CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2025-48877 |
Description: Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitrary JS in the iframe scope, which is unintended. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. As a workaround, the Codepen prefix can be removed from a site's `allowed_iframes`.
CVSS: HIGH (8.1) EPSS Score: 0.06%
June 9th, 2025 (18 days ago)
|
|
CVE-2025-48062 |
Description: Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML. This includes inviting someone (without an account) to a PM and inviting someone (without an account) to a topic with a custom message. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. This can be worked around if the relevant templates are overridden without `{topic_title}`.
CVSS: HIGH (7.1) EPSS Score: 0.04%
June 9th, 2025 (18 days ago)
|
|
CVE-2025-48053 |
Description: Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, sending a malicious URL in a PM to a bot user can cause a reduced the availability of a Discourse instance. This issue is patched in version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch. No known workarounds are available.
CVSS: HIGH (8.7) EPSS Score: 0.06%
June 9th, 2025 (18 days ago)
|
|
CVE-2025-40670 |
Description: Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser.
CVSS: HIGH (7.1) EPSS Score: 0.04%
June 9th, 2025 (18 days ago)
|
|
CVE-2025-40669 |
Description: Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to modify the permissions held by each of the application's users, including the user himself by sending a POST request to /PC/Options.aspx?Command=2&Page=-1.
CVSS: HIGH (7.1) EPSS Score: 0.03%
June 9th, 2025 (18 days ago)
|
|
CVE-2025-40668 |
Description: Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an attacker, with low privilege level, to change the password of other users through a POST request using the parameters idUser, PasswordActual, PasswordNew and PasswordNewRepeat in /PC/WebService.aspx/validateChangePassword%C3%B1a. To exploit the vulnerability the PasswordActual parameter must be empty.
CVSS: HIGH (7.1) EPSS Score: 0.04%
June 9th, 2025 (18 days ago)
|
|
CVE-2024-42367 |
Description: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In versions on the 3.10 branch prior to version 3.10.2, static routes which contain files with compressed variants (`.gz` or `.br` extension) are vulnerable to path traversal outside the root directory if those variants are symbolic links. The server protects static routes from path traversal outside the root directory when `follow_symlinks=False` (default). It does this by resolving the requested URL to an absolute path and then checking that path relative to the root. However, these checks are not performed when looking for compressed variants in the `FileResponse` class, and symbolic links are then automatically followed when performing the `Path.stat()` and `Path.open()` to send the file. Version 3.10.2 contains a patch for the issue.
CVSS: MEDIUM (4.8) EPSS Score: 0.24% SSVC Exploitation: none
June 9th, 2025 (18 days ago)
|
|
Description: EUC Zealand was established in 1999 through a merger between the technical schools in Køge, Haslev and Næstved and has since been expanded with two centers for labor market education. Today, EUC Zealand has branches in Næstved, Køge, Haslev and Greve.
June 9th, 2025 (18 days ago)
|
|
Description: Skyvern through 0.2.0 has a Jinja runtime leak in sdk/workflow/models/block.py.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-49619
https://github.com/Skyvern-AI/skyvern/commit/db856cd8433a204c8b45979c70a4da1e119d949d
https://cristibtz.github.io/posts/CVE-2025-49619
https://github.com/advisories/GHSA-h92g-3xc3-ww2r
CVSS: HIGH (8.5) EPSS Score: 0.34%
June 9th, 2025 (18 days ago)
|
|
|
Description: Summary
The env and expandenv template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the {{ env }} template expression to capture sensitive environment variables.
Upgrade to v5.0.2 to mitigate.
Demonstration
Description
A critical template injection vulnerability exists in Listmonk's campaign preview functionality that allows authenticated users with minimal privileges (campaigns:get & campaigns:get_all) to extract sensitive system data, including database credentials, SMTP passwords, and admin credentials due to some dangerous function being allowed.
Proof of Concept
Create a user and give him campaigns:get and campaigns:get_all privileges
Now login with that user, go to any campaign, go the Content section and here lies the vulnerability, we're able to execute template content which allows us to get environment variables, execute Sprig functions...
Now in the text field you can input the following and press Preview:
{{ env "AWS_KEY" }}
{{ env "LISTMONK_db__user" }}
{{ env "LISTMONK_db__password" }}
Preview:
I had the AWS_KEY variable set like that to confirm the vulnerability:
Impact
Through these environment variables the attacker can access, they can fully compromise the database, cloud accounts, admin credentials, and more dependi...
June 9th, 2025 (18 days ago)
|