February 5th, 2025
Description: Summary
The better-auth /api/auth/error page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability.
Details
The value of the error URL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81
PoC
https://demo.better-auth.com/api/auth/error?error=%3Cscript%3Ealert(1)%3C/script%3E
Impact
An attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser.
Because better-auth is a dependency of web applications, the impact of such a vulnerability cannot be known in general; it depends on the functionality of the application or site using better-auth. I have calculated the CVSS score assuming the hypothetical victim is an administrator with elevated permissions and access.
References
https://github.com/better-auth/better-auth/security/advisories/GHSA-9x4v-xfq5-m8x5
https://github.com/better-auth/better-auth/commit/7ae340e2eddad641b7e43d24d37c58a66ce9ddcf
https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81
https://github.com/advisories/GHSA-9x4v-xfq5-m8x5
February 5th, 2025
Description: A Threat Actor is Selling Stock Investor Emails and Phone Number Data from MarketWatch
February 5th, 2025
Description: Impact
Recovering coordinators do not verify the seed provided by the recovering party. This allows an attacker to set up a coordinator with a manifest that passes validation, but with a secret seed controlled by the attacker.
If network traffic is redirected from the legitimate coordinator to the attacker's coordinator, a workload owner is susceptible to impersonation if either
they set a new manifest and do not compare the root CA cert with the existing one (this is the default behaviour of the contrast CLI), or
they verify the coordinator and do not compare the root CA cert with a trusted reference.
Under these circumstances, the attacker can:
Issue certificates that chain back to the attacker coordinator's root CA.
Recover arbitrary workload secrets of workloads deployed after the attack.
This issue does not affect the following:
secrets of the legitimate coordinator (seed, workload secrets, CA)
integrity of workloads, even when used with the rogue coordinator
certificates chaining back to the mesh CA
Patches
This issue is patched in Contrast v1.4.1.
Workarounds
The issue can be avoided by verifying the coordinator root CA cert against expectations.
At the first set call, keep a copy of the CA cert returned by the coordinator.
After subsequent set or verify calls, compare the returned CA cert with the backup copy. If it matches bit-for-bit, the coordinator is legitimate.
References
https://github.com/edgelesssys/contrast/security/advisories/GHSA-vqv5-385r-2hf8
https://gi...
February 5th, 2025
CVE-2024-5830
Description: Summary
When a file is pushed via the postLocal method, JavaScript placed by the user in the file parameter is executed in the v8go context.
Details
When a file is posted via postLocal, an attacker can include JavaScript in the file parameter. After some validation, that parameter's content is passed to the componentSignature method, and the componentSignature value is then concatenated with the ssrStr parameter.
In the last part of the compileSvelte function, the ssrStr parameter is executed in the v8go engine.
As a result, anyone who can post a file can also push JavaScript code and run it. Because of v8go's sandbox, not every JavaScript method is usable; unless there is a vulnerability in v8go itself, the sandbox cannot be escaped and dangerous operations such as opening a socket are not possible. An infinite loop can, however, be created, after which plenti can no longer respond to any request.
After posting a file named 'layouts/global/test; eval(while(1););var test.svelte', the ssrStr parameter can be seen to contain the injected JavaScript.
Note: the use of eval is not required; it was used only to confirm that JavaScript commands are executed.
PoC
Request
POST /postlocal HTTP/1.1
Host: localhost:3000
Content-Length: 125
Content-Type: application/json; charset=utf-8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.140 Safari/537.36
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
[{"action":"create","encoding":"text","file":"layouts/global/test; eval(`while(1);`);var test.svelte","contents":"anethole"}]
Video
Curl Request
curl --p...
