Threat and Vulnerability Intelligence Database

Description: Summary: The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.

Details: The Dpanel service, when started with its default configuration, includes a hardcoded JWT secret embedded directly in its source code. This flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can bypass authentication, impersonate privileged users, and gain unauthorized administrative access. This enables full control over the host machine, potentially leading to sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network. It is recommended to replace the hardcoded secret with a securely generated value and load it from secure configuration storage to mitigate this vulnerability.

PoC: The core code snippet is shown below:

    import jwt

    # SECRET_KEY is the secret template hardcoded in the Dpanel source
    # (not reproduced in this excerpt); it is formatted with the app name.
    def generate_jwt(appname):
        payload = {
            "SECRET_KEY": "SECRET_VALUE",
        }
        print("appname:", appname)
        print("payload:", str(payload))
        token = jwt.encode(payload, SECRET_KEY.format(APP_NAME=appname), algorithm="HS256")
        return token

    appname = "SECRET_KEY"
    token = generate_jwt(appname)
    print("url token:", token)

Impact: Attackers who successfully exploit this vulnerability can write arbitrar...
Source: Github Advisory Database (Go)
April 15th, 2025 (7 days ago)
Description: Summary: When creating a new component from an existing component that has a source code repository URL specified in its settings, this URL is included in the client's URL parameters during the creation process. If, for example, the source code repository URL contains GitHub credentials, the confidential PAT and username are shown in plaintext and saved into browser history. Moreover, if the request URL is logged, the credentials are written to the logs in plaintext.

The problematic URL in question is of this form:

    https:///create/component/vcs/?repo=https%3A%2F%2F%3A%40github.com%2F%2F.git&project=1&category=&name=&slug=&is_glossary=False&vcs=github&source_language=228&license=&source_component=1#existing

If using the official Weblate Docker image, nginx logs the URL and the token in plaintext:

    nginx stdout | 127.0.0.1 - - [04/Apr/2025:10:46:54 +0000] "GET /create/component/vcs/?repo=https%3A%2F%2F%3A%40github.com%2F%2F.git&project=1&category=&name=&slug=&is_glossary=False&vcs=github&source_language=228&license=&source_component=1 HTTP/1.1" 200 17625 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0"

Reproduction: In a project, create a component which has the Repository push URL setting configured with, for example, a GitHub repository URL including a username and a PAT. In the same project, create another component using the From existing component option and selecting the previous component as the source. Click Continue. Observe that...
Source: Github Advisory Database (PIP)
April 15th, 2025 (7 days ago)
Description: Google is preparing for a future with AGI, ASI, and machine consciousness.
Source: 404 Media
April 15th, 2025 (7 days ago)
Description: PEÑA BRIONES MCDANIEL & CO. offers a wide range of accounting, tax, assurance, and consulting services across Texas and New Mexico. Their clientele includes individuals, non-profits, governments, financial institutions, and businesses from various industries. We are ready to upload more than 34 GB of essential corporate documents such as: marriage licenses, corporate licenses, agreements and contracts, personal passport scans, driver licenses, contact numbers and e-mail addresses of employees and customers, financial data (audits, payment details, reports), etc.
Source: Ransomware.live
April 15th, 2025 (7 days ago)
Description: King Industries, Inc. designs, manufactures, and distributes additives for small to large companies throughout the world who make their own branded products we all know and use like engine oils, greases, hydraulic oils, paints, coatings, and rubber goods. We are ready to upload more than 260 GB of essential corporate documents such as: corporate NDAs, passport scans, medical documents, contact numbers and e-mail addresses of employees and customers, financial data (audits, payment details, reports), etc.
Source: Ransomware.live
April 15th, 2025 (7 days ago)
Description: A House committee launched an investigation into the privacy and security risks associated with the bankruptcy of genetic testing company 23andMe and has asked its former CEO to testify at a hearing planned for early May.
Source: The Record
April 15th, 2025 (7 days ago)

CVE-2025-29280

Description: A stored cross-site scripting vulnerability in the website name field of the backend system settings interface of PerfreeBlog v4.0.11 allows an attacker to insert and execute arbitrary malicious code.

EPSS Score: 0.03%

Source: CVE
April 15th, 2025 (7 days ago)

CVE-2025-28136

Description: TOTOLINK A800R V4.1.2cu.5137_B20200730 was found to contain a buffer overflow vulnerability in downloadFile.cgi.

EPSS Score: 0.04%

Source: CVE
April 15th, 2025 (7 days ago)
Description: Cybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that's designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens. The package, ccxt-mexc-futures, purports to be an extension built on top of a popular Python library named ccxt (short for CryptoCurrency eXchange Trading),
Source: TheHackerNews
April 15th, 2025 (7 days ago)
Description: The China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems. "Threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of
Source: TheHackerNews
April 15th, 2025 (7 days ago)