Description: Last week, ProjectDiscovery took home the title of Most Innovative Startup at the 2025 RSA Innovation Sandbox, the biggest stage in the world for security innovation. While much of this year’s buzz centered on securing AI, our win was a powerful signal: even as new frontiers emerge, foundational problems like vulnerability management remain unsolved. Security leaders are still spending millions on tools that generate noise instead of insight, and the industry is ready for a better way.
Our COO,
May 6th, 2025 (about 2 months ago)
Description: Summary
Due to a validation error in got.scpaping, it is possible to use an HTTP redirect to bypass IP filtering.
Details
In got.scpaping, Summaly first makes an HTTP HEAD request to the page being summarized. It then performs private IP address checks on the HEAD response and makes an additional HTTP GET request to the same page. Unfortunately, since private IP address checks are not performed on the GET response, the GET response can issue an HTTP redirect to a private IP address, which will be followed regardless of whether private IP addresses are allowed by Summaly.
PoC
With a simple Caddy webserver, you can get Summaly to summarize a page hosted via a local IP address. The site address wrapping the matchers is assumed here; the advisory shows only the matchers and directives:

```caddyfile
# Site address assumed for a runnable Caddyfile; the advisory lists only the matchers and directives.
:8080 {
	@summaly-bypass-head {
		method HEAD
		path /summaly-bypass
	}
	@summaly-bypass-get {
		method GET
		path /summaly-bypass
	}
	# The HEAD response is what Summaly's private-IP check inspects: plain 200, no redirect.
	header @summaly-bypass-head Content-Type "text/html"
	respond @summaly-bypass-head 200
	# The subsequent GET response is not re-checked, so its redirect to a private address is followed.
	redir @summaly-bypass-get http://127.0.0.1:3080/
}
```
Impact
Using this bypass, an attacker can probe a victim's internal network for HTTP services that are not supposed to be exposed to the outside world. While this only gives read-only access, it may still be possible to extract sensitive information or to probe a network prior to attacking via other exploits without leaving a trace.
References
https://github.com/misskey-dev/summaly/security/advisories/GHSA-jqx4-9gpq-rppm
https://github.com/misskey-dev/summaly/commit/dfe6451012aac42eabe71d4ed721d8058c4066b4
https://...
May 6th, 2025 (about 2 months ago)
Description: Hackers are exploiting an unauthenticated remote code execution (RCE) vulnerability in the Samsung MagicINFO 9 Server to hijack devices and deploy malware. [...]
May 6th, 2025 (about 2 months ago)
Description: Affected Environments
Note that this issue only affects the V0 engine, which has been off by default since v0.8.0. Further, the issue only applies to a deployment using tensor parallelism across multiple hosts, which we do not expect to be a common deployment pattern.
Since V0 has been off by default since v0.8.0 and the fix is fairly invasive, we have decided not to fix this issue. Instead we recommend that users ensure their environment is on a secure network in case this pattern is in use.
The V1 engine is not affected by this issue.
Impact
In a multi-node vLLM deployment using the V0 engine, vLLM uses ZeroMQ for some multi-node communication purposes. The secondary vLLM hosts open a SUB ZeroMQ socket and connect to an XPUB socket on the primary vLLM host.
https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L295-L301
When data is received on this SUB socket, it is deserialized with pickle. This is unsafe, as it can be abused to execute code on a remote machine.
https://github.com/vllm-project/vllm/blob/c21b99b91241409c2fdf9f3f8c542e8748b317be/vllm/distributed/device_communicators/shm_broadcast.py#L468-L470
Since the vulnerability exists in a client that connects to the primary vLLM host, this vulnerability serves as an escalation point. If the primary vLLM host is compromised, this vulnerability could be used to compromise the rest of the hosts in the vLLM deployment.
Attackers coul...
May 6th, 2025 (about 2 months ago)
Description: Impact
Based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists.
