in the admin panel.
The attack requires an admin user with configuration access, so in practice, it is not very likely to be used for gaining elevated privileges, although it could theoretically be used to impersonate other users.
References
https://github.com/OpenMage/magento-lts/security/advisories/GHSA-5pxh-89cx-4668
https://nvd.nist.gov/vuln/detail/CVE-2025-27400
https://github.com/OpenMage/magento-lts/commit/d307e5bf75729a2347dde0952fe9fd9fcd9c6aea
https://github.com/OpenMage/magento-lts/releases/tag/v20.12.3
https://github.com/OpenMage/magento-lts/releases/tag/v20.13.0
https://github.com/advisories/GHSA-5pxh-89cx-4668
CVSS: LOW (2.9) EPSS Score: 0.12%
March 3rd, 2025 (4 months ago)
|
|
CVE-2024-0012 |
CVSS: CRITICAL (9.3)
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-27501 |
Description: OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint on the admin panel can be accessed without any form of authentication. This endpoint accepts a user-supplied URL parameter to connect to an OpenZiti Controller and performs a server-side request, resulting in a potential Server-Side Request Forgery (SSRF) vulnerability. The fixed version has moved the request to the external controller from the server side to the client side, thereby eliminating the identity of the node from being used to gain any additional permissions. This vulnerability is fixed in 3.7.1.
CVSS: HIGH (8.6) EPSS Score: 0.04%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-27500 |
Description: OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint(/api/upload) on the admin panel can be accessed without any form of authentication. This endpoint accepts an HTTP POST to upload a file which is then stored on the node and is available via URL. This can lead to a stored cross site scripting attack if the file uploaded contains malicious code and is then accessed and executed within the context of the user's browser. This function is no longer necessary as the ziti-console moves from a node server application to a single page application, and has been disabled. The vulnerability is fixed in 3.7.1.
CVSS: HIGH (8.2) EPSS Score: 0.04%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-27499 |
Description: WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the processa_edicao_socio.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the socio_nome parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.2.10.
CVSS: MEDIUM (6.4) EPSS Score: 0.03%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-26206 |
Description: Cross Site Request Forgery vulnerability in sell done storefront v.1.0 allows a remote attacker to escalate privileges via the index.html component
CVSS: CRITICAL (9.0) EPSS Score: 0.05%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-25967 |
Description: Acora CMS version 10.1.1 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw enables attackers to trick authenticated users into performing unauthorized actions, such as account deletion or user creation, by embedding malicious requests in external content. The lack of CSRF protections allows exploitation via crafted requests.
EPSS Score: 0.1%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-25939 |
Description: Reprise License Manager 14.2 is vulnerable to reflected cross-site scripting in /goform/activate_process via the akey parameter.
EPSS Score: 0.03%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-1889 |
Description: picklescan before 0.0.22 only considers standard pickle file extensions in the scope for its vulnerability scan. An attacker could craft a malicious model that uses Pickle include a malicious pickle file with a non-standard file extension. Because the malicious pickle file inclusion is not considered as part of the scope of picklescan, the file would pass security checks and appear to be safe, when it could instead prove to be problematic.
CVSS: MEDIUM (5.3) EPSS Score: 0.03%
March 3rd, 2025 (4 months ago)
|
|
CVE-2025-1877 |
Description: A vulnerability, which was classified as critical, was found in D-Link DAP-1562 1.10. This affects the function pure_auth_check of the component HTTP POST Request Handler. The manipulation of the argument a1 leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. Es wurde eine kritische Schwachstelle in D-Link DAP-1562 1.10 gefunden. Hiervon betroffen ist die Funktion pure_auth_check der Komponente HTTP POST Request Handler. Durch die Manipulation des Arguments a1 mit unbekannten Daten kann eine null pointer dereference-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk angegangen werden. Der Exploit steht zur öffentlichen Verfügung.
CVSS: HIGH (7.1) EPSS Score: 0.08%
March 3rd, 2025 (4 months ago)
|