CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-0521 |
Description: The Post SMTP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the from and subject parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: HIGH (7.2) EPSS Score: 0.08%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-0425 |
Description: Via the GUI of the "bestinformed Infoclient", a low-privileged user is by default able to change the server address of the "bestinformed Server" to which this client connects. This is dangerous as the "bestinformed Infoclient" runs with elevated permissions ("nt authority\system"). By changing the server address to a malicious server, or a script simulating a server, the user is able to escalate his privileges by abusing certain features of the "bestinformed Web" server. Those features include:
* Pushing of malicious update packages
* Arbitrary Registry Read as "nt authority\system"
An attacker is able to escalate his privileges to "nt authority\system" on the Windows client running the "bestinformed Infoclient".
This attack is not possible if a custom configuration ("Infoclient.ini") containing the flags "ShowOnTaskbar=false" or "DisabledItems=stPort,stAddress" is deployed.
CVSS: HIGH (8.5) EPSS Score: 0.01%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-0424 |
Description: In the "bestinformed Web" application, some user input was not properly sanitized. This leads to multiple authenticated stored cross-site scripting vulnerabilities. An authenticated attacker is able to compromise the sessions of other users on the server by injecting JavaScript code into their session using an "Authenticated Stored Cross-Site Scripting". Those other users might have more privileges than the attacker, enabling a form of horizontal movement.
CVSS: MEDIUM (5.1) EPSS Score: 0.08%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-0423 |
Description: In the "bestinformed Web" application, some user input was not properly sanitized. This leads to multiple unauthenticated stored cross-site scripting vulnerabilities. An unauthenticated attacker is able to compromise the sessions of users on the server by injecting JavaScript code into their session using an "Unauthenticated Stored Cross-Site Scripting". The attacker is then able to ride the session of those users and can abuse their privileges on the "bestinformed Web" application.
CVSS: MEDIUM (5.3) EPSS Score: 0.12%
February 19th, 2025 (5 months ago)
|
|
CVE-2025-0422 |
Description: An authenticated user in the "bestinformed Web" application can execute commands on the underlying server running the application. (Remote Code Execution) For this, the user must be able to create "ScriptVars" with the type „script" and preview them by, for example, creating a new "Info". By default, admin users have those permissions, but with the granular permission system, those permissions may be assigned to other users. An attacker is able to execute commands on the server running the "bestinformed Web" application if an account with the correct permissions was compromised before.
CVSS: HIGH (8.6) EPSS Score: 0.11%
February 19th, 2025 (5 months ago)
|
|
CVE-2024-5953 |
Description: A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password.
EPSS Score: 0.6%
February 19th, 2025 (5 months ago)
|
|
CVE-2024-57964 |
Description: Insecure Loading of Dynamic Link Libraries have been discovered in HVAC Energy Saving Program, which could allow local attackers to potentially disclose information or execute arbitray code on affected systems.
This issue affects HVAC Energy Saving Program:.
CVSS: HIGH (7.3) EPSS Score: 0.01%
February 19th, 2025 (5 months ago)
|
|
CVE-2024-57963 |
Description: Insecure Loading of Dynamic Link Libraries have been discovered in USB-CONVERTERCABLE DRIVER, which could allow local attackers to potentially disclose information or execute arbitray code on affected systems.
This issue affects USB-CONVERTERCABLE DRIVER:.
CVSS: HIGH (7.3) EPSS Score: 0.01%
February 19th, 2025 (5 months ago)
|
|
CVE-2024-57259 |
Description: sqfs_search_dir in Das U-Boot before 2025.01-rc1 exhibits an off-by-one error and resultant heap memory corruption for squashfs directory listing because the path separator is not considered in a size calculation.
EPSS Score: 0.03%
February 19th, 2025 (5 months ago)
|
|
CVE-2024-57258 |
Description: Integer overflows in memory allocation in Das U-Boot before 2025.01-rc1 occur for a crafted squashfs filesystem via sbrk, via request2size, or because ptrdiff_t is mishandled on x86_64.
EPSS Score: 0.04%
February 19th, 2025 (5 months ago)
|