Threat and Vulnerability Intelligence Database

Description: The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS and mutation XSS attacks when pasting malicious code.

Impact: An attacker could trick a user into copying and pasting malicious code that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.

Patches: Users should upgrade to Trix editor version 2.1.9 or later, which uses DOMPurify to sanitize the pasted content. If using Trix 1.x, upgrade to version 1.3.3 or later.

Mitigations: This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.

Credits: The XSS vulnerability was reported by HackerOne researcher hiumee. The mutation XSS vulnerability was reported by HackerOne researcher sudi.

References:
https://github.com/basecamp/trix/security/advisories/GHSA-6vx4-v2jw-qwqh
https://github.com/basecamp/trix/commit/272c7e27e722608732a67108ad3fe7870e233ac8
https://github.com/advisories/GHSA-6vx4-v2jw-qwqh
Source: Github Advisory Database (NPM)
December 9th, 2024 (4 months ago)
Description: Summary: When setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges.

Details: Accountability for unauthenticated WebSocket requests is set to null, which used to be "public permissions" until the Permissions Policy update, which now defaults that to system/admin level access. So instead of null we need to make use of createDefaultAccountability() to ensure public permissions are used for unauthenticated users.

PoC:
1. Start directus with WEBSOCKETS_ENABLED=true WEBSOCKETS_GRAPHQL_AUTH=public WEBSOCKETS_REST_AUTH=public
2. Subscribe using GQL or REST, or do any CRUD operation on a user-created collection (system tables are not reachable with crud):

    subscription { directus_users_mutated { key event data { id email first_name last_name password } } }

   or

    { "type": "items", "action": "read", "collection": "your_collection_name" }

3a. Open up the data studio as any user. Observe how the subscriber gets notified on each page navigation (because the user's last_page gets updated; the password field is properly redacted here).
3b. Observe receiving all available items from the your_collection_name collection.

Impact: This impacts any Directus instance that has either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to public allowing unauthenticat...
Source: Github Advisory Database (NPM)
December 9th, 2024 (4 months ago)
Description: Radiant Capital now says that North Korean threat actors are behind the $50 million cryptocurrency heist that occurred after hackers breached its systems in an October 16 cyberattack. [...]
Source: BleepingComputer
December 9th, 2024 (4 months ago)
Description: Researchers demonstrate a proof-of-concept cyberattack vector that gets around remote, on-premises, and local versions of browser isolation security technology to send malicious communications from an attacker-controlled server.
Source: Dark Reading
December 9th, 2024 (4 months ago)
Description: Microsoft now blocks the Windows 11 24H2 update on computers with outdated Google Workspace Sync installs because they're causing Outlook launch issues. [...]
Source: BleepingComputer
December 9th, 2024 (4 months ago)
Description: More than 4% of US attempted e-commerce transactions between Thanksgiving and Cyber Monday suspected to be fraudulent.
Source: Dark Reading
December 9th, 2024 (4 months ago)
Description: The threat actors linked to the Black Basta ransomware have been observed switching up their social engineering tactics, distributing a different set of payloads such as Zbot and DarkGate since early October 2024. "Users within the target environment will be email bombed by the threat actor, which is often achieved by signing up the user's email to numerous mailing lists simultaneously," Rapid7
Source: TheHackerNews
December 9th, 2024 (4 months ago)
Description: Eight members of an international cybercrime network that stole millions of Euros from victims and set up Airbnb fraud centers were arrested in Belgium and the Netherlands. [...]
Source: BleepingComputer
December 9th, 2024 (4 months ago)
Description: Electrica Group, a key player in the Romanian electricity distribution and supply market, is investigating a ransomware attack that was still "in progress" earlier today. [...]
Source: BleepingComputer
December 9th, 2024 (4 months ago)
Description: We can anticipate a growing number of emerging vulnerabilities in the near future, emphasizing the need for an effective prioritization strategy.
Source: Dark Reading
December 9th, 2024 (4 months ago)