CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: Impact
Information that is restricted from viewing in the search results of site searches (※) can still be viewed via the main text (a feature added in v1.8.0).
Impact by version
v1.8.0 ~ v1.8.3: It will be displayed in the text.
v1.8.0 and earlier: It will not be displayed in the body of the text, but the title (frame name) will be displayed with a link.
Target viewing restriction function
Frame publishing function (private, limited publishing)
IP Restriction Page
Password setting page
Patches (fixed version)
Apply v1.8.4.
Workarounds
Remove the site search (e.g. hide frames).。
References
none
References
https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-2237-5r9w-vm8j
https://github.com/advisories/GHSA-2237-5r9w-vm8j
February 7th, 2025 (5 months ago)
|
|
|
Description: Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new --allow-local-file-access flag.
This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references.
It was discovered that xml2rfc does not respect --allow-local-file-access when a local file is specified as src in artwork or sourcecode elements. Furthermore, XML entity references can include any file inside the source dir and below without using the --allow-local-file-access flag.
The xml2rfc <= 3.26.0 behaviour:
xinclude
XML entity reference
artwork src=
sourcecode src=
without --allow-local-file-access flag
No filesystem access
Any file in xml2rfc templates dir and below, any file in source directory and below
Access source directory and below
Access source directory and below
with --allow-local-file-access flag
Access any file on filesystem[^1]
Access any file on filesystem[^1]
Access source directory and below
Access source directory and below
[^1]: Access any file of the filesystem with the permissions of the user running xml2rfc can access.
Impact
Anyone running xml2rfc as a service that accepts input from external users is impacted by this issue.
Specifying a file in src attribute in artwork or sourcecode elements will cause the contents of that file to appear in xml2rfc’s output results.
But that file has to be inside the same directory as the XML input source file.
For artwork and sourcecode, xml2rfc will not look ab...
February 7th, 2025 (5 months ago)
|
|
|
Description: The secret use of other people's generative AI platforms, wherein hijackers gain unauthorized access to an LLM while someone else foots the bill, is getting quicker and stealthier by the month.
February 7th, 2025 (5 months ago)
|
|
|
Description: Developers are pulling in publicly available ASP.NET keys into their environments, without realizing that cyberattackers can use them for clandestine code injection.
February 7th, 2025 (5 months ago)
|
|
|
Description: Cyb3r Drag0nz Targeted the Website of Gubad Talabani
February 7th, 2025 (5 months ago)
|
|
|
Description: Hewlett Packard Enterprise (HPE) is notifying employees whose data was stolen from the company's Office 365 email environment by Russian state-sponsored hackers in a May 2023 cyberattack. [...]
February 7th, 2025 (5 months ago)
|
|
|
Description: Worms Viruses Bd Defaced the Website of SHORIELEC
February 7th, 2025 (5 months ago)
|
|
|
Description: DXPLOIT Defaced the Website of Global Bonds
February 7th, 2025 (5 months ago)
|
|
|
Description: Anonymous KSA Targeted the Website of Lebanese Ministry of Agriculture
February 7th, 2025 (5 months ago)
|
|
|
Description: Software vendor Trimble is warning that hackers are exploiting a Cityworks deserialization vulnerability to remotely execute commands on IIS servers and deploy Cobalt Strike beacons for initial network access. [...]
February 7th, 2025 (5 months ago)
|