Description: This week, we discuss the phrase "activist journalist," waiting in line for a Switch 2, and teledildonics.
June 6th, 2025 (4 days ago)
|
Description: Security researchers at LayerX have uncovered a stealthy network of malicious Chrome extensions masquerading as in-browser sound enhancement tools. With over 700k installations globally, these add-ons appear to be lying dormant, awaiting remote instructions to execute malicious payloads. LayerX's report reveals that the extensions function as “sleeper agents,” capable of downloading and executing code from …
The post Sound-Boosting Chrome Extensions Potential Ticking Bombs appeared first on CyberInsider.
June 6th, 2025 (4 days ago)
|
Description: An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.
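As an added illustration (not Django's code and not Django's actual fix), the Python below reproduces the pattern the advisory describes: a response logger that interpolates request.path unescaped, so a path carrying a newline produces a second, attacker-authored log record, beside a variant that escapes control characters before logging. The logger name, the sample path and the escaping routine are assumptions; in a real request the newline would arrive percent-encoded (%0a) and be decoded into request.path by the WSGI layer.

```python
import io
import logging
import re

# Any control character, CR/LF and ESC included, can split or recolour a log line.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def escape_path(path: str) -> str:
    """Replace control characters with a visible \\xNN escape (assumed routine,
    not Django's) so a request path always stays on one log line."""
    return _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group(0)), path)


def log_not_found(path: str, escape: bool) -> list:
    """Emit a 'Not Found' warning for `path` the way a response logger would
    and return the captured output split into lines."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))

    logger = logging.getLogger("example.request")  # assumed logger name
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.WARNING)

    shown = escape_path(path) if escape else path
    logger.warning("Not Found (404): %s", shown)
    handler.flush()
    return buf.getvalue().splitlines()


# Constructed attacker path: a genuine request for "/missing", then a newline
# and a forged record claiming a successful admin login.
FORGED_PATH = "/missing\nINFO user=admin action=login result=success"

if __name__ == "__main__":
    for line in log_not_found(FORGED_PATH, escape=False):
        print("raw:     ", line)
    for line in log_not_found(FORGED_PATH, escape=True):
        print("escaped: ", line)
```

The unescaped run yields two records, the second indistinguishable from a real INFO line to anything that parses the file line by line; the escaped run yields one. The advisory's fix is to upgrade, but the same check applies to any of your own `logger.warning(..., request.path)` calls and to log viewers that honour ANSI escapes.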
References
https://nvd.nist.gov/vuln/detail/CVE-2025-48432
https://docs.djangoproject.com/en/dev/releases/security
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2025/jun/04/security-releases
http://www.openwall.com/lists/oss-security/2025/06/04/5
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-47.yaml
https://github.com/advisories/GHSA-7xr5-9hcq-chf9
CVSS: MEDIUM (4.0) EPSS Score: 0.05%
June 6th, 2025 (4 days ago)
|
Description: Overview
The laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. Because the SDK deserializes cookie content before any authentication has taken place, a threat actor could send a specially crafted cookie containing malicious serialized data.
Am I Affected?
You are affected by this vulnerability if you meet the following preconditions:
Applications using the laravel-auth0 SDK, versions 7.0.0-BETA1 through 7.2.1.
The laravel-auth0 SDK uses the Auth0-PHP SDK, versions 8.0.0-BETA3 through 8.3.0.
Fix
Upgrade Auth0/laravel-auth0 to the latest version (v7.17.0).
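The vulnerability class above, as an added illustration in Python rather than the SDK's PHP (pickle stands in for PHP unserialize): a session loader that deserializes whatever cookie bytes the client sent, beside one that first verifies an HMAC over the cookie and then parses data-only JSON. The cookie layout, the signing key and the gadget's harmless expression are assumptions; none of this is Auth0's code.

```python
import base64
import hashlib
import hmac
import json
import os
import pickle
from typing import Optional

SECRET_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: server-side secret


class Gadget:
    """Attacker-built object: merely unpickling it evaluates an expression of the
    attacker's choosing. The expression here is deliberately harmless."""

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def attacker_cookie() -> str:
    """Constructed malicious cookie value, sent with no prior authentication."""
    return base64.b64encode(pickle.dumps(Gadget())).decode()


# --- vulnerable pattern: deserialize whatever the client sent ---
def load_session_insecure(cookie: str):
    return pickle.loads(base64.b64decode(cookie))


def demo_insecure() -> bool:
    """True when the attacker's expression ran inside this server process:
    the 'session' that comes back is the result of their code, not our data."""
    return load_session_insecure(attacker_cookie()) == os.getpid()


# --- hardened pattern: authenticate the cookie, then parse data-only JSON ---
def issue_session_cookie(session: dict) -> str:
    payload = base64.urlsafe_b64encode(json.dumps(session).encode()).decode()
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def load_session_secure(cookie: str) -> Optional[dict]:
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered: nothing is parsed at all
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    print("attacker code ran during insecure load:", demo_insecure())
    print("same cookie under secure load:", load_session_secure(attacker_cookie()))
    good = issue_session_cookie({"sub": "user-123"})
    print("legitimate cookie:", load_session_secure(good))
```

The two properties that matter are order and format: the MAC is checked before any parsing, so an unauthenticated client never reaches the parser, and the parser itself (JSON) cannot instantiate objects, so even a key compromise does not turn the cookie into code execution.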
Acknowledgement
Okta would like to thank Andreas Forsblom for discovering this vulnerability.
References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
https://nvd.nist.gov/vuln/detail/CVE-2025-48951
https://github.com/advisories/GHSA-c42h-56wx-h85q
CVSS: CRITICAL (9.3) EPSS Score: 0.1%
June 6th, 2025 (4 days ago)
|
Description: CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)
CVSS: 6.2 (Medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Component: Facebook Authentication Logging
Version: Para v1.50.6
File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java
Vulnerable Line(s): Line 184 (logger.warn(...) with raw access token)
Technical Details:
The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:
logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);
Here, PROFILE_URL is a constant:
private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token=";
This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.
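One way to keep credentials out of such warnings regardless of which call site builds the URL, as an added example in Python rather than Para's Java (this is not Para's fix): a redaction routine for secret-bearing query parameters plus a logging filter that applies it to every record, driven against the exact PROFILE_URL quoted above. The parameter list, logger name and sample token are assumptions.

```python
import io
import logging
import re

# Constant copied from the advisory text.
PROFILE_URL = ("https://graph.facebook.com/me?fields=name,email,"
               "picture.width(400).type(square).height(400)&access_token=")

# Query parameters whose values are credentials; assumed list, extend per your IdP.
# The lookbehind requires a preceding '?' or '&' so e.g. "zipcode=" is untouched.
_SECRET_PARAM_RE = re.compile(
    r"(?<=[?&])(access_token|refresh_token|id_token|client_secret|code|token)=([^&#]*)",
    re.IGNORECASE,
)


def redact_url(url: str) -> str:
    """Mask the value of every secret-bearing query parameter, leaving host,
    path and the other parameters intact so the line stays useful for debugging."""
    return _SECRET_PARAM_RE.sub(lambda m: m.group(1) + "=[REDACTED]", url)


class RedactUrlFilter(logging.Filter):
    """Rewrites each record's rendered message so token-carrying URLs are
    redacted before any handler sees them."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_url(record.getMessage())
        record.args = ()
        return True


def log_failed_request(access_token: str, redact: bool) -> str:
    """Reproduce the warn() from the advisory with or without the filter
    installed and return the single captured log line."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))

    logger = logging.getLogger("example.facebook-auth")  # assumed logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.addHandler(handler)
    logger.propagate = False
    logger.setLevel(logging.WARNING)
    if redact:
        logger.addFilter(RedactUrlFilter())

    # Mirrors: logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e)
    logger.warning("Facebook auth request failed: GET %s", PROFILE_URL + access_token)
    handler.flush()
    return buf.getvalue().rstrip("\n")


if __name__ == "__main__":
    token = "EAABconstructedtoken123"  # constructed sample token
    print(log_failed_request(token, redact=False))
    print(log_failed_request(token, redact=True))
```

A logger-level filter catches string-concatenated URLs as well as ones passed as arguments, which matters here because the original builds the URL with `+` before logging. It is a safety net, not a substitute for never putting bearer tokens in query strings or log messages in the first place.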
References
https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g
https://nvd.nist.gov/vuln/detail/CVE-2025-49009
https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf
https://github.com/advisories/GHSA-qx7g-fx8q-545g
CVSS: MEDIUM (6.2) EPSS Score: 0.01%
June 6th, 2025 (4 days ago)
|
Description: Charles Brooks knows that people will share and alter his work. He just wants credit for his photos when it happens.
June 6th, 2025 (4 days ago)
|
|
CVE-2025-5779 |
Description: A vulnerability has been found in code-projects Patient Record Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /birthing.php. Manipulation of the argument itr_no/comp_id leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS: MEDIUM (5.3) EPSS Score: 0.03% SSVC Exploitation: poc
June 6th, 2025 (5 days ago)
|
CVE-2025-41646 |
Description: An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device.
CVSS: CRITICAL (9.8) EPSS Score: 0.35%
June 6th, 2025 (5 days ago)
|
CVE-2025-27531 |
Description: Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong from 1.13.0 before 2.1.0 and allows an authenticated attacker to read arbitrary files by double writing the param.
Users are recommended to upgrade to version 2.1.0, which fixes the issue.
EPSS Score: 0.02%
June 6th, 2025 (5 days ago)
|