
Threat and Vulnerability Intelligence Database

CVE-2025-34508

Description: A path traversal vulnerability exists in the file dropoff functionality of ZendTo versions 6.15-7 and prior. This could allow a remote, authenticated attacker to retrieve the files of other ZendTo users, retrieve files on the host system, or cause a denial of service.

CVSS: MEDIUM (6.3)

EPSS Score: 0.13%

SSVC Exploitation: poc

Source: CVE
June 17th, 2025 (3 days ago)

CVE-2024-24753

Description: Bref enables serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multi-value headers. If PHP generates a response with two headers having the same key but different values, only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.

CVSS: MEDIUM (4.8)

EPSS Score: 0.14%

SSVC Exploitation: poc

Source: CVE
June 17th, 2025 (3 days ago)

CVE-2024-24593

Description: A cross-site request forgery (CSRF) vulnerability in all versions up to 1.14.1 of the API server component of Allegro AI’s ClearML platform allows a remote attacker to impersonate a user by sending API requests via maliciously crafted HTML. Exploitation of the vulnerability allows an attacker to compromise confidential workspaces and files, leak sensitive information, and target instances of the ClearML platform within closed-off networks.

CVSS: CRITICAL (9.6)

EPSS Score: 0.31%

SSVC Exploitation: none

Source: CVE
June 17th, 2025 (3 days ago)

CVE-2024-24574

Description: phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Unsafe echo of the filename in phpMyFAQ\phpmyfaq\admin\attachments.php allows execution of JavaScript code on the client side (XSS). This vulnerability has been patched in version 3.2.5.

CVSS: MEDIUM (6.5)

EPSS Score: 1.78%

SSVC Exploitation: poc

Source: CVE
June 17th, 2025 (3 days ago)

CVE-2024-23630

Description: An arbitrary firmware upload vulnerability exists in the Motorola MR2600. An attacker can exploit this vulnerability to achieve code execution on the device. Authentication is required, but it can be bypassed.

CVSS: CRITICAL (9.0)

EPSS Score: 0.12%

SSVC Exploitation: none

Source: CVE
June 17th, 2025 (3 days ago)

CVE-2024-23441

Description: Vba32 Antivirus v3.36.0 is vulnerable to a Denial of Service vulnerability by triggering the 0x2220A7 IOCTL code of the Vba32m64.sys driver.

CVSS: MEDIUM (5.5)

EPSS Score: 0.03%

SSVC Exploitation: none

Source: CVE
June 17th, 2025 (3 days ago)

CVE-2024-23055

Description: An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers.

CVSS: MEDIUM (6.1)

EPSS Score: 0.63%

SSVC Exploitation: poc

Source: CVE
June 17th, 2025 (3 days ago)

CVE-2024-22912

Description: A global-buffer-overflow was found in SWFTools v0.9.2, in the function countline at swf5compiler.flex:327. It allows an attacker to cause code execution.

CVSS: HIGH (7.8)

EPSS Score: 0.07%

SSVC Exploitation: poc

Source: CVE
June 17th, 2025 (3 days ago)

CVE-2024-22449

Description: Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contain a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access.

CVSS: MEDIUM (6.6)

EPSS Score: 0.02%

SSVC Exploitation: none

Source: CVE
June 17th, 2025 (3 days ago)

CVE-2024-22290

Description: Cross-Site Request Forgery (CSRF) vulnerability in AboZain,O7abeeb,UnitOne Custom Dashboard Widgets allows Cross-Site Scripting (XSS). This issue affects Custom Dashboard Widgets: from n/a through 1.3.1.

CVSS: HIGH (7.1)

EPSS Score: 0.05%

SSVC Exploitation: none

Source: CVE
June 17th, 2025 (3 days ago)