Description: Groupe Custeau is a Sherbrooke-based company specializing in real estate development, rental properties, private financing, and investment. They offer efficient solutions in residential and commercial real estate markets. The company is commi ...
April 14th, 2025 (8 days ago)
Description: Company has 24 hours to contact us.
N.L. Olson & Associates maintains at all times, $1,000,000 E & O insurance and $1,000,000 general liability insurance. Careful consideration must be given to the selection of a firm to perform design an ...
April 14th, 2025 (8 days ago)
Description: American business services giant and government contractor Conduent disclosed today that client data was stolen in a January 2025 cyberattack. [...]
April 14th, 2025 (8 days ago)
Description: A vulnerability within the online application platform for insurance policies likely resulted in the breach of customer details.
April 14th, 2025 (8 days ago)
Description: Prodaft is currently buying accounts from five Dark Web forums and offers to pay extra for administrator or moderator accounts. The idea is to infiltrate forums to boost its threat intelligence.
April 14th, 2025 (8 days ago)
Description: Summary
Unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit it by crafting a malicious URL and getting a user to click a link with said URL.
Details
SvelteKit tracks which parameters in event.url.searchParams are read inside server load functions. If the application iterates over these parameters, the uses.search_params array included in the boot script (embedded in the server-rendered HTML) will contain every search param name in unsanitized form.
packages/kit/src/runtime/server/utils.js:150 has the stringify_uses(node) function which prints these out.
Reproduction
In a +page.server.js or +layout.server.js:
/** @type {import('@sveltejs/kit').Load} */
export function load(event) {
  const values = {};
  // Iterating over every key marks each search param name as a load dependency,
  // which is what causes the unsanitized names to be embedded in the boot script.
  for (const key of event.url.searchParams.keys()) {
    values[key] = event.url.searchParams.get(key);
  }
}
If a user visits the page in question via a link containing ?window.pwned%3D1, the parameter name will be included verbatim in the payload, causing the embedded script to be executed.
It is not necessary to return the parameter value from load or render it in the page, only to read it (which causes it to be tracked as a dependency) while load is running.
Impact
Any application that iterates over all values in event.url.searchParams in a load function in +page.server.js or +layout.server.js (directly or indirectly) is vulnerable to XSS.
Refere...
April 14th, 2025 (8 days ago)
Description: Swiss cybersecurity firm Prodaft has launched a new initiative called 'Sell your Source' where the company purchases verified and aged accounts on hacking forums to spy on cybercriminals. [...]
April 14th, 2025 (8 days ago)
Description: The firm assists businesses in small business accounting, tax preparation, strategic business planning, part-time Chief Financial Officer Services, and assistance in loan proposal preparation to banks among others.
We are ready to upload more than 20 GB of essential corporate documents such as: corporate NDA’s, personal SSN’s, internal corporate correspondence, contact numbers and e-mail addresses of employees and customers, driver licenses, corporate licenses, agreements and contracts, financial data (audits, payment details, reports), etc.
April 14th, 2025 (8 days ago)
Description: Established in 1980, the Al-Hejailan Group began as an engineering and contracting firm and has since evolved into a diversified holding company. Headquartered in Riyadh, with regional offices across the GCC...
April 14th, 2025 (8 days ago)