CVE-2024-11849 |
Description: The Pods WordPress plugin before 3.2.8.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
EPSS Score: 0.04%
January 7th, 2025 (6 months ago)
|
CVE-2024-11356 |
Description: The tourmaster WordPress plugin before 5.3.4 does not sanitise and escape some parameters when outputting them in the page, which could allow unauthenticated users to perform Cross-Site Scripting attacks.
EPSS Score: 0.04%
January 7th, 2025 (6 months ago)
|
CVE-2024-10033 |
Description: A Cross-site Scripting (XSS) vulnerability was found in the gateway component of aap-gateway. By supplying a crafted value in the "?next=" parameter of a URL, a malicious user can affect other users: the value can redirect them off-site, inject malicious script, and steal sessions and data.
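The class of bug described above is a "next"/return-URL parameter that is trusted as written. The following is an added example, not aap-gateway's code, of how such a parameter can be constrained to a same-origin path before it is used as a redirect target; APP_ORIGIN, the function name and the sample inputs are assumptions for illustration.

```javascript
// Added example (not aap-gateway's code): validating a "?next=" value so it can
// only ever redirect within the application.  APP_ORIGIN is an assumed value.
const APP_ORIGIN = "https://gateway.example.internal";

// Returns a safe same-origin path, or "/" when the candidate is rejected.
function safeNext(next, appOrigin = APP_ORIGIN) {
  if (typeof next !== "string" || next === "") return "/";
  // Only accept a single-slash relative path.  "//host" is protocol-relative,
  // "/\host" is normalised by browsers to "//host", and "javascript:" or
  // "https://evil" are absolute URLs; all of them would leave the application.
  if (!next.startsWith("/") || next.startsWith("//") || next.startsWith("/\\")) return "/";
  let parsed;
  try {
    parsed = new URL(next, appOrigin);
  } catch {
    return "/";
  }
  // Whatever the WHATWG parser made of the value must still be our origin.
  if (parsed.origin !== appOrigin) return "/";
  // Re-serialise from the parsed form: the parser percent-encodes characters
  // such as <, >, " and whitespace, so the result is safe in a Location header.
  // It still needs context-appropriate escaping if rendered into HTML.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed inputs an attacker might supply, with the value safeNext returns.
const samples = {
  "/dashboard?tab=2": "/dashboard?tab=2",
  "//evil.example/phish": "/",
  "/\\evil.example": "/",
  "javascript:alert(document.cookie)": "/",
  "https://evil.example/": "/",
  '/x"><script>alert(1)</script>': "/x%22%3E%3Cscript%3Ealert(1)%3C/script%3E",
};

for (const [input, expected] of Object.entries(samples)) {
  console.log(JSON.stringify(input), "->", safeNext(input), safeNext(input) === expected ? "ok" : "MISMATCH");
}
```

The check deliberately rejects absolute same-origin URLs as well as cross-origin ones; a redirect parameter that only ever needs to name a path has no reason to carry a scheme or host, and an allow-list of one shape is easier to reason about than a deny-list of known-bad prefixes.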
EPSS Score: 0.05%
January 7th, 2025 (6 months ago)
|
Description: Discover our 2024 Hispanic Heritage Month series: overcoming adversity, fostering community, and empowering growth through inclusion.
January 6th, 2025 (6 months ago)
|
Description: This daily article is intended to make it easier for those who want to stay updated with my regular Dark Web Informer and X/Twitter posts.
January 6th, 2025 (6 months ago)
|
Description: Summary
When you send a request with the Authorization header to one domain, and the response asks to redirect to a different domain, Deno's fetch() redirect handling creates a follow-up redirect request that keeps the original Authorization header, leaking its content to that second domain.
Details
The right behavior in this scenario would be to drop the Authorization header. The same treatment is generally applied to the Cookie and Proxy-Authorization headers, and it applies not only to host changes but also to protocol and port changes, i.e. to any change of what is generally referred to as the "origin".
The documentation states:
Deno does not follow the same-origin policy, because the Deno user agent currently does not have the concept of origins, and it does not have a cookie jar. This means Deno does not need to protect against leaking authenticated data cross origin
Reproduction
const ac = new AbortController()
// server1 (port 3001): always answers with a 302 to a different origin (port 3002)
const server1 = Deno.serve({ port: 3001, signal: ac.signal }, (req) => {
return new Response(null, {
status: 302,
headers: {
'location': 'http://localhost:3002/redirected'
},
})
})
// server2 (port 3002): reports whether the follow-up request still carried Authorization
const server2 = Deno.serve({ port: 3002, signal: ac.signal }, (req) => {
const body = JSON.stringify({
url: req.url,
hasAuth: req.headers.has('authorization'),
})
return new Response(body, {
status: 200,
headers: {'content-type': 'application/json'},
})
})
// client: sends a bearer token to server1 and lets fetch() follow the redirect
async function main() {
const response = await fetch("http://localhost:3001/", {
headers: {authorization: 'Bearer fo...
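The rule the advisory calls for is easy to state but worth seeing as code: decide, per redirect hop, whether the origin (scheme, host, port) changes, and strip credential-bearing headers when it does. The block below is an added example and not Deno's implementation; it drives that rule with a constructed stand-in for the two servers in the reproduction (the ports, paths, header set and the fetchFollowing/fakeFetch names are assumptions), so it runs offline under plain Node.

```javascript
// Added example (not Deno's code): the redirect rule the advisory asks for,
// driven against a constructed stand-in for its two test servers.
const CREDENTIAL_HEADERS = new Set(["authorization", "proxy-authorization", "cookie"]);

// Lower-case header names so lookups are case-insensitive, as on the wire.
function lowerKeys(headers = {}) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Compute the URL and headers of the follow-up request.  Credential-bearing
// headers are dropped when scheme, host or port differ, or when either side
// has an opaque ("null") origin, since those can never be shown to be equal.
function headersForRedirect(requestUrl, location, headers) {
  const from = new URL(requestUrl);
  const to = new URL(location, from);          // Location may be relative
  const sameOrigin = from.origin !== "null" && from.origin === to.origin;
  const out = {};
  for (const [name, value] of Object.entries(lowerKeys(headers))) {
    if (!sameOrigin && CREDENTIAL_HEADERS.has(name)) continue;
    out[name] = value;
  }
  return { url: to.href, headers: out };
}

// Minimal redirect-following loop around any fetch-like function.  A real
// fetch also rewrites method/body on 301/302/303; that is omitted here.
function fetchFollowing(url, init, fetchImpl, maxRedirects = 20) {
  let headers = lowerKeys(init.headers);
  for (let i = 0; i <= maxRedirects; i++) {
    const res = fetchImpl(url, { ...init, headers });
    const loc = res.headers.location;
    if (![301, 302, 303, 307, 308].includes(res.status) || !loc) return res;
    ({ url, headers } = headersForRedirect(url, loc, headers));
  }
  throw new Error("too many redirects");
}

// Constructed stand-in for the advisory's servers (assumed ports and paths):
//   :3001/        -> 302 to http://localhost:3002/redirected (cross-origin)
//   :3001/bounce  -> 302 to /final (same-origin, relative Location)
//   anything else -> 200 reporting whether an Authorization header arrived
function fakeFetch(url, init) {
  const u = new URL(url);
  if (u.port === "3001" && u.pathname === "/") {
    return { status: 302, headers: { location: "http://localhost:3002/redirected" }, body: null };
  }
  if (u.port === "3001" && u.pathname === "/bounce") {
    return { status: 302, headers: { location: "/final" }, body: null };
  }
  return {
    status: 200,
    headers: { "content-type": "application/json" },
    body: { url: u.href, hasAuth: "authorization" in init.headers },
  };
}

const token = { headers: { Authorization: "Bearer secret" } };
const crossOrigin = fetchFollowing("http://localhost:3001/", token, fakeFetch);
const sameOrigin = fetchFollowing("http://localhost:3001/bounce", token, fakeFetch);
console.log("cross-origin hop:", crossOrigin.body);   // hasAuth: false
console.log("same-origin hop:", sameOrigin.body);     // hasAuth: true
```

Comparing `origin` rather than hostnames is what makes the scheme and port cases fall out for free: `https://a.example` and `http://a.example` are different origins, as are `localhost:3001` and `localhost:3002`, while `http://a.example:80` and `http://a.example` normalise to the same one.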
January 6th, 2025 (6 months ago)
|
CVE-2024-35498 |
Description: A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-35498
https://github.com/r4vanan/Stored-xss-Grav-v1.7.45
https://r4vanan.medium.com/a-quick-dive-into-xss-vulnerability-in-grav-cms-v1-7-45-cve-2024-35498-fc236b7d74a0
https://github.com/advisories/GHSA-m78c-qx99-mvw9
EPSS Score: 0.04%
January 6th, 2025 (6 months ago)
|
CVE-2024-46209 |
Description: A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-46209
https://github.com/h4ckr4v3n/CVE-2024-46209/blob/main/REDAXO%20Stored%20XSS%20%2B%20RCE.pdf
https://github.com/h4ckr4v3n/research_redaxo_5_17_1.git
https://github.com/advisories/GHSA-2p95-8xvm-2pjx
EPSS Score: 0.04%
January 6th, 2025 (6 months ago)
|
Description: Cybersecurity industry visionary and renowned executive Amit Yoran has passed away after an almost one-year battle with cancer.
January 6th, 2025 (6 months ago)
|