CyberAlerts

Description: In late 2023, the online jewellery store GLAMIRA suffered a data breach they attributed to "an unauthorised individual [who] briefly accessed one of our servers". The data was subsequently published on a popular hacking forum and included 875k email addresses, names, phone numbers and purchases.

Source: HaveIBeenPwnedLatestBreaches

January 3rd, 2025 (6 months ago)

Critical Deadline: Update Old .NET Domains Before January 7, 2025 to Avoid Service Disruption

Description: Microsoft has announced that it's making an "unexpected change" to the way .NET installers and archives are distributed, requiring developers to update their production and DevOps infrastructure. "We expect that most users will not be directly affected, however, it is critical that you validate if you are affected and to watch for downtime or other kinds of breakage," Richard Lander, a program

Source: TheHackerNews

January 3rd, 2025 (6 months ago)

Apple to Pay Siri Users $20 Per Device in Settlement Over Accidental Siri Privacy Violations

Description: Apple has agreed to pay $95 million to settle a proposed class action lawsuit that accused the iPhone maker of invading users' privacy using its voice-activated Siri assistant. The development was first reported by Reuters. The settlement applies to U.S.-based individuals current or former owners or purchasers of a Siri-enabled device who had their confidential voice communications with the

Source: TheHackerNews

January 3rd, 2025 (6 months ago)

Proposed HIPAA Amendments Will Close Healthcare Security Gaps

Description: The changes to the healthcare privacy regulation with technical controls such as network segmentation, multi-factor authentication, and encryption. The changes would strengthen cybersecurity protections for electronic health information and address evolving threats against healthcare entities.

Source: Dark Reading

January 3rd, 2025 (6 months ago)

CVE-2024-8447

Narayana: deadlock via multiple join requests sent to lra coordinator

Description: A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.

EPSS Score: 0.05%

Source: CVE

January 3rd, 2025 (6 months ago)

CVE-2024-7319

Openstack-heat: incomplete fix for cve-2023-1625

Description: An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied.

EPSS Score: 0.05%

Source: CVE

January 3rd, 2025 (6 months ago)

CVE-2024-7318

Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity

Description: A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.

EPSS Score: 0.05%

Source: CVE

January 3rd, 2025 (6 months ago)

CVE-2024-7260

Keycloak-core: open redirect on account page

Description: An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.

EPSS Score: 0.05%

Source: CVE

January 3rd, 2025 (6 months ago)

CVE-2024-56520

An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for...

Description: An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed.

EPSS Score: 0.05%

Source: CVE

January 3rd, 2025 (6 months ago)

CVE-2024-56519

An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.

Description: An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.

EPSS Score: 0.05%

Source: CVE

January 3rd, 2025 (6 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

	GLAMIRA - 999,999 breached accounts Description: In late 2023, the online jewellery store GLAMIRA suffered a data breach they attributed to "an unauthorised individual [who] briefly accessed one of our servers". The data was subsequently published on a popular hacking forum and included 875k email addresses, names, phone numbers and purchases. Source: HaveIBeenPwnedLatestBreaches January 3rd, 2025 (6 months ago)
	Critical Deadline: Update Old .NET Domains Before January 7, 2025 to Avoid Service Disruption Description: Microsoft has announced that it's making an "unexpected change" to the way .NET installers and archives are distributed, requiring developers to update their production and DevOps infrastructure. "We expect that most users will not be directly affected, however, it is critical that you validate if you are affected and to watch for downtime or other kinds of breakage," Richard Lander, a program Source: TheHackerNews January 3rd, 2025 (6 months ago)
	Apple to Pay Siri Users $20 Per Device in Settlement Over Accidental Siri Privacy Violations Description: Apple has agreed to pay $95 million to settle a proposed class action lawsuit that accused the iPhone maker of invading users' privacy using its voice-activated Siri assistant. The development was first reported by Reuters. The settlement applies to U.S.-based individuals current or former owners or purchasers of a Siri-enabled device who had their confidential voice communications with the Source: TheHackerNews January 3rd, 2025 (6 months ago)
	Proposed HIPAA Amendments Will Close Healthcare Security Gaps Description: The changes to the healthcare privacy regulation with technical controls such as network segmentation, multi-factor authentication, and encryption. The changes would strengthen cybersecurity protections for electronic health information and address evolving threats against healthcare entities. Source: Dark Reading January 3rd, 2025 (6 months ago)
CVE-2024-8447	Narayana: deadlock via multiple join requests sent to lra coordinator Description: A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service. EPSS Score: 0.05% Source: CVE January 3rd, 2025 (6 months ago)
CVE-2024-7319	Openstack-heat: incomplete fix for cve-2023-1625 Description: An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied. EPSS Score: 0.05% Source: CVE January 3rd, 2025 (6 months ago)
CVE-2024-7318	Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity Description: A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid. EPSS Score: 0.05% Source: CVE January 3rd, 2025 (6 months ago)
CVE-2024-7260	Keycloak-core: open redirect on account page Description: An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks. Once a crafted URL is made, it can be sent to a Keycloak admin via email for example. This will trigger this vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as a OAuth redirect uri. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain. EPSS Score: 0.05% Source: CVE January 3rd, 2025 (6 months ago)
CVE-2024-56520	An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for... Description: An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed. EPSS Score: 0.05% Source: CVE January 3rd, 2025 (6 months ago)
CVE-2024-56519	An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute. Description: An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute. EPSS Score: 0.05% Source: CVE January 3rd, 2025 (6 months ago)