Patches
Patched in 10.8.10 and 13.8.1.
Workarounds
None available.
References
https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-4g8m-5mj5-c8xg
https://github.com/umbraco/Umbraco-CMS/commit/14fbd20665b453cbf094ccf4575b79a9fba07e03
https://github.com/umbraco/Umbraco-CMS/commit/34709be6cce9752dfa767dffbf551305f48839bc
https://github.com/advisories/GHSA-4g8m-5mj5-c8xg
May 6th, 2025 (about 2 months ago)
Description: Impact:
A security issue has been found in terraform-provider-windns before version 1.0.5. The windns_record resource did not sanitize its input variables. This can lead to authenticated command injection in the underlying PowerShell command prompt.
Patches:
83ef736 (fix: better input validation)
Fixed versions:
v1.0.5
References
https://github.com/nrkno/terraform-provider-windns/security/advisories/GHSA-4vgf-2cm4-mp7c
https://github.com/nrkno/terraform-provider-windns/commit/c76f69610c1b502f90aaed8c4f102194530b5bce
https://github.com/advisories/GHSA-4vgf-2cm4-mp7c
May 6th, 2025 (about 2 months ago)
Description: Summary
It seems that when running goshs without arguments it is possible for anyone to execute commands on the server. This was tested on version 1.0.4 of goshs. The command function was introduced in version 0.3.4.
Details
It seems that the function dispatchReadPump does not check the CLI option -c, thus allowing anyone to execute arbitrary commands through the use of websockets.
PoC
Used websocat for the PoC:

```shell
echo -e '{"type": "command", "content": "id"}' | ./websocat 'ws://192.168.1.11:8000/?ws' -t
```
Impact
The vulnerability only impacts goshs servers running vulnerable versions.
References
https://github.com/patrickhener/goshs/security/advisories/GHSA-rwj2-w85g-5cmm
https://github.com/patrickhener/goshs/commit/160220974576afe5111485b8d12fd36058984cfa
https://github.com/advisories/GHSA-rwj2-w85g-5cmm
May 6th, 2025 (about 2 months ago)
Description: Impact
ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents.
Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session.
However, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application's URI to retrieve the id and token, enabling them to authenticate on behalf of the user.
It’s important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API.
Patches
3.x versions are fixed on >=3.0.0
2.71.x versions are fixed on >=2.71.9
2.x versions are fixed on >=2.70.10
Workarounds
The recommended solution is to update ZITADEL to a patched version.
Questions
If you have any questions or comments about this advisory, please email us at [email protected]
Credits
Thanks to Józef Chraplewski from Nedap for reporting this vulnerability.
References
https://github.com/zitadel/zitadel/security/advisories/GHSA-g4r8-mp7g-85fq
https://github.com/zitadel/zitadel/commit/b1e60e7398d677f08b06fd7715227f70b7ca1162
https://github.com/zitadel/zitadel/releases/tag/v2.70.10
https://github.com/zitadel/zitadel/releases/tag/v2.71.9
https://github.com/zitadel/zitadel/releases/tag/v3.0.0
https://github.com/advisories/GHSA-g4r8-mp7g-85fq
May 6th, 2025 (about 2 months ago)
Description: The following functions in the tanton_engine crate are unsound due to a lack of sufficient boundary checks in the public API:
- Stack::offset()
- ThreadStack::get()
- RootMoveList::insert_score_depth()
- RootMoveList::insert_score()
The tanton_engine crate is no longer maintained, so there are no plans to fix this issue.
References
https://rustsec.org/advisories/RUSTSEC-2025-0031.html
https://github.com/advisories/GHSA-m2xr-2vj4-wh94
May 6th, 2025 (about 2 months ago)
Description: The California Privacy Protection Agency (CPPA) on Tuesday announced a six-figure fine and an order demanding significant business practice changes for a national clothing retailer which allegedly used a flawed privacy portal.
May 6th, 2025 (about 2 months ago)