Threat and Vulnerability Intelligence Database

Description: Important: This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. See https://docs.silverstripe.org/en/developer_guides/debugging/environment_types/ for more information. If a website has been set to the "dev" environment mode, a URL that includes an XSS payload can be provided, and the payload will be executed in the resulting error message.
Reported by: Gaurav Nayak from Chaleit
References:
https://www.silverstripe.org/download/security-releases/ss-2024-002
https://github.com/silverstripe/silverstripe-framework/security/advisories/GHSA-mqf3-qpc3-g26q
https://github.com/silverstripe/silverstripe-framework/commit/a555dad4ec73c929f6316bcb4019eb325a5b77d8
https://github.com/advisories/GHSA-mqf3-qpc3-g26q
Source: Github Advisory Database (Composer)
January 14th, 2025 (6 months ago)
Description: Company has issued patches for an unprecedented 159 CVEs, including eight zero-days, three of which attackers are already exploiting.
Source: Dark Reading
January 14th, 2025 (6 months ago)
Description: A Threat Actor Claims to be Selling Access to an Unidentified Polish Group of Companies
Source: DarkWebInformer
January 14th, 2025 (6 months ago)
Description: Texas Attorney General Ken Paxton has filed a lawsuit against Allstate and its data subsidiary Arity for unlawfully collecting, using, and selling driving data from over 45 million Americans. [...]
Source: BleepingComputer
January 14th, 2025 (6 months ago)
Description: Microsoft is warning that the January 2025 Windows 11 and Windows 10 cumulative updates may fail if Citrix Session Recording Agent (SRA) version 2411 is installed on the device. [...]
Source: BleepingComputer
January 14th, 2025 (6 months ago)
Description: Eight 0-days. Access: triple zero-day RCE; Hyper-V NT Kernel Integration VSP: triple zero-day EoP; Windows Themes: zero-day NTLM disclosure; Windows Installer: zero-day EoP; PGM: critical RCE; OLE: critical RCE.
Source: Rapid7
January 14th, 2025 (6 months ago)
Description: Two hacker groups were paid to develop malware targeting victims in the US, Europe, and Asia, as well as various Chinese dissident groups.
Source: Dark Reading
January 14th, 2025 (6 months ago)
Description: Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 10 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.” 
Source: Cisco Talos Blog
January 14th, 2025 (6 months ago)
Description: Microsoft's January 2025 Patch Tuesday update addresses 159 vulnerabilities, including three previously undisclosed actively exploited zero-day vulnerabilities. The update is applicable to Windows 11 OS Builds 22621.4751 and 22631.4751 and is part of Microsoft's ongoing effort to secure its flagship operating system against emerging threats. New zero-day flaws: Microsoft has confirmed three vulnerabilities under active …
Source: CyberInsider
January 14th, 2025 (6 months ago)

CVE-2025-23081

Description: Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS). This issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-23081
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931
https://gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0
https://gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3
https://gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7
https://gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9
https://phabricator.wikimedia.org/T379749
https://github.com/advisories/GHSA-c3h5-h73c-29hq

EPSS Score: 0.04%

Source: Github Advisory Database (Composer)
January 14th, 2025 (6 months ago)