CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE-2024-51948

Description: There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: CVE
March 3rd, 2025 (4 months ago)

CVE-2024-51947

Description: There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: CVE
March 3rd, 2025 (4 months ago)

CVE-2024-51946

Description: There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: CVE
March 3rd, 2025 (4 months ago)

CVE-2024-51945

Description: There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: CVE
March 3rd, 2025 (4 months ago)

CVE-2024-51944

Description: There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: CVE
March 3rd, 2025 (4 months ago)

CVE-2024-51942

Description: There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: CVE
March 3rd, 2025 (4 months ago)

CVE-2024-10904

Description: There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 10.9.1 – 11.3 that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

CVSS: MEDIUM (4.8)

EPSS Score: 0.03%

Source: CVE
March 3rd, 2025 (4 months ago)
Description: A complex campaign allows cyberattackers to take over Windows systems by a combining a ClickFix-style attack and sophisticated obfuscation that abuses legitimate Microsoft services.
Source: Dark Reading
March 3rd, 2025 (4 months ago)

CVE-2025-27408

Description: Summary Manifest employs a weak password hashing implementation that uses SHA3 without a salt. This exposes user passwords to a higher risk of being cracked if an attacker gains access to the database. Without the use of a salt, identical passwords across multiple users will result in the same hash, making it easier for attackers to identify and exploit patterns, thereby accelerating the cracking process. Details Analysis of the application source code reveals that user passwords are hashed using the SHA3 algorithm without implementing a unique salt per user. const newUser: AuthenticableEntity = entityRepository.create(signupUserDto) newUser.password = SHA3(newUser.password).toString() This approach results in deterministic password hashes, which can be identified by comparing the hashes for users with matching credentials. PoC Create two users with the same password (it could be admin or any other authenticatable entity) Extract their password hashes from the database Verify that both hashes are identical, confirming the absence of unique salts Impact This is a cryptographic weakness vulnerability that affects all users of the system. The lack of a unique salt when hashing passwords reduces protection against database breaches, as attackers who gain access to the database can more efficiently crack user passwords. Since identical passwords result in identical hashes, attackers can use precomputed hash databases (e.g., Rainbow Tables) or offline brute-force attacks to ...

CVSS: MEDIUM (4.8)

EPSS Score: 0.02%

Source: Github Advisory Database (NPM)
March 3rd, 2025 (4 months ago)

CVE-2025-27414

Description: Summary A bug in evaluating the trust of the SSH key used in an SFTP connection to MinIO allows authentication bypass and unauthorized data access. Details On a MinIO server with SFTP access configured and using LDAP as an external identity provider, MinIO supports SSH key based authentication for SFTP connections when the user has the sshPublicKey attribute set in their LDAP server. The server trusts the client's key only when the public key is the same as the sshPublicKey attribute. Due to the bug, when the user has no sshPublicKey property in LDAP, the server ends up trusting the key allowing the client to perform any FTP operations allowed by the MinIO access policies associated with the LDAP user (or any of their groups). The bug was introduced in https://github.com/minio/minio/commit/91e1487de45720753c9e9e4c02b1bd16b7e452fa. Impact The following requirements must be met to exploit this vulnerability: MinIO server must be configured to allow SFTP access and use LDAP as an external identity provider. Knowledge of an LDAP username that does not have the sshPublicKey property set. Such an LDAP username or one of their groups must also have some MinIO access policy configured. When this bug is successfully exploited, the attacker can perform any FTP operations (i.e. reading, writing, deleting and listing objects) allowed by the access policy associated with the LDAP user account (and their groups). References https://github.com/minio/minio/security/advisories/GHSA-wc79...

CVSS: MEDIUM (4.6)

EPSS Score: 0.16%

Source: Github Advisory Database (Go)
March 3rd, 2025 (4 months ago)