Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-0341 |
Description: A vulnerability was found in Inis up to 2.0.1. It has been rated as problematic. This issue affects some unknown processing of the file /app/api/controller/default/File.php of the component GET Request Handler. The manipulation of the argument path leads to path traversal: '../filedir'. The exploit has been disclosed to the public and may be used. The identifier VDB-250109 was assigned to this vulnerability. Eine Schwachstelle wurde in Inis bis 2.0.1 ausgemacht. Sie wurde als problematisch eingestuft. Hierbei geht es um eine nicht exakt ausgemachte Funktion der Datei /app/api/controller/default/File.php der Komponente GET Request Handler. Mit der Manipulation des Arguments path mit unbekannten Daten kann eine path traversal: '../filedir'-Schwachstelle ausgenutzt werden. Der Exploit steht zur öffentlichen Verfügung.
CVSS: LOW (3.5) EPSS Score: 0.42% SSVC Exploitation: none
April 17th, 2025 (2 days ago)
|
|
CVE-2024-0206 |
Description:
A symbolic link manipulation vulnerability in Trellix Anti-Malware Engine prior to the January 2024 release allows an authenticated local user to potentially gain an escalation of privileges. This was achieved by adding an entry to the registry under the Trellix ENS registry folder with a symbolic link to files that the user wouldn't normally have permission to. After a scan, the Engine would follow the links and remove the files
CVSS: HIGH (7.1) EPSS Score: 0.12% SSVC Exploitation: none
April 17th, 2025 (2 days ago)
|
|
Description: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
CVSS: CRITICAL (10.0) EPSS Score: 0.39%
April 17th, 2025 (2 days ago)
|
|
Description: A new report from iVerify has revealed a far-reaching global surveillance threat enabled by China’s state-owned telecom interconnect providers. By exploiting outdated mobile signaling protocols, entities such as China Mobile International (CMI) and China Telecom Global have gained alarming access to sensitive mobile communications worldwide, with implications ranging from mass user profiling to covert malware …
The post Global Telecom Networks Host Hidden Chinese Surveillance Nodes appeared first on CyberInsider.
April 17th, 2025 (2 days ago)
|
|
Description: Founded in 1964, AccessSMT Holdings is a leading supplier, installer, and project management company that offers hardware, doors, frames, and building materials for the commercial, residential sectors. AccessSMT Holdings is located in Canada. ...
April 17th, 2025 (2 days ago)
|
|
Description: According to a complaint filed by a former employee, cybercriminals exfiltrated records that held personal information like names and Social Security numbers belonging to 76,000 current and former employees of Paradies Shops.
April 17th, 2025 (2 days ago)
|
|
CVE-2024-37036 |
Description: View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Sage series
Vulnerabilities: Out-of-bounds Write, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Incorrect Default Permissions, Unchecked Return Value, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Out-of-bounds Read
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to compromise the impacted device, leading to loss of data, loss of operation, or impacts to the performance of the device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
Sage 1410: Versions C3414-500-S02K5_P8 and prior
Sage 1430: Versions C3414-500-S02K5_P8 and prior
Sage 1450: Versions C3414-500-S02K5_P8 and prior
Sage 2400: Versions C3414-500-S02K5_P8 and prior
Sage 4400: Versions C3414-500-S02K5_P8 and prior
Sage 3030 Magnum: Versions C3414-500-S02K5_P8 and prior
3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
An out-of-bounds write vulnerability exists that could result in an authentication bypass when sending a malformed POST request and particular configuration parameters are set.
CVE-2024-37036 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculate...
CVSS: CRITICAL (9.8)
April 17th, 2025 (2 days ago)
|
|
CVE-2025-2440 |
Description: View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 5.4
ATTENTION: Low attack complexity
Vendor: Schneider Electric
Equipment: Trio Q Licensed Data Radio
Vulnerabilities: Insecure Storage of Sensitive Information, Initialization of a Resource with an Insecure Default
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to access confidential information, compromise the integrity, or affect the availability of the affected product.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
Schneider Electric Trio Q Licensed Data Radio: Versions prior to 2.7.2
3.2 VULNERABILITY OVERVIEW
3.2.1 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922
An insecure storage of sensitive information vulnerability exists that could potentially lead to unauthorized access to confidential data when a malicious user with physical access and advanced knowledge of the filesystem sets the radio to factory default mode.
CVE-2025-2440 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2440. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188
An incorrect initialization of resource vulnerability exists ...
CVSS: MEDIUM (4.1) EPSS Score: 0.02%
April 17th, 2025 (2 days ago)
|
|
CVE-2025-1863 |
Description: View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Yokogawa
Equipment: GX10, GX20, GP10, GP20, GM Data Acquisition System, DX1000, DX2000, DX1000N, FX1000, μR10000, μR20000, MW100, DX1000T, DX2000T, CX1000, CX2000
Vulnerability: Missing Authentication for Critical Function
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to manipulate information on the affected products.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Yokogawa recorder products are affected:
GX10 / GX20 / GP10 / GP20 Paperless Recorders: Versions R5.04.01 and earlier
GM Data Acquisition System: Versions R5.05.01 and earlier
DX1000 / DX2000 / DX1000N Paperless Recorders: Versions R4.21 and earlier
FX1000 Paperless Recorders: Versions R1.31 and earlier
μR10000 / μR20000 Chart Recorders: Versions R1.51 and earlier
MW100 Data Acquisition Units: All versions
DX1000T / DX2000T Paperless Recorders: All versions
CX1000 / CX2000 Paperless Recorders: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
Authentication is disabled by default on the affected products. When connected to a network with default settings, this could allow anyone to access all functions related to settings and operations. As a result, an attacker can illegally manipulate and configure important data such as measured values and settings.
CVE-2025-1863 has been assigned to this v...
EPSS Score: 0.05%
April 17th, 2025 (2 days ago)
|
|
CVE-2025-2222 |
Description: View CSAF
1. EXECUTIVE SUMMARY
CVSS v4 8.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: ConneXium Network Manager
Vulnerabilities: Files or Directories Accessible to External Parties, Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to access sensitive data, escalate privileges, or perform remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:
Schneider Electric ConneXium Network Manager: Version 2.0.01 (CVE-2025-2222)
Schneider Electric ConneXium Network Manager: All versions (CVE-2025-2223)
3.2 VULNERABILITY OVERVIEW
3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552
CWE-552: Files or Directories Accessible to External Parties vulnerability over https exists that could leak information and potential privilege escalation following a Man-In-The-Middle attack.
CVE-2025-2222 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2222. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 IMPROPER INPUT VALIDATION CWE-20
CWE-20: Improper Input Validation vulnerability exists that could cause a loss of confidentiality, ...
CVSS: HIGH (8.2) EPSS Score: 0.03%
April 17th, 2025 (2 days ago)
|