
Threat and Vulnerability Intelligence Database

CVE-2025-24458

Description: In JetBrains YouTrack before 2024.3.55417, account takeover was possible via a spoofed email and the Helpdesk integration.

CVSS: HIGH (7.1)

EPSS Score: 0.05%

Source: CVE
January 22nd, 2025 (6 months ago)

CVE-2025-24457

Description: In JetBrains YouTrack before 2024.3.55417, permanent tokens could be exposed in logs.

CVSS: MEDIUM (5.5)

EPSS Score: 0.04%

Source: CVE
January 22nd, 2025 (6 months ago)

CVE-2025-24456

Description: In JetBrains Hub before 2024.3.55417, privilege escalation was possible via LDAP authentication mapping.

CVSS: MEDIUM (6.7)

EPSS Score: 0.05%

Source: CVE
January 22nd, 2025 (6 months ago)

CVE-2025-24024

Description: Mjolnir is a moderation tool for Matrix. Mjolnir v1.9.0 responds to management commands from any room the bot is a member of. This can allow users who aren't operators of the bot to use the bot's functions, including server administration components if enabled. Version 1.9.1 reverts the feature that introduced the bug, and version 1.9.2 reintroduces the feature safely. Downgrading to version 1.8.3 is recommended if upgrading to 1.9.1 or higher isn't possible.

CVSS: CRITICAL (9.1)

EPSS Score: 0.05%

Source: CVE
January 22nd, 2025 (6 months ago)

CVE-2025-24020

Description: WeGIA is a web manager for charitable institutions. An Open Redirect vulnerability was identified in the `control.php` endpoint of versions up to and including 3.2.10 of the WeGIA application. The `nextPage` parameter can be manipulated to redirect authenticated users to arbitrary external URLs without validation. The issue stems from the lack of validation of the `nextPage` parameter, which accepts external URLs as redirection destinations. This vulnerability can be exploited to perform phishing attacks or redirect users to malicious websites. Version 3.2.11 contains a fix for the issue.

CVSS: MEDIUM (4.8)

EPSS Score: 0.05%

Source: CVE
January 22nd, 2025 (6 months ago)

CVE-2025-24019

Description: YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for any authenticated user, through the file manager, to delete any file owned by the user running the FastCGI Process Manager (FPM) on the host, without any limitation on the filesystem's scope. This vulnerability allows any authenticated user to arbitrarily remove content from the wiki, resulting in partial loss of data and defacement/deterioration of the website. In the context of an unmodified container installation of YesWiki, the `yeswiki` files (for example .php) are not owned by the same user (root) as the one running the FPM process (www-data). However, in a standard installation, www-data may also be the owner of the PHP files, allowing a malicious user to completely cut off access to the wiki by deleting all important PHP files (like index.php or core files of YesWiki). Version 4.5.0 contains a patch for this issue.

CVSS: HIGH (7.1)

EPSS Score: 0.04%

Source: CVE
January 22nd, 2025 (6 months ago)

CVE-2025-24018

Description: YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. The vulnerability makes use of the content editing feature, and more specifically of the `{{attach}}` component, which allows users to attach files/media to a page. When a file is attached using the `{{attach}}` component, if the resource named in the `file` attribute doesn't exist, the server generates a file upload button containing the filename. This vulnerability allows any malicious authenticated user with the right to create a comment or edit a page to steal accounts and therefore modify pages, comments and permissions and extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue.

CVSS: HIGH (7.6)

EPSS Score: 0.05%

Source: CVE
January 22nd, 2025 (6 months ago)

CVE-2025-24017

Description: YesWiki is a wiki system written in PHP. Versions up to and including 4.4.5 are vulnerable to any end user crafting a DOM-based XSS on all of YesWiki's pages, which is triggered when a user clicks on a malicious link. The vulnerability makes use of the search-by-tag feature. When a tag doesn't exist, the tag is reflected on the page and isn't properly sanitized on the server side, which allows a malicious user to generate a link that will trigger an XSS on the client's side when clicked. This vulnerability allows any user to generate a malicious link that will trigger an account takeover when clicked, therefore allowing a user to steal other accounts, modify pages, comments and permissions, and extract user data (emails), thus impacting the integrity, availability and confidentiality of a YesWiki instance. Version 4.5.0 contains a patch for the issue.

CVSS: HIGH (7.6)

EPSS Score: 0.04%

Source: CVE
January 22nd, 2025 (6 months ago)

CVE-2025-24012

Description: Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, authenticated users are able to exploit a cross-site scripting vulnerability when viewing certain localized backoffice components. Versions 14.3.2 and 15.1.2 contain a patch.

CVSS: MEDIUM (4.6)

EPSS Score: 0.04%

Source: CVE
January 22nd, 2025 (6 months ago)

CVE-2025-24011

Description: Umbraco is a free and open source .NET content management system. Starting in version 14.0.0 and prior to versions 14.3.2 and 15.1.2, it's possible to determine whether an account exists based on an analysis of response codes and timing of Umbraco management API responses. Versions 14.3.2 and 15.1.2 contain a patch. No known workarounds are available.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
January 22nd, 2025 (6 months ago)