OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file containing embedded JavaScript

CVE Database V5

Detailed information about CVE-2025-45893: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-45893: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-45893: n/a

Cross Site Scripting vulnerability in tawk.to Live Chat v.1.6.1 allows a remote attacker to execute arbitrary code via the web application stores and displays user-supplied input without proper input validation or encoding

CVE-2025-45960 is a Cross Site Scripting (XSS) vulnerability identified in the tawk.to Live Chat application version 1.6.1. This vulnerability arises because the web application accepts user-supplied input and stores and displays it without proper input validation or output encoding. As a result, a remote attacker can inject malicious scripts that execute arbitrary code within the context of the victim's browser session. The vulnerability is classified as a stored XSS, meaning the malicious payload is saved on the server and served to other users, increasing the attack's reach and persistence. Exploiting this flaw could allow attackers to hijack user sessions, steal sensitive information such as cookies or authentication tokens, perform actions on behalf of users, or deliver further malware. The vulnerability does not require authentication or user interaction beyond visiting a compromised page or interacting with the chat widget. Although no known exploits are currently reported in the wild and no CVSS score has been assigned, the nature of stored XSS vulnerabilities typically represents a significant security risk. The lack of a patch link suggests that a fix may not yet be publicly available, underscoring the need for immediate mitigation efforts by affected organizations.

Detailed information about CVE-2025-45960: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-45960: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-45960: n/a

Abnormal Security /v1.0/rbac/users_v2/{USER_ID}/ before 2025-02-19 allows downgrading the privileges of other user accounts.

CVE-2025-54596 is a medium-severity vulnerability classified under CWE-863 (Incorrect Authorization) affecting Abnormal AI's Abnormal Security product version 1.0 and earlier, specifically before the patch date of 2025-02-19. The vulnerability exists in the API endpoint /v1.0/rbac/users_v2/{USER_ID}/, which handles role-based access control (RBAC) user management. Due to improper authorization checks, an authenticated user with certain privileges can downgrade the privileges of other user accounts without proper authorization. This means that an attacker who already has some level of access (low privilege) can reduce the permissions of other users, potentially disrupting their ability to perform security functions or access critical features. The CVSS v3.1 score is 4.3 (medium), reflecting that the attack vector is network-based (AV:N), requires low attack complexity (AC:L), but requires privileges (PR:L) and no user interaction (UI:N). The impact affects integrity (I:L) but not confidentiality or availability. No known exploits are currently reported in the wild, and no patches or mitigation links are provided in the data. The vulnerability could be exploited remotely by an authenticated user to manipulate RBAC settings, potentially weakening the security posture of an organization by disabling or limiting other users' roles, which may include security administrators or privileged users. This could lead to reduced oversight, delayed incident response, or unauthorized changes going unnoticed.

Detailed information about CVE-2025-54596: CWE-863 Incorrect Authorization in Abnormal AI Abnormal Security affecting Abnormal AI Abnormal Security. Get real-ti

CVE-2025-54596: CWE-863 Incorrect Authorization in Abnormal AI Abnormal Security - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-54596: CWE-863 Incorrect Authorization in Abnormal AI Abnormal Security

OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via the blog editor. The vulnerability arises because input in the blog's editor is not properly sanitized or escaped before being rendered. This allows attackers to inject malicious JavaScript code

CVE-2025-45892 is a Stored Cross-Site Scripting (XSS) vulnerability identified in OpenCart version 4.1.0.4, specifically affecting the blog editor component. The vulnerability occurs because the blog editor fails to properly sanitize or escape user input before rendering it on the web pages. This flaw allows an attacker to inject malicious JavaScript code into blog content, which is then stored on the server and delivered to any user viewing the affected blog posts. When a victim loads the compromised blog page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, defacement, or redirection to malicious sites. Stored XSS is particularly dangerous because the payload persists on the server and can affect multiple users without requiring repeated exploitation. Although no known exploits are currently reported in the wild, the vulnerability's presence in a widely used e-commerce platform like OpenCart poses a significant risk. The lack of a CVSS score indicates this is a newly published vulnerability, and no official severity rating has been assigned yet. The attack vector is web-based and requires no authentication, making it accessible to remote attackers who can submit content via the blog editor interface. The vulnerability impacts the confidentiality and integrity of user data and can also affect availability if used to deploy disruptive scripts or malware. Given OpenCart's popularity among small to medium-sized online retailers, this vulnerability could be leveraged to compromise customer trust and business operations.

Detailed information about CVE-2025-45892: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-45892: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-45892: n/a

A vulnerability, which was classified as critical, has been found in deerwms deer-wms-2 up to 3.3. Affected by this issue is some unknown functionality of the file /system/dept/list. The manipulation of the argument params[dataScope] leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-8162: SQL Injection in deerwms deer-wms-2 affecting deerwms deer-wms-2. Get real-time updates, technical details, and mitiga

CVE-2025-8162: SQL Injection in deerwms deer-wms-2

CVE-2025-8162: SQL Injection in deerwms deer-wms-2

Description

Technical Details

Related Threats

CVE-2025-45893: n/a

CVE-2025-45960: n/a

CVE-2025-54596: CWE-863 Incorrect Authorization in Abnormal AI Abnormal Security

CVE-2025-45892: n/a

CVE-2025-45406: n/a

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility