CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
February 10th, 2025 (5 months ago)
|
|
|
Description: LazaGrad Hack Defaced the Website of Wish Future Paths
February 10th, 2025 (5 months ago)
|
|
|
Description: Summary
This vulnerability allows a user to bypass any predefined hardcoded URL path or security anti-Localhost mechanism and perform an arbitrary GET request to any Host, Port and URL using a Webfinger Request.
Details
The Webfinger endpoint takes a remote domain for checking accounts as a feature, however, as per the ActivityPub spec (https://www.w3.org/TR/activitypub/#security-considerations), on the security considerations section at B.3, access to Localhost services should be prevented while running in production.
The library attempts to prevent Localhost access using the following mechanism (/src/config.rs):
pub(crate) async fn verify_url_valid(&self, url: &Url) -> Result<(), Error> {
match url.scheme() {
"https" => {}
"http" => {
if !self.allow_http_urls {
return Err(Error::UrlVerificationError(
"Http urls are only allowed in debug mode",
));
}
}
_ => return Err(Error::UrlVerificationError("Invalid url scheme")),
};
// Urls which use our local domain are not a security risk, no further verification needed
if self.is_local_url(url) {
return Ok(());
}
if url.domain().is_none() {
return Err(Error::UrlVerificationError("Url must have a domain"));
}
if url.domain() == Some("localhost") && !self.debug {
return Err(Error::UrlVerif...
February 10th, 2025 (5 months ago)
|
CVE-2025-24200 |
Description: Apple has patched a zero-day vulnerability affecting iPhones and iPads, which allowed attackers to disable USB Restricted Mode on locked devices. The flaw, tracked as CVE-2025-24200, has reportedly been exploited in highly targeted attacks. The fix was released in iOS 18.3.1, iPadOS 18.3.1, and iPadOS 17.7.5. Sophisticated attacks targeting iPhones The vulnerability was discovered by …
The post Apple Patches Zero-Day Exploit Targeting Locked iPhones appeared first on CyberInsider.
EPSS Score: 1.04%
February 10th, 2025 (5 months ago)
|
|
|
Description: Four distributors of the encrypted communications service Sky ECC, used extensively by criminals, were arrested in Spain and the Netherlands. [...]
February 10th, 2025 (5 months ago)
|
|
|
Description: Brave has announced a new feature in its latest desktop release (version 1.75) that allows advanced users to inject custom JavaScript scriptlets into web pages. This functionality offers users greater control over their browsing experience while maintaining strong privacy protections. Empowering users with custom scriptlets Brave has long positioned itself as a privacy-first browser, blocking …
The post Brave Introduces Custom Scriptlets for Advanced Privacy Options appeared first on CyberInsider.
February 10th, 2025 (5 months ago)
|
|
|
Description: The newspaper company expects the investigation to take some time, but said in an SEC filing that it has not yet identified any material impact.
February 10th, 2025 (5 months ago)
|
|
|
Description: A Threat Actor Claims to be Selling the Data of Cin Learn
February 10th, 2025 (5 months ago)
|
|
|
Description: Today, an Alabama man pleaded guilty to hijacking the U.S. Securities and Exchange Commission (SEC) account on X in a January 2024 SIM swapping attack. [...]
February 10th, 2025 (5 months ago)
|
|
|
Description: Belsen_Group is Allegedly Selling RCE Access to an Unidentified Manufacturing Company in North Africa
February 10th, 2025 (5 months ago)
|