CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-25471 |
Description: FFmpeg git master before commit fd1772 was discovered to contain a NULL pointer dereference via the component libavformat/mov.c.
EPSS Score: 0.02%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-25469 |
Description: FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/iamf.c.
EPSS Score: 0.04%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-25468 |
Description: FFmpeg git-master before commit d5873b was discovered to contain a memory leak in the component libavutil/mem.c.
EPSS Score: 0.04%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-25467 |
Description: Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file.
EPSS Score: 0.11%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-25305 |
Description: Home Assistant Core is an open source home automation that puts local control and privacy first. Affected versions are subject to a potential man-in-the-middle attacks due to missing SSL certificate verification in the project codebase and used third-party libraries. In the past, `aiohttp-session`/`request` had the parameter `verify_ssl` to control SSL certificate verification. This was a boolean value. In `aiohttp` 3.0, this parameter was deprecated in favor of the `ssl` parameter. Only when `ssl` is set to `None` or provided with a correct configured SSL context the standard SSL certificate verification will happen. When migrating integrations in Home Assistant and libraries used by Home Assistant, in some cases the `verify_ssl` parameter value was just moved to the new `ssl` parameter. This resulted in these integrations and 3rd party libraries using `request.ssl = True`, which unintentionally turned off SSL certificate verification and opened up a man-in-the-middle attack vector. This issue has been addressed in version 2024.1.6 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: HIGH (7.0) EPSS Score: 0.03%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-25300 |
Description: smartbanner.js is a customizable smart app banner for iOS and Android. Prior to version 1.14.1, clicking on smartbanner `View` link and navigating to 3rd party page leaves `window.opener` exposed. It may allow hostile third parties to abuse `window.opener`, e.g. by redirection or injection on the original page with smartbanner. `rel="noopener"` is automatically populated to links as of `v1.14.1` which is a recommended upgrade to resolve the vulnerability. Some workarounds are available for those who cannot upgrade. Ensure `View` link is only taking users to App Store or Google Play Store where security is guarded by respective app store security teams. If `View` link is going to a third party page, limit smartbanner.js to be used on iOS that decreases the scope of the vulnerability since as of Safari 12.1, `rel="noopener"` is imposed on all `target="_blank"` links. Version 1.14.1 of smartbanner.js contains a fix for the issue.
CVSS: LOW (1.3) EPSS Score: 0.06%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-25284 |
Description: The ZOO-Project is an open source processing platform, released under MIT/X11 Licence. A vulnerability in ZOO-Project's WPS (Web Processing Service) implementation allows unauthorized access to files outside the intended directory through path traversal. Specifically, the Gdal_Translate service, when processing VRT (Virtual Format) files, does not properly validate file paths referenced in the VRTRasterBand element, allowing attackers to read arbitrary files on the system. The vulnerability exists because the service doesn't properly sanitize the SourceFilename parameter in VRT files, allowing relative path traversal sequences (../). When combined with VRT's raw data handling capabilities, this allows reading arbitrary files as raw binary data and converting them to TIFF format, effectively exposing their contents. This vulnerability is particularly severe because it allows attackers to read sensitive system files, potentially exposing configuration data, credentials, or other confidential information stored on the server. An unauthenticated attacker can read arbitrary files from the system through path traversal, potentially accessing sensitive information such as configuration files, credentials, or other confidential data stored on the server. The vulnerability requires no authentication and can be exploited remotely through the WPS service. This issue has been addressed in commit `5f155a8` and all users are advised to upgrade. There are no known workarounds for this vu...
CVSS: HIGH (8.7) EPSS Score: 0.13%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-25224 |
Description: The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a missing authentication vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
CVSS: MEDIUM (5.3) EPSS Score: 0.13%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-25223 |
Description: The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains a path traversal vulnerability in dloader.php. If this vulnerability is exploited, arbitrary files on a server may be obtained.
CVSS: MEDIUM (5.8) EPSS Score: 0.06%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-25222 |
Description: The LuxCal Web Calendar prior to 5.3.3M (MySQL version) and prior to 5.3.3L (SQLite version) contains an SQL injection vulnerability in retrieve.php. If this vulnerability is exploited, information in a database may be deleted, altered, or retrieved.
CVSS: HIGH (7.3) EPSS Score: 0.04%
February 19th, 2025 (5 months ago)
|