CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

Description: Waiwhetū Medical Centre operates under the korowai of Te Rūnganganui o Te Āti Awa. The team apply a whānau approach to deliver wrap-around support services that aim to identify and meet the needs of whānau living in Te Awa Kairangi.
Source: Ransomware.live
June 7th, 2025 (about 1 month ago)

CVE-2025-5303

Description: The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expiry_date parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: HIGH (7.2)

EPSS Score: 0.12%

Source: CVE
June 7th, 2025 (about 1 month ago)

CVE-2025-5399

Description: Due to a mistake in libcurl's WebSocket code, a malicious server can send a particularly crafted packet which makes libcurl get trapped in an endless busy-loop. There is no other way for the application to escape or exit this loop other than killing the thread/process. This might be used to DoS libcurl-using applications.

CVSS: HIGH (7.5)

EPSS Score: 0.05%

Source: CVE
June 7th, 2025 (about 1 month ago)

Description: In June 2022, the Japanese record chain store Disk Union suffered a data breach. The incident exposed 690k unique email addresses along with names, post codes, phone numbers and plain text passwords.
Source: HaveIBeenPwnedLatestBreaches
June 7th, 2025 (about 1 month ago)

CVE-2025-5814

Description: The Profiler – What Slowing Down Your WP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpsd_plugin_control() function in all versions up to, and including, 1.0.0. This makes it possible for unauthenticated attackers to reactivate previously deactivated plugins after accessing the "Profiler" page.

CVSS: MEDIUM (5.3)

EPSS Score: 0.07%

Source: CVE
June 7th, 2025 (about 1 month ago)

CVE-2025-47601

Description: Missing Authorization vulnerability in Christiaan Pieterse MaxiBlocks allows Privilege Escalation. This issue affects MaxiBlocks: from n/a through 2.1.0.

CVSS: HIGH (8.8)

EPSS Score: 0.04%

Source: CVE
June 7th, 2025 (about 1 month ago)

Description: Overview

A flaw in Jackson-core's JsonLocation._appendSourceDesc method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x.

Details

The vulnerability affects the creation of exception messages like:

JsonParseException: Unexpected character ... at [Source: (byte[])...]

When JsonFactory.createParser(byte[] data, int offset, int len) is used and an error occurs while parsing, the exception message should include a snippet from the specified logical payload. However, the method _appendSourceDesc ignores the offset and always starts reading from index 0. If the buffer contains residual sensitive data from a previous request, such as credentials or document contents, that data may be exposed if the exception is propagated to the client.

The issue particularly impacts server applications using:

- Pooled byte buffers (e.g., Netty)
- Frameworks that surface parse errors in HTTP responses
- Default Jackson settings (i.e., INCLUDE_SOURCE_IN_LOCATION is enabled)

A documented real-world example is CVE-2021-22145 in Elasticsearch, which stemmed from the same root cause.

Attack Scenario

An attacker sends malformed JSON to a service using Jackson and pooled byte buffers (...

CVSS: MEDIUM (6.5)

Source: Github Advisory Database (Maven)
June 7th, 2025 (about 1 month ago)
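The following is an added example, not Jackson's code and not taken from the advisory. It models the defect the advisory describes: a pooled byte arena whose earlier slice was released without being cleared, a malformed request written at a non-zero offset into the same arena, and two versions of the routine that builds the "[Source: (byte[])...]" part of the error message. The buggy version starts at index 0 of the backing array; the hardened version starts at the offset the caller passed, mirroring the JsonFactory.createParser(byte[] data, int offset, int len) contract. The function names (build_source_desc_buggy, build_source_desc_fixed, parse_with, error_message), the arena layout and the stale "Bearer" fragment are all hypothetical, constructed for this illustration. It also shows the two caller-side mitigations a practitioner would reach for: passing an exact copy of the payload so nothing sits before offset 0, and suppressing the source snippet entirely (what disabling INCLUDE_SOURCE_IN_LOCATION achieves).

```python
"""Model of the Jackson-core offset-ignoring source-snippet defect.

Added example code, not Jackson's source. Names and data here are hypothetical:
the arena contents are constructed, and json.loads stands in for the real parser.
"""
import json

MAX_SNIPPET = 500  # the advisory's cap on how many source bytes are echoed

# Constructed sample data: a fragment an earlier request left behind at the start
# of the arena, and a malformed request placed further into the same arena.
STALE_BYTES = b"Bearer s3cr3t-t0k3n"
MALFORMED_REQUEST = b'{"search": unquoted_value, "page": 1}'
ARENA_SIZE = 256
REQUEST_OFFSET = 64


def make_arena():
    """Return (arena, offset, length). STALE_BYTES remain at index 0 because the
    released slice was never zeroed, as happens with pooled buffers."""
    arena = bytearray(ARENA_SIZE)
    arena[0:len(STALE_BYTES)] = STALE_BYTES
    arena[REQUEST_OFFSET:REQUEST_OFFSET + len(MALFORMED_REQUEST)] = MALFORMED_REQUEST
    return bytes(arena), REQUEST_OFFSET, len(MALFORMED_REQUEST)


def build_source_desc_buggy(data, offset, length):
    """Vulnerable behaviour: the snippet starts at index 0 and ignores offset."""
    snippet = data[0:min(length, MAX_SNIPPET)]
    return '(byte[])"%s"' % snippet.decode("latin-1")


def build_source_desc_fixed(data, offset, length):
    """Hardened behaviour: the snippet starts at the logical payload start."""
    snippet = data[offset:offset + min(length, MAX_SNIPPET)]
    return '(byte[])"%s"' % snippet.decode("latin-1")


class ParseError(Exception):
    """Stands in for JsonParseException; its message carries the source snippet."""


def parse_with(desc_fn, data, offset, length, include_source=True):
    """Parse data[offset:offset+length]. On failure raise ParseError whose message
    embeds a source description built by desc_fn, unless include_source is False
    (the equivalent of disabling INCLUDE_SOURCE_IN_LOCATION)."""
    payload = data[offset:offset + length]
    try:
        return json.loads(payload)
    except ValueError as exc:
        source = desc_fn(data, offset, length) if include_source else "REDACTED"
        raise ParseError("Unexpected input: %s at [Source: %s]" % (exc, source))


def error_message(desc_fn, include_source=True, copy_slice=False):
    """Run the scenario and return the error text a client would receive.

    copy_slice=True models the caller-side mitigation of handing the parser an
    exact copy of the payload (offset 0), so no unrelated bytes precede it."""
    data, offset, length = make_arena()
    if copy_slice:
        data, offset = data[offset:offset + length], 0
    try:
        parse_with(desc_fn, data, offset, length, include_source)
    except ParseError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("buggy  :", error_message(build_source_desc_buggy))
    print("fixed  :", error_message(build_source_desc_fixed))
    print("copied :", error_message(build_source_desc_buggy, copy_slice=True))
    print("no src :", error_message(build_source_desc_buggy, include_source=False))
```

Running the block prints four messages: the buggy one carries the stale bearer token and none of the actual request, while the fixed, copied-slice and redacted variants do not. When auditing a service, the copy-the-slice and redact-the-source mitigations are the ones available without upgrading the library.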

Description: Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-m65q-v92h-cm7q. This link is maintained to preserve external references.

Original Description

A flaw was found in the users crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-5791
https://github.com/ogham/rust-users/issues/44
https://access.redhat.com/security/cve/CVE-2025-5791
https://bugzilla.redhat.com/show_bug.cgi?id=2370001
https://crates.io/crates/users
https://rustsec.org/advisories/RUSTSEC-2025-0040.html
https://github.com/advisories/GHSA-jq8x-v7jw-v675

EPSS Score: 0.01%

Source: Github Advisory Database (Rust)
June 7th, 2025 (about 1 month ago)
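The following is an added example, not the users crate's code. It models the failure mode the advisory describes and makes one assumption, inferred from the "fewer than exactly 1024 groups" threshold: that the affected listing filled a fixed, zero-initialised 1024-entry buffer via getgrouplist(3) and then used every slot of that buffer rather than only the entries getgrouplist reported. Because gid 0 is root, each unused slot then reads as membership of the root group, and an access check built on the list grants root-group access to an ordinary user; with exactly 1024 groups no unused slot remains, which is why the threshold appears in the advisory. fake_getgrouplist, list_groups_buggy, list_groups_fixed and may_access are hypothetical names, and the gid lists are constructed; the real libc call is not made so the block runs anywhere.

```python
"""Model of the group-listing defect described above.

Added example code, not the crate's source. The fixed 1024-entry zero-filled
buffer is an assumption drawn from the advisory's 1024-group threshold.
"""

ROOT_GID = 0
BUF_LEN = 1024  # assumed fixed buffer size


def fake_getgrouplist(user_gids, buf):
    """Stand-in for libc getgrouplist(3): write the user's gids into buf and
    return how many entries were written. Unwritten slots keep their old value."""
    n = min(len(user_gids), len(buf))
    buf[:n] = user_gids[:n]
    return n


def _dedup(gids):
    """Drop repeated gids while preserving order."""
    seen = []
    for gid in gids:
        if gid not in seen:
            seen.append(gid)
    return seen


def list_groups_buggy(user_gids):
    """Vulnerable: the returned count is discarded and every slot of the
    zero-filled buffer is treated as a real gid, so each unused slot is gid 0."""
    buf = [0] * BUF_LEN
    fake_getgrouplist(user_gids, buf)
    return _dedup(buf)


def list_groups_fixed(user_gids):
    """Hardened: only the n entries getgrouplist actually filled are used."""
    buf = [0] * BUF_LEN
    n = fake_getgrouplist(user_gids, buf)
    return _dedup(buf[:n])


def may_access(group_lister, user_gids, required_gid):
    """An authorisation check that grants access when the user's group list
    contains required_gid. Its outcome depends entirely on the lister used."""
    return required_gid in group_lister(user_gids)


# Constructed sample users.
ALICE = [1000, 27, 100]           # three ordinary groups, none of them root
CROWDED = list(range(2000, 3024)) # exactly 1024 groups: the buffer is fully used

if __name__ == "__main__":
    print("alice, buggy lister, root access:", may_access(list_groups_buggy, ALICE, ROOT_GID))
    print("alice, fixed lister, root access:", may_access(list_groups_fixed, ALICE, ROOT_GID))
    print("1024-group user, buggy lister, root access:",
          may_access(list_groups_buggy, CROWDED, ROOT_GID))
```

The practical check for a dependent project is the same as the model's: any code path that builds an access decision from the crate's group list should be treated as having granted root-group membership to every caller with fewer than 1024 groups until the fixed crate is in place.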

Description: [AI generated] Ticketmaster Entertainment, Inc. is an American ticket sales and distribution company headquartered in Beverly Hills, California. It operates in more than 20 countries, delivering over 100 million tickets annually. They provide services for worldwide events including concerts, sports events, theatre performances, and family shows. Apart from ticket distribution, Ticketmaster offers marketing and support for event organizers.
Source: Ransomware.live
June 7th, 2025 (about 1 month ago)

Description: InTech Industries, Inc. specializes in full-service manufacturing, offering services such as 3D printing, design, tooling, injection molding, and precision CNC machining. They serve a wide range of industries, including life sciences, medical devices, dental, and personal safety. Their clients include businesses in a variety of sectors, such as pharmaceuticals, home care devices, and the optical industry.
Source: Ransomware.live
June 7th, 2025 (about 1 month ago)