CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-0904
PDF-XChange Editor XPS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
Description: PDF-XChange Editor XPS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XPS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-25422.

CVSS: LOW (3.3)

EPSS Score: 0.09%

Source: CVE
February 12th, 2025 (5 months ago)

CVE-2025-0903
PDF-XChange Editor RTF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
Description: PDF-XChange Editor RTF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of RTF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25421.

CVSS: HIGH (7.8)

EPSS Score: 0.09%

Source: CVE
February 12th, 2025 (5 months ago)

CVE-2025-0902
PDF-XChange Editor XPS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
Description: PDF-XChange Editor XPS File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XPS files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-25405.

CVSS: LOW (3.3)

EPSS Score: 0.09%

Source: CVE
February 12th, 2025 (5 months ago)

CVE-2025-0901
PDF-XChange Editor Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability
Description: PDF-XChange Editor Doc Object Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of Doc objects. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25372.

CVSS: HIGH (7.8)

EPSS Score: 0.09%

Source: CVE
February 12th, 2025 (5 months ago)

CVE-2025-0899
PDF-XChange Editor AcroForm Use-After-Free Remote Code Execution Vulnerability
Description: PDF-XChange Editor AcroForm Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of AcroForms. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25349.

CVSS: HIGH (7.8)

EPSS Score: 0.09%

Source: CVE
February 12th, 2025 (5 months ago)

CVE-2025-0862
SuperSaaS – online appointment scheduling <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via after Parameter
Description: The SuperSaaS – online appointment scheduling plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘after’ parameter in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is limited to Chromium-based browsers (e.g. Chrome, Edge, Brave).

CVSS: MEDIUM (4.9)

EPSS Score: 0.07%

Source: CVE
February 12th, 2025 (5 months ago)

CVE-2025-0589
In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to...
Description: In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.

CVSS: MEDIUM (6.9)

EPSS Score: 0.04%

Source: CVE
February 12th, 2025 (5 months ago)

CVE-2025-0588
In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By...
Description: In affected versions of Octopus Server it was possible for a user with sufficient access to set custom headers in all server responses. By submitting a specifically crafted referrer header the user could ensure that all subsequent server responses would return 500 errors rendering the site mostly unusable. The user would be able to subsequently set and unset the referrer header to control the denial of service state with a valid CSRF token whilst new CSRF tokens could not be generated.

CVSS: MEDIUM (5.9)

EPSS Score: 0.04%

Source: CVE
February 12th, 2025 (5 months ago)

CVE-2025-0526
In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked...
Description: In affected versions of Octopus Deploy it was possible to upload files to unexpected locations on the host using an API endpoint. The field lacked validation which could potentially result in ways to circumvent expected workflows.

CVSS: LOW (2.3)

EPSS Score: 0.04%

Source: CVE
February 12th, 2025 (5 months ago)

CVE-2025-0525
In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide...
Description: In affected versions of Octopus Server the preview import feature could be leveraged to identify the existence of a target file. This could provide an adversary with information that may aid in further attacks against the server.

CVSS: LOW (2.3)

EPSS Score: 0.04%

Source: CVE
February 12th, 2025 (5 months ago)