CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2025-0282
Hackers Exploiting Critical Ivanti VPN Code Execution Vulnerability
Description: Ivanti has disclosed a critical zero-day vulnerability (CVE-2025-0282) actively exploited in the wild, affecting Ivanti Connect Secure (ICS) VPN appliances. The flaw, a stack-based buffer overflow, allows unauthenticated remote code execution, potentially compromising entire network infrastructures. Ivanti has released a patch and strongly advises immediate updates to ICS version 22.7R2.5 or higher. The advisory also … The post Hackers Exploiting Critical Ivanti VPN Code Execution Vulnerability appeared first on CyberInsider.

CVSS: CRITICAL (9.0)

EPSS Score: 15.33%

Source: CyberInsider
January 9th, 2025 (6 months ago)

CVE-2025-0282
Ivanti Flaw CVE-2025-0282 Actively Exploited, Impacts Connect Secure and Policy Secure
Description: Ivanti is warning that a critical security flaw impacting Ivanti Connect Secure, Policy Secure, and ZTA Gateways has come under active exploitation in the wild beginning mid-December 2024. The security vulnerability in question is CVE-2025-0282 (CVSS score: 9.0), a stack-based buffer overflow that affects Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2

CVSS: CRITICAL (9.0)

EPSS Score: 15.33%

Source: TheHackerNews
January 9th, 2025 (6 months ago)
India Readies Overhauled National Data Privacy Rules
Description: The country awaits implementation guidelines for a framework that gives Indians greater autonomy and security over their personal data — and recognizes a right to personal privacy.
Source: Dark Reading
January 9th, 2025 (6 months ago)

CVE-2025-22215
VMSA-2025-0001: VMware Aria automation update addresses a server side request forgery vulnerability (CVE-2025-22215)
Description: VMware Aria Automation contains a server-side request forgery (SSRF) vulnerability. A malicious actor with "Organization Member" access to Aria Automation may exploit this vulnerability enumerate internal services running on the host/network.

CVSS: MEDIUM (4.3)

EPSS Score: 0.04%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2025-22145
Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale
Description: Carbon is an international PHP extension for DateTime. Application passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file include, if the application allows users to upload files with .php extension in an folder that allows include or require to read it, then they are at risk of arbitrary code ran on their servers. This vulnerability is fixed in 3.8.4 and 2.72.6.

CVSS: MEDIUM (6.3)

EPSS Score: 0.04%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2025-22143
WeGIA Cross-Site Scripting (XSS) Reflected endpoint 'listar_permissoes.php' parameter 'msg_e'
Description: WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the listar_permissoes.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_e parameter. This vulnerability is fixed in 3.2.8.

CVSS: MEDIUM (6.4)

EPSS Score: 0.04%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2025-22141
WeGIA SQL Injection (Blind Time-Based) endpoint 'verificar_recursos_cargo.php' parameter 'cargo'
Description: WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /dao/verificar_recursos_cargo.php endpoint, specifically in the cargo parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.2.8.

CVSS: CRITICAL (9.4)

EPSS Score: 0.04%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2025-22140
WeGIA SQL Injection (Blind Time-Based) endpoint 'dependente_listar_um.php' parameter 'id_dependente'
Description: WeGIA is a web manager for charitable institutions. A SQL Injection vulnerability was identified in the /html/funcionario/dependente_listar_um.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.2.8.

CVSS: CRITICAL (9.4)

EPSS Score: 0.04%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2025-22139
WeGIA Cross-Site Scripting (XSS) Reflected endpoint `configuracao_geral.php` parameter `msg`
Description: WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the configuracao_geral.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. This vulnerability is fixed in 3.2.8.

CVSS: MEDIUM (6.4)

EPSS Score: 0.04%

Source: CVE
January 9th, 2025 (6 months ago)

CVE-2025-22137
Arbitrary File Overwrite via HTTP POST in Pingvin Share
Description: Pingvin Share is a self-hosted file sharing platform and an alternative for WeTransfer. This vulnerability allows an authenticated or unauthenticated (if anonymous shares are allowed) user to overwrite arbitrary files on the server, including sensitive system files, via HTTP POST requests. The issue has been patched in version 1.4.0.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
January 9th, 2025 (6 months ago)