Description: Summary
matrix-sdk-crypto versions 0.8.0 through 0.11.0 do not correctly validate the sender of an encrypted event. As a result, a malicious homeserver operator can modify events served to clients so that they appear to the recipient to have been sent by another user.
Although the CVSS score is 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N), we consider this a High Severity security issue.
Details
The Matrix specification requires that clients ensure that "the event’s sender, room_id, and the recorded session_id match a trusted session". The vulnerable matrix-sdk-crypto versions check that the room_id matches that of the session denoted by session_id, but do not check the sender.
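The following added example (not code from matrix-sdk-crypto or the matrix-rust-sdk project) models the check the specification asks for. It uses a constructed, simplified session store and event shape: the session records the user ID the room key was attributed to when it arrived, the event's sender and session_id come from the cleartext envelope that the homeserver can rewrite, and room_id comes from inside the decrypted payload. `verify_room_only` reproduces the check pattern the advisory describes for the vulnerable versions; `verify_per_spec` adds the missing sender comparison. All names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed, simplified model of the state a Matrix client holds for an
# inbound Megolm session. It is not the matrix-sdk-crypto data model.


@dataclass(frozen=True)
class InboundGroupSession:
    session_id: str
    room_id: str
    # User ID the room key was attributed to when it arrived over a verified
    # Olm channel; this is the only trustworthy statement of who can encrypt
    # with this session.
    sender_user_id: str


@dataclass(frozen=True)
class DecryptedEvent:
    # `sender` and `session_id` come from the cleartext event envelope, which
    # the homeserver relays and can rewrite at will.
    sender: str
    session_id: str
    # `room_id` is carried inside the Megolm ciphertext, so it is bound to the
    # session key rather than to the envelope.
    room_id: str


def verify_room_only(sessions: Dict[str, InboundGroupSession],
                     event: DecryptedEvent) -> Optional[str]:
    """Check pattern of the vulnerable versions as described in the advisory:
    session_id and room_id are compared, the sender is not.
    Returns None when the event is accepted, otherwise a rejection reason."""
    session = sessions.get(event.session_id)
    if session is None:
        return "unknown session"
    if session.room_id != event.room_id:
        return "room_id mismatch"
    return None


def verify_per_spec(sessions: Dict[str, InboundGroupSession],
                    event: DecryptedEvent) -> Optional[str]:
    """Spec-conformant check: sender, room_id and session_id must all match
    the trusted session."""
    reason = verify_room_only(sessions, event)
    if reason is not None:
        return reason
    session = sessions[event.session_id]
    if session.sender_user_id != event.sender:
        return "sender mismatch"
    return None


def sample_sessions() -> Dict[str, InboundGroupSession]:
    """Constructed store: one session shared by @alice in !room."""
    s = InboundGroupSession("sess-1", "!room:example.org", "@alice:example.org")
    return {s.session_id: s}


# Constructed events. GENUINE is what Alice sent; FORGED is the same
# ciphertext and session_id, but the homeserver rewrote the envelope's sender.
GENUINE = DecryptedEvent("@alice:example.org", "sess-1", "!room:example.org")
FORGED = DecryptedEvent("@bob:example.org", "sess-1", "!room:example.org")


if __name__ == "__main__":
    sessions = sample_sessions()
    for name, ev in (("genuine", GENUINE), ("forged", FORGED)):
        print(name, "room-only:", verify_room_only(sessions, ev),
              "spec:", verify_per_spec(sessions, ev))
```

The forged event passes the room-only check because nothing in the decrypted payload identifies the sender; only the identity recorded against the session when its key was received can anchor that, which is why the specification requires comparing it.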
Patches
The issue is resolved by 13c1d20, included in versions 0.11.1 and 0.12.0 of matrix-sdk-crypto.
Workarounds
Since a successful attack requires administrator access to the homeserver, users who trust the administrators of their local homeserver are not affected.
References
https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-x958-rvg6-956w
https://nvd.nist.gov/vuln/detail/CVE-2025-48937
https://github.com/matrix-org/matrix-rust-sdk/commit/13c1d2048286bbabf5e7bc6b015aafee98f04d55
https://github.com/matrix-org/matrix-rust-sdk/commit/56980745b4f27f7dc72ac296e6aa003e5d92a75b
https://spec.matrix.org/v1.14/client-server-api/#mmegolmv1aes-sha2
https://github.com/advisories/GHSA-x958-rvg6-95...
CVSS: MEDIUM (4.9) EPSS Score: 0.03%
June 10th, 2025 (7 days ago)
Description: Security researchers have disclosed a new Secure Boot bypass tracked as CVE-2025-3052 that can be used to turn off security on PCs and servers and install bootkit malware. [...]
CVSS: HIGH (8.2) EPSS Score: 0.02%
June 10th, 2025 (7 days ago)
Description: WebDAV & SMB client zero-days. KDC Proxy Service & Office critical RCEs.
June 10th, 2025 (7 days ago)
Description: Summary
It is possible to bypass the default REST API security and access the index page.
Details
The REST API security filter chain covers /rest and its subpaths, but not /rest with an extension appended (e.g., /rest.html), so such a request reaches the REST index without passing through the filter.
Impact
The REST API index can disclose whether certain extensions are installed.
Workaround
In ${GEOSERVER_DATA_DIR}/security/config.xml, change the paths for the rest filter to /rest.*,/rest/** and change the paths for the gwc filter to /gwc/rest.*,/gwc/rest/** and restart GeoServer.
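The following added example (not GeoServer code) shows why the workaround's pattern change matters. It implements a small Ant-style path matcher with the same semantics as Spring's AntPathMatcher (a trailing /** also matches the bare prefix) and runs a set of constructed probe paths against an assumed pre-workaround pattern set (OLD_REST, a guess based on the advisory's "rest and its subpaths"; the exact shipped default is not stated on the page) and against the pattern sets quoted in the workaround. Function and constant names are hypothetical.

```python
import re
from typing import Iterable, List


def ant_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one Ant-style path pattern into a regex for fullmatch().

    '**' spans any number of path segments, '*' stays within one segment and
    everything else is literal. A trailing '/**' also matches the bare prefix
    (so '/rest/**' matches '/rest'), following Spring's AntPathMatcher.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.endswith("/**") and i == len(pattern) - 3:
            parts.append("(?:/.*)?")
            i += 3
        elif pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))


def is_protected(path: str, filter_paths: str) -> bool:
    """True if `path` is caught by at least one comma-separated filter pattern."""
    return any(ant_to_regex(p.strip()).fullmatch(path) is not None
               for p in filter_paths.split(",") if p.strip())


def unprotected(paths: Iterable[str], filter_paths: str) -> List[str]:
    """Paths that slip past every pattern in `filter_paths`."""
    return [p for p in paths if not is_protected(p, filter_paths)]


# Assumed pre-workaround pattern set (an assumption, see lead-in).
OLD_REST = "/rest/**,/rest"
# Pattern sets from the advisory's workaround.
NEW_REST = "/rest.*,/rest/**"
NEW_GWC = "/gwc/rest.*,/gwc/rest/**"

# Constructed probe requests: the REST index with and without an extension,
# plus ordinary sub-resources that must stay covered.
PROBES = ["/rest", "/rest.html", "/rest.json",
          "/rest/workspaces", "/rest/workspaces.json"]

if __name__ == "__main__":
    print("bypasses old rules:", unprotected(PROBES, OLD_REST))
    print("bypasses new rules:", unprotected(PROBES, NEW_REST))
```

The extension variants /rest.html and /rest.json match neither /rest (exact) nor /rest/** (needs a slash after the prefix), which is the gap; /rest.* closes it while /rest/** still covers the bare index and all sub-resources. After editing config.xml, request /rest.html unauthenticated and confirm it is now challenged.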
References
https://github.com/geoserver/geoserver/security/advisories/GHSA-h86g-x8mm-78m5
https://nvd.nist.gov/vuln/detail/CVE-2025-27505
https://github.com/geoserver/geoserver/pull/8170
https://osgeo-org.atlassian.net/browse/GEOS-11664
https://osgeo-org.atlassian.net/browse/GEOS-11776
https://github.com/advisories/GHSA-h86g-x8mm-78m5
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
June 10th, 2025 (7 days ago)
Description: Summary
GeoServer executes attacker-supplied Jiffle scripts, either as a rendering transformation in WMS dynamic styles or as a WPS process; a script that enters an infinite loop causes a denial of service.
Details
The Jiffle language supports multiple loop constructs that will cause its code block to be continuously executed until a certain condition is met. The Jiffle runtime should be updated to throw an exception if the script exceeds a certain number of loop iterations.
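The following added example (not code from Jiffle, jai-ext or GeoServer) illustrates the kind of guard the advisory calls for: a single iteration budget charged by every loop in a script run, with an exception once it is spent. The "scripts" are constructed Python stand-ins for Jiffle while-loops (one terminating, one never-terminating, one nested) so the guard can be exercised offline. All names are hypothetical.

```python
class IterationLimitExceeded(RuntimeError):
    """Raised when a script spends its loop budget."""


class LoopGuard:
    """One iteration budget shared by every loop in a script run, so nested
    loops cannot multiply their way past the limit."""

    def __init__(self, max_iterations: int):
        self.max_iterations = max_iterations
        self.count = 0

    def tick(self) -> None:
        self.count += 1
        if self.count > self.max_iterations:
            raise IterationLimitExceeded(
                f"script exceeded {self.max_iterations} loop iterations")


def run_while(cond, body, state: dict, guard: LoopGuard) -> dict:
    """Evaluate a 'while (cond) { body }' loop over a state dict, charging one
    guard tick per iteration before the body executes."""
    while cond(state):
        guard.tick()
        body(state)
    return state


# Constructed stand-ins for Jiffle scripts; each takes the guard so its loops
# draw from the shared budget.

def well_behaved(guard: LoopGuard) -> dict:
    # while (i < 5) { acc += i; i++; }
    def body(s):
        s["acc"] += s["i"]
        s["i"] += 1
    return run_while(lambda s: s["i"] < 5, body, {"i": 0, "acc": 0}, guard)


def hostile(guard: LoopGuard) -> dict:
    # while (i >= 0) { i++; }  -- the condition never becomes false
    def body(s):
        s["i"] += 1
    return run_while(lambda s: s["i"] >= 0, body, {"i": 0}, guard)


def nested(guard: LoopGuard) -> dict:
    # while (y < 100) { x = 0; while (x < 100) { x++; } y++; }
    # 100 outer plus 10,000 inner iterations, all charged to one budget.
    def inner_body(s):
        s["x"] += 1

    def outer_body(s):
        s["x"] = 0
        run_while(lambda t: t["x"] < 100, inner_body, s, guard)
        s["y"] += 1
    return run_while(lambda s: s["y"] < 100, outer_body,
                     {"x": 0, "y": 0}, guard)


def evaluate(script, max_iterations: int = 1_000_000) -> tuple:
    """Run a script under a fresh budget.
    Returns (status, result, iterations_consumed)."""
    guard = LoopGuard(max_iterations)
    try:
        result = script(guard)
        return ("ok", result, guard.count)
    except IterationLimitExceeded:
        return ("rejected", None, guard.count)


if __name__ == "__main__":
    for name, script in (("well_behaved", well_behaved),
                         ("hostile", hostile), ("nested", nested)):
        print(name, evaluate(script, max_iterations=20_000))
```

Charging the tick before the body runs means a non-terminating loop is stopped after exactly max_iterations + 1 checks regardless of what the body does, and sharing one counter across nested loops keeps total work bounded rather than bounding each loop separately.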
Impact
This vulnerability allows attackers to conduct denial-of-service attacks.
Mitigation
This vulnerability can be mitigated by disabling WMS dynamic styling (see WMS Settings).
If the WPS extension is installed, the Jiffle process must also be disabled (see WPS Settings).
References
https://github.com/geoserver/geoserver/security/advisories/GHSA-gr67-pwcv-76gf
https://nvd.nist.gov/vuln/detail/CVE-2025-30145
https://github.com/geosolutions-it/jai-ext/pull/307
https://osgeo-org.atlassian.net/browse/GEOS-11778
https://github.com/advisories/GHSA-gr67-pwcv-76gf
CVSS: HIGH (7.5) EPSS Score: 0.05%
June 10th, 2025 (7 days ago)
Description: Founded in 1972, Rotary is one of the region’s leading oil and gas infrastructure services companies with extensive international experience offering fully inte... - On 31 May 2025, we hacked rotaryeng.com.sg and exfiltrated 4+ TB of data. Today, we make the first disclosure which incl...
June 10th, 2025 (7 days ago)
Description: Mount Rogers Community Services provides Mental Health, Developmental Disability, and Substance Use Services to the people of Bland, Carroll, Grayson, Smyth, and Wythe Counties as well as the City of Galax.
June 10th, 2025 (7 days ago)