CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: D-Link has issued a security warning regarding a severe vulnerability in its DCS-8300LHv2 WiFi camera, which exposes sensitive credentials, including WiFi passwords and administrative access details. The flaw, originally discovered by cybersecurity researcher Alexis Lingad, affects all hardware revisions of the camera and remains unpatched due to the device reaching End-of-Life (EOL) and End-of-Service (EOS) …
The post D-Link Warns of Critical Security Flaw in Popular WiFi Camera appeared first on CyberInsider.
February 27th, 2025 (4 months ago)
|
CVE-2025-1690 |
Description: The ThemeMakers Stripe Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'stripe' shortcode in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.02%
February 27th, 2025 (4 months ago)
|
|
CVE-2025-1282 |
Description: The Car Dealer Automotive WordPress Theme – Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_post_photo() and add_car() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The add_car() function may also make it possible to read arbitrary files.
CVSS: HIGH (8.8) EPSS Score: 0.35%
February 27th, 2025 (4 months ago)
|
|
CVE-2023-20118 |
Description: A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since at least the end of 2023.
French cybersecurity company Sekoia said it observed the unknown threat actors leveraging CVE-2023-20118 (CVSS score: 6.5), a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and
CVSS: MEDIUM (6.5)
February 27th, 2025 (4 months ago)
|
|
CVE-2025-1717 |
Description: The Login Me Now plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.7.2. This is due to insecure authentication based on an arbitrary transient name in the 'AutoLogin::listen()' function. This makes it possible for unauthenticated attackers to log in an existing user on the site, even an administrator. Note: this vulnerability requires using a transient name and value from another software, so the plugin is not inherently vulnerable on it's own.
CVSS: HIGH (8.1) EPSS Score: 0.11%
February 27th, 2025 (4 months ago)
|
|
CVE-2024-5848 |
Description: A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious JavaScript.
Successful exploitation could lead to UI manipulation, redirection to malicious websites, or data exfiltration from the browser. While session-related sensitive cookies are protected with the httpOnly flag, mitigating session hijacking risks, the impact may vary depending on gateway-level service restrictions.
CVSS: MEDIUM (6.1) EPSS Score: 0.03%
February 27th, 2025 (4 months ago)
|
|
CVE-2024-0392 |
Description: A Cross-Site Request Forgery (CSRF) vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the absence of CSRF token validation. This flaw allows attackers to craft malicious requests that can trigger state-changing operations on behalf of an authenticated user, potentially compromising account settings and data integrity. The vulnerability only affects a limited set of state-changing operations, and successful exploitation requires social engineering to trick a user with access to the management console into performing the malicious action.
CVSS: MEDIUM (5.4) EPSS Score: 0.01%
February 27th, 2025 (4 months ago)
|
|
|
Description: The U.S. Federal Bureau of Investigation (FBI) formally linked the record-breaking $1.5 billion Bybit hack to North Korean threat actors, as the company's CEO Ben Zhou declared a "war against Lazarus."
The agency said the Democratic People's Republic of Korea (North Korea) was responsible for the theft of the virtual assets from the cryptocurrency exchange, attributing it to a specific cluster
February 27th, 2025 (4 months ago)
|
|
|
February 27th, 2025 (4 months ago)
|
|
CVE-2025-1689 |
Description: The ThemeMakers PayPal Express Checkout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'paypal' shortcode in versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.02%
February 27th, 2025 (4 months ago)
|