CVE-2024-13610
Description: The Simple Social Media Share Buttons WordPress plugin before 6.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
EPSS Score: 0.03%
April 15th, 2025 (8 days ago)

CVE-2024-13207
Description: The Widget for Social Page Feeds WordPress plugin before 6.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
EPSS Score: 0.03%
April 15th, 2025 (8 days ago)

Description: Meta has announced that it will begin to train its artificial intelligence (AI) models using public data shared by adults across its platforms in the European Union, nearly a year after it paused its efforts due to data protection concerns from Irish regulators.
"This training will better support millions of people and businesses in Europe, by teaching our generative AI models to better
April 15th, 2025 (8 days ago)

Description: Pymatgen 2024.1 - Remote Code Execution (RCE)
April 15th, 2025 (8 days ago)

Description: Car rental giant Hertz Corporation warns it suffered a data breach after customer data for its Hertz, Thrifty, and Dollar brands was stolen in the Cleo zero-day data theft attacks. [...]
April 14th, 2025 (8 days ago)

[ash_authentication] ash_authentication has email link auto-click account confirmation vulnerability
Description: Impact
The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow these links, unintentionally confirming the account. This allows an attacker to register an account using another user's email and potentially have it auto-confirmed by the victim's email client.
This does not allow attackers to take over or access existing accounts or private data. It is limited to account confirmation of new accounts only.
Patches
A mitigation has been released in version 4.7.0. You will also need to upgrade to 2.6.0 or later of ash_authentication_phoenix to take advantage of the autogenerated views for confirmation. The fix updates the confirmation flow to require explicit user interaction (such as clicking a button on the confirmation page) rather than performing the confirmation via a GET request. This ensures that automatic link prefetching or scanning by email clients does not unintentionally confirm accounts.
To create a route to a prebuilt confirmation page, use the following in your router, in the same place as your auth routes.
```elixir
confirm_route(
  MyApp.Accounts.User,
  :confirm,  # strategy name assumed here; use the name of your confirmation add-on
  auth_routes_prefix: "/auth",
  overrides: [MyAppWeb.AuthOverrides, AshAuthentication.Phoenix.Overrides.Default],
  # use these options to keep your currently issued confirmation emails compatible
  # without the options below, the route will ...
)
```
April 14th, 2025 (8 days ago)

Description: Threat Attack Daily - 14th of April 2025
April 14th, 2025 (8 days ago)

Description: Ransomware Attack Update for the 14th of April 2025
April 14th, 2025 (8 days ago)

Description: The hallucination problem is not just pervasive, it is persistent as well, according to new research.
April 14th, 2025 (8 days ago)