CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: [AI generated] N/A
May 21st, 2025 (about 1 month ago)
|
|
|
Description: [AI generated] N/A
May 21st, 2025 (about 1 month ago)
|
|
|
Description: [AI generated] N/A
May 21st, 2025 (about 1 month ago)
|
|
Description: Introduction
Versa Concerto is a widely used network security and SD-WAN orchestration platform, designed to provide seamless policy management, analytics, and automation for enterprises. With a growing customer base that includes large enterprises, service providers, and government entities, the security of this platform is critical. Given its extensive adoption and potential exposure to external threats, we initiated research to assess its security posture and uncover possible vulnerabilities
May 21st, 2025 (about 1 month ago)
|
CVE-2025-45752 |
Description: A vulnerability in SeedDMS 6.0.32 allows an attacker with admin privileges to execute arbitrary PHP code by exploiting the zip import functionality in the Extension Manager.
EPSS Score: 0.05%
May 21st, 2025 (about 1 month ago)
|
|
CVE-2025-44083 |
Description: An issue in D-Link DI-8100 16.07.26A1 allows a remote attacker to bypass administrator login authentication
EPSS Score: 0.14%
May 21st, 2025 (about 1 month ago)
|
|
May 21st, 2025 (about 1 month ago)
|
|
Description: Summary
The ejson2env tool has a vulnerability related to how it writes to stdout. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to stdout. If this output is improperly utilized in further command execution, it could lead to command injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system.
Details
The vulnerability exists because environment variables are not properly sanitized during the decryption phase, which enables malicious keys or encrypted values to inject commands.
Impact
An attacker with control over .ejson files can inject commands in the environment where source $(ejson2env) or eval ejson2env are executed.
Mitigation
Update to a version of ejson2env that sanitizes the output during decryption or
Do not use ejson2env to decrypt untrusted user secrets or
Do not evaluate or execute the direct output from ejson2env without removing nonprintable characters.
Credit
Thanks to security researcher Demonia for reporting this issue.
References
https://github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6
https://github.com/Shopify/ejson2env/commit/592b3ceea967fee8b064e70983e8cec087b6d840
https://github.com/advisories/GHSA-2c47-m757-32g6
May 21st, 2025 (about 1 month ago)
|
|
|
Description: Summary
The ejson2env tool has a vulnerability related to how it writes to stdout. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to stdout. If this output is improperly utilized in further command execution, it could lead to command injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system.
Details
The vulnerability exists because environment variables are not properly sanitized during the decryption phase, which enables malicious keys or encrypted values to inject commands.
Impact
An attacker with control over .ejson files can inject commands in the environment where source $(ejson2env) or eval ejson2env are executed.
Mitigation
Update to a version of ejson2env that sanitizes the output during decryption or
Do not use ejson2env to decrypt untrusted user secrets or
Do not evaluate or execute the direct output from ejson2env without removing nonprintable characters.
Credit
Thanks to security researcher Demonia for reporting this issue.
References
https://github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6
https://github.com/Shopify/ejson2env/commit/592b3ceea967fee8b064e70983e8cec087b6d840
https://github.com/advisories/GHSA-2c47-m757-32g6
May 21st, 2025 (about 1 month ago)
|
|
|
Description: Impact
In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check (see, e.g., https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj). Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impac...
May 21st, 2025 (about 1 month ago)
|