CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: Impact
In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are editing documents on which required rights are enforced can be sure that they're not giving a right to a script or object that it didn't have before. A bug in the implementation of the enforcement of this rule means that in fact, it was possible for any user with edit right on a document to set programming right as required right. If then a user with programming right edited that document, the content of that document would gain programming right, allowing remote code execution. This thereby defeats most of the security benefits of required rights. As XWiki still performs the required rights analysis when a user edits a page even when required rights are enforced, the user with programming right would still be warned about the dangerous content unless the attacker managed to bypass this check (see, e.g., https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c32m-27pj-4xcj). Note also that none of the affected versions include a UI for enabling the enforcing of required rights so it seems unlikely that anybody relied on them for security in the affected versions. As this vulnerability provides no additional attack surface unless all documents in the wiki enforce required rights, we consider the impac...
May 21st, 2025 (about 1 month ago)
|
|
May 21st, 2025 (about 1 month ago)
|
|
Description: A sting involving law enforcement and private sector companies disrupted the Lumma infostealer — malware sold around the globe to cybercriminals and used for millions of infections.
May 21st, 2025 (about 1 month ago)
|
|
|
Description: Summary
The ejson2env tool has a vulnerability related to how it writes to stdout. Specifically, the tool is intended to write an export statement for environment variables and their values. However, due to inadequate output sanitization, there is a potential risk where variable names or values may include malicious content, resulting in additional unintended commands being output to stdout. If this output is improperly utilized in further command execution, it could lead to command injection vulnerabilities, allowing an attacker to execute arbitrary commands on the host system.
Details
The vulnerability exists because environment variables are not properly sanitized during the decryption phase, which enables malicious keys or encrypted values to inject commands.
Impact
An attacker with control over .ejson files can inject commands in the environment where source $(ejson2env) or eval ejson2env are executed.
Mitigation
Update to a version of ejson2env that sanitizes the output during decryption or
Do not use ejson2env to decrypt untrusted user secrets or
Do not evaluate or execute the direct output from ejson2env without removing nonprintable characters.
Credit
Thanks to security researcher Demonia for reporting this issue.
References
https://github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6
https://github.com/Shopify/ejson2env/commit/592b3ceea967fee8b064e70983e8cec087b6d840
https://github.com/advisories/GHSA-2c47-m757-32g6
May 21st, 2025 (about 1 month ago)
|
|
Description: Russian cyber threat actors have been attributed to a state-sponsored campaign targeting Western logistics entities and technology companies since 2022.
The activity has been assessed to be orchestrated by APT28 (aka BlueDelta, Fancy Bear, or Forest Blizzard), which is linked to the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, Military Unit 26165.
May 21st, 2025 (about 1 month ago)
|
|
Description: Two Democratic members of the Privacy and Civil Liberties Oversight Board were unlawfully removed from their positions by President Donald Trump, a federal judge ruled.
May 21st, 2025 (about 1 month ago)
|
CVE-2025-5020 |
Description: Opening maliciously-crafted URLs in Firefox from other apps such as Safari could have allowed attackers to spoof website addresses if the URLs utilized non-HTTP schemes used internally by the Firefox iOS client This vulnerability affects Firefox for iOS < 139.
EPSS Score: 0.03%
May 21st, 2025 (about 1 month ago)
|
|
CVE-2025-25539 |
Description: Local File Inclusion vulnerability in Vasco v3.14and before allows a remote attacker to obtain sensitive information via help menu.
EPSS Score: 0.05%
May 21st, 2025 (about 1 month ago)
|
|
CVE-2024-56428 |
Description: The local iLabClient database in itech iLabClient 3.7.1 allows local attackers to read cleartext credentials (from the CONFIGS table) for their servers configured in the client.
EPSS Score: 0.01%
May 21st, 2025 (about 1 month ago)
|
|
Description: The Russian government has introduced a new law that makes installing a tracking app mandatory for all foreign nationals in the Moscow region. [...]
May 21st, 2025 (about 1 month ago)
|