![]() |
Description: In February 2025, the spyware service Spyzie suffered a data breach along with sibling spyware services, Spyic and Cocospy. The Spyzie breach alone exposed almost 519k customer email addresses which were provided to HIBP, and reportedly also enabled unauthorised access to captured messages, photos, call logs, and more. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".
February 28th, 2025 (4 months ago)
|
CVE-2025-25729 |
Description: An information disclosure vulnerability in Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 allows attackers to obtain hardcoded cleartext credentials via the update or boot process.
EPSS Score: 0.04%
February 28th, 2025 (4 months ago)
|
CVE-2025-25728 |
Description: Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to send communications to the update API in plaintext, allowing attackers to access sensitive information via a man-in-the-middle attack.
EPSS Score: 0.01%
February 28th, 2025 (4 months ago)
|
CVE-2025-25727 |
Description: Bosscomm IF740 Firmware versions:11001.7078 & v11001.0000 and System versions: 6.25 & 6.00 were discovered to store passwords in cleartext.
EPSS Score: 0.02%
February 28th, 2025 (4 months ago)
|
CVE-2025-25477 |
Description: A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser.
EPSS Score: 0.03%
February 28th, 2025 (4 months ago)
|
CVE-2025-24832 |
Description: Arbitrary file overwrite during home directory recovery due to improper symbolic link handling. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 1.8.4.866, Acronis Backup plugin for cPanel & WHM (Linux) before build 1.9.1.892, Acronis Backup extension for Plesk (Linux) before build 1.8.7.615.
CVSS: MEDIUM (4.4) EPSS Score: 0.02%
February 28th, 2025 (4 months ago)
|
CVE-2025-1687 |
Description: The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS: HIGH (8.8) EPSS Score: 0.02%
February 28th, 2025 (4 months ago)
|
CVE-2025-1682 |
Description: The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user role.
CVSS: HIGH (8.8) EPSS Score: 0.04%
February 28th, 2025 (4 months ago)
|
CVE-2025-1681 |
Description: The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files.
CVSS: MEDIUM (5.4) EPSS Score: 0.04%
February 28th, 2025 (4 months ago)
|
CVE-2024-12811 |
Description: The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
CVSS: HIGH (8.8) EPSS Score: 0.1%
February 28th, 2025 (4 months ago)
|