CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-43906
drm/admgpu: fix dereferencing null pointer context
Description: In the Linux kernel, the following vulnerability has been resolved: drm/admgpu: fix dereferencing null pointer context When user space sets an invalid ta type, the pointer context will be empty. So it need to check the pointer context before using it

EPSS Score: 0.04%

Source: CVE
January 18th, 2025 (6 months ago)

CVE-2024-42225
wifi: mt76: replace skb_put with skb_put_zero
Description: In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: replace skb_put with skb_put_zero Avoid potentially reusing uninitialized data

EPSS Score: 0.05%

Source: CVE
January 18th, 2025 (6 months ago)

CVE-2024-42151
bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable
Description: In the Linux kernel, the following vulnerability has been resolved: bpf: mark bpf_dummy_struct_ops.test_1 parameter as nullable Test case dummy_st_ops/dummy_init_ret_value passes NULL as the first parameter of the test_1() function. Mark this parameter as nullable to make verifier aware of such possibility. Otherwise, NULL check in the test_1() code: SEC("struct_ops/test_1") int BPF_PROG(test_1, struct bpf_dummy_ops_state *state) { if (!state) return ...; ... access state ... } Might be removed by verifier, thus triggering NULL pointer dereference under certain conditions.

EPSS Score: 0.04%

Source: CVE
January 18th, 2025 (6 months ago)

CVE-2024-29415
The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and...
Description: The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

EPSS Score: 0.06%

Source: CVE
January 18th, 2025 (6 months ago)

CVE-2024-0690
Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration
Description: An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.

EPSS Score: 0.05%

Source: CVE
January 18th, 2025 (6 months ago)
[zotregistry.dev/zot] Zot IdP group membership revocation ignored
Description: Summary The group data stored for users in the boltdb database (meta.db) is an append-list so group revocations/removals are ignored in the API. Details SetUserGroups is alled on login, but instead of replacing the group memberships, they are appended. This may be due to some conflict with the group definitions in the config file, but that wasn't obvious to me if it were the case. PoC Login with group claims, logout, remove the user from a group from at IdP and log in again, the API still grants access and the new list of groups is appended creating meaningless duplicate entries and no longer mathing the expected groups from the IdP. The behavior can be verified by seeing the API or UI still presenting images it should not or by viewing the data directly: bbolt get meta.db UserData <user>, eg: Note this example also has duplicates due to group hierarchy changes that were left in the database. Impact Any Zot configuration that relies on group-based authorization will not respect group remove/revocation by an IdP. References https://github.com/project-zot/zot/security/advisories/GHSA-c9p4-xwr9-rfhx https://github.com/project-zot/zot/commit/002ac62d8a15bf0cba010b3ba7bde86f9837b613 https://github.com/advisories/GHSA-c9p4-xwr9-rfhx
Source: Github Advisory Database (Go)
January 17th, 2025 (6 months ago)
FTC cracks down on Genshin Impact gacha loot box practices
Description: Genshin Impact developer Cognosphere (aka Hoyoverse) has agreed to a $20 million settlement with the U.S. Federal Trade Commission (FTC) over its gacha loot box monetization&nbsp;and is now banned from selling them to teens under the age of sixteen without parental consent. [...]
Source: BleepingComputer
January 17th, 2025 (6 months ago)
[katex] KaTeX \htmlData does not validate attribute names
Description: Impact KaTeX users who render untrusted mathematical expressions with renderToString could encounter malicious input using \htmlData that runs arbitrary JavaScript, or generate invalid HTML. Patches Upgrade to KaTeX v0.16.21 to remove this vulnerability. Workarounds Avoid use of or turn off the trust option, or set it to forbid \htmlData commands. Forbid inputs containing the substring "\\htmlData". Sanitize HTML output from KaTeX. Details \htmlData did not validate its attribute name argument, allowing it to generate invalid or malicious HTML that runs scripts. For more information If you have any questions or comments about this advisory: Open an issue or security advisory in the KaTeX repository Email us at [email protected] References https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546 https://github.com/KaTeX/KaTeX/commit/ff289955e81aab89086eef09254cbf88573d415c https://github.com/advisories/GHSA-cg87-wmx4-v546
Source: Github Advisory Database (NPM)
January 17th, 2025 (6 months ago)
Has the TikTok Ban Already Backfired on US Cybersecurity?
Description: The Supreme Court has affirmed TikTok's ban in the US, which has its users in revolt and is creating a whole new set of national cybersecurity concerns.
Source: Dark Reading
January 17th, 2025 (6 months ago)
FCC to telcos: Did you know you must by law secure your networks from foreign spies?
Source: TheRegister
January 17th, 2025 (6 months ago)