CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-1042
Files or Directories Accessible to External Parties in GitLab
Description: An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way.

CVSS: MEDIUM (4.9)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025 (5 months ago)

CVE-2025-0972
Zenvia Movidesk New Ticket cross site scripting
Description: A vulnerability classified as problematic has been found in Zenvia Movidesk up to 25.01.22. This affects an unknown part of the component New Ticket Handler. The manipulation of the argument subject leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 25.01.22.245a473c54 is able to address this issue. It is recommended to upgrade the affected component. Es wurde eine Schwachstelle in Zenvia Movidesk bis 25.01.22 entdeckt. Sie wurde als problematisch eingestuft. Dabei betrifft es einen unbekannter Codeteil der Komponente New Ticket Handler. Durch die Manipulation des Arguments subject mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung. Ein Aktualisieren auf die Version 25.01.22.245a473c54 vermag dieses Problem zu lösen. Als bestmögliche Massnahme wird das Einspielen eines Upgrades empfohlen.

CVSS: MEDIUM (5.3)

EPSS Score: 0.07%

Source: CVE
February 13th, 2025 (5 months ago)

CVE-2025-0937
Nomad Vulnerable To Event Stream Namespace ACL Policy Bypass Through Wildcard Namespace
Description: Nomad Community and Nomad Enterprise ("Nomad") event stream configured with a wildcard namespace can bypass the ACL Policy allowing reads on other namespaces.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025 (5 months ago)

CVE-2025-0808
Houzez Property Feed <= 2.4.21 - Cross-Site Request Forgery to Property Feed Export Deletion
Description: The Houzez Property Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.21. This is due to missing or incorrect nonce validation on the "deleteexport" action. This makes it possible for unauthenticated attackers to delete property feed exports via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
February 13th, 2025 (5 months ago)

CVE-2025-0556
Telerik Report Server Clear Text Transmission of Agent Commands
Description: In Progress® Telerik® Report Server, versions prior to 2025 Q1 (11.0.25.211) when using the older .NET Framework implementation, communication of non-sensitive information between the service agent process and app host process occurs over an unencrypted tunnel, which can be subjected to local network traffic sniffing.

CVSS: HIGH (8.8)

EPSS Score: 0.09%

Source: CVE
February 13th, 2025 (5 months ago)

CVE-2025-0516
Incorrect Authorization in GitLab
Description: Improper Authorization in GitLab CE/EE affecting all versions from 17.7 prior to 17.7.4, 17.8 prior to 17.8.2 allow users with limited permissions to perform unauthorized actions on critical project data.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025 (5 months ago)

CVE-2025-0511
Welcart e-Commerce <= 2.11.9 - Unauthenticated Stored Cross-Site Scripting via name Parameter
Description: The Welcart e-Commerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 2.11.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: HIGH (7.2)

EPSS Score: 0.05%

Source: CVE
February 13th, 2025 (5 months ago)

CVE-2025-0506
Rise Blocks – A Complete Gutenberg Page Builder <= 3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via TitleTag Parameter
Description: The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the titleTag parameter in all versions up to, and including, 3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
February 13th, 2025 (5 months ago)

CVE-2025-0376
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab
Description: An XSS vulnerability exists in GitLab CE/EE affecting all versions from 13.3 prior to 17.6.5, 17.7 prior to 17.7.4 and 17.8 prior to 17.8.2 that allows an attacker to execute unauthorized actions via a change page.

CVSS: HIGH (8.7)

EPSS Score: 0.04%

Source: CVE
February 13th, 2025 (5 months ago)

CVE-2025-0332
Progress UI for WinForms decompression path traversal vulnerability
Description: In Progress® Telerik® UI for WinForms, versions prior to 2025 Q1 (2025.1.211), using the improper limitation of a target path can lead to decompressing an archive's content into a restricted directory.

CVSS: HIGH (7.8)

EPSS Score: 0.09%

Source: CVE
February 13th, 2025 (5 months ago)