Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-11972	WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins Description: Malicious actors are exploiting a critical vulnerability in the Hunk Companion plugin for WordPress to install other vulnerable plugins that could open the door to a variety of attacks. The flaw, tracked as CVE-2024-11972 (CVSS score: 9.8), affects all versions of the plugin prior to 1.9.0. The plugin has over 10,000 active installations. "This flaw poses a significant security risk, as it EPSS Score: 0.04% Source: TheHackerNews December 12th, 2024 (5 months ago)
	Europol Dismantles 27 DDoS Attack Platforms Across 15 Nations; Admins Arrested Description: A global law enforcement operation has failed 27 stresser services that were used to conduct distributed denial-of-service (DDoS) attacks and took them offline as part of a multi-year international exercise called PowerOFF. The effort, coordinated by Europol and involving 15 countries, dismantled several booter and stresser websites, including zdstresser.net, orbitalstress.net, and Source: TheHackerNews December 12th, 2024 (5 months ago)
CVE-2024-5154	Cri-o: malicious container can create symlink on host Description: A flaw was found in cri-o. A malicious container can create a symbolic link to arbitrary files on the host via directory traversal (“../“). This flaw allows the container to read and write to arbitrary files on the host system. EPSS Score: 0.05% Source: CVE December 12th, 2024 (5 months ago)
CVE-2023-23456	Upx: heap-buffer-overflow in packtmt::pack() Description: A heap-based buffer overflow issue was discovered in UPX in PackTmt::pack() in p_tmt.cpp file. The flow allows an attacker to cause a denial of service (abort) via a crafted file. EPSS Score: 0.13% Source: CVE December 12th, 2024 (5 months ago)
	Hunk Companion WordPress plugin exploited to install vulnerable plugins Description: Hackers are exploiting a critical vulnerability in the "Hunk Companion" plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository. [...] Source: BleepingComputer December 11th, 2024 (5 months ago)
CVE-2024-53677	[org.apache.struts:struts2-core] Apache Struts file upload logic is flawed Description: File upload logic is flawed vulnerability in Apache Struts. This issue affects Apache Struts: from 2.0.0 before 6.4.0. Users are recommended to upgrade to version 6.4.0, which fixes the issue. You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067 References https://nvd.nist.gov/vuln/detail/CVE-2024-53677 https://cwiki.apache.org/confluence/display/WW/S2-067 https://github.com/advisories/GHSA-43mq-6xmg-29vm EPSS Score: 0.04% Source: Github Advisory Database (Maven) December 11th, 2024 (5 months ago)
	[golang.org/x/crypto] Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto Description: Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/[email protected] enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if... Source: Github Advisory Database (Go) December 11th, 2024 (5 months ago)
	Chinese Hacker Pwns 81K Sophos Devices With Zero-Day Bug Description: The US State Department has offered a $10 million reward for Guan Tianfeng, who has been accused of developing and testing a critical SQL injection flaw with a CVSS score of 9.8 used in Sophos attacks. Source: Dark Reading December 11th, 2024 (5 months ago)
	Cynet Delivers 100% Protection and 100% Detection Visibility in the 2024 MITRE ATT&CK Evaluation Description: The 2024 MITRE ATT&CK Evaluation results are now available with Cynet achieving 100% Visibility and 100% Protection in the 2024 evaluation. Learn more from Cynet about what these results mean. [...] Source: BleepingComputer December 11th, 2024 (5 months ago)
	Krispy Kreme Doughnut Delivery Gets Cooked in Cyberattack Description: Threat actors punch holes in the company's online ordering systems, tripping up doughnut deliveries across the US after a late November breach. Source: Dark Reading December 11th, 2024 (5 months ago)