EPSS Score: 0.05%
February 5th, 2025
CVE-2025-1022
Description: Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing validations of the user input that should be blocking file URI schemes (e.g., file:// and file:/) in the HTML content.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-1022
https://github.com/spatie/browsershot/commit/bcfd608b264fab654bf78e199bdfbb03e9323eb7
https://github.com/spatie/browsershot/commit/e3273974506865a24fbb5b65b534d8d4b8dfbf72
https://gist.github.com/mrdgef/a820837c530e09e1dd725e013e0d4341
https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496747
https://github.com/advisories/GHSA-j2gw-r24m-j2qw
EPSS Score: 0.05%
February 5th, 2025
CVE-2025-1025
Description: Versions of the package cockpit-hq/cockpit before 2.4.1 are vulnerable to Arbitrary File Upload, where an attacker can use a different file extension to bypass the upload filter.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-1025
https://github.com/Cockpit-HQ/Cockpit/commit/984ef9ad270357b843af63c81db95178eae42cae
https://github.com/Cockpit-HQ/Cockpit/commit/becca806c7071ecc732521bb5ad0bb9c64299592
https://gist.github.com/CHOOCS/fe1227443544d5d74c33982814f290af
https://security.snyk.io/vuln/SNYK-PHP-COCKPITHQCOCKPIT-8516320
https://github.com/advisories/GHSA-wp68-xrfg-xvq4
EPSS Score: 0.05%
February 5th, 2025
CVE-2024-10973
Description: The env option KC_CACHE_EMBEDDED_MTLS_ENABLED does not work, and the JGroups replication configuration is always used in plaintext. This option worked previously in versions 24 and 22. More info in the public issue https://github.com/keycloak/keycloak/issues/34644.
References
https://github.com/keycloak/keycloak/security/advisories/GHSA-g6qq-c9f9-2772
https://nvd.nist.gov/vuln/detail/CVE-2024-10973
https://github.com/keycloak/keycloak/issues/28750
https://github.com/keycloak/keycloak/issues/34644
https://github.com/keycloak/keycloak/pull/28756
https://github.com/keycloak/keycloak/pull/34668
https://github.com/keycloak/keycloak/commit/071032a108bd9e9fce9e66d00c36d56bd4b334df
https://github.com/keycloak/keycloak/commit/36defd5f33b2da5d705f179bbaa21c28b13a9996
https://access.redhat.com/security/cve/CVE-2024-10973
https://bugzilla.redhat.com/show_bug.cgi?id=2324361
https://github.com/advisories/GHSA-g6qq-c9f9-2772
February 5th, 2025
Description: The FCC has proposed a $4,492,500 fine against VoIP service provider Telnyx for allegedly allowing customers to make robocalls posing as fictitious FCC "Fraud Prevention Team," by failing to comply with Know Your Customer (KYC) rules. However, Telnyx says the FCC is mistaken and denies the accusations. [...]
February 5th, 2025
Description: Product: MobSF
Version: < 4.3.1
CWE-ID: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS vector v.4.0: 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N)
CVSS vector v.3.1: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
Description: Stored XSS in the iOS Dynamic Analyzer functionality.
Impact: Leveraging this vulnerability would enable performing actions as users, including administrative users.
Vulnerable component: dynamic_analysis.html
https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406
Exploitation conditions: A malicious application is uploaded to Corellium.
Mitigation: Use escapeHtml() function on the bundle variable.
Researcher: Oleg Surnin (Positive Technologies)
Research
The researcher discovered a zero-day stored cross-site scripting (XSS) vulnerability in the iOS Dynamic Analyzer functionality of MobSF.
According to Apple's documentation for bundle IDs, a bundle ID must contain only alphanumeric characters (A–Z, a–z, and 0–9), hyphens (-), and periods (.).
(https://developer.apple.com/documentation/bundleresources/information-property-list/cfbundleidentifier)
However, an attacker can manually modify this value in the Info.plist file and add special characters to the CFBundleIdentifier value.
The dynamic_analysis.html file does not sanitize the bundle value received from Corellium:
https://github.com/MobSF/Mobil...
February 5th, 2025