Description: This daily article is intended to make it easier for those who want to stay updated with my regular Dark Web Informer and X/Twitter posts.
March 12th, 2025 (4 months ago)
Description: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-22870
https://go.dev/cl/654697
https://go.dev/issue/71984
https://pkg.go.dev/vuln/GO-2025-3503
http://www.openwall.com/lists/oss-security/2025/03/07/2
https://github.com/advisories/GHSA-qxp5-gwg8-xv66
EPSS Score: 0.02%
March 12th, 2025 (4 months ago)
Description: Summary
A session hijacking vulnerability exists when an attacker-controlled authoritative subdomain under a parent domain (e.g., subdomain.host.com) sets cookies scoped to the parent domain (.host.com). This allows session token replacement for applications hosted on sibling subdomains (e.g., community.host.com) if session tokens aren't rotated post-authentication.
Key Constraints:
Attacker must control any subdomain under the parent domain (e.g., evil.host.com or x.y.host.com).
Parent domain must not be on the Public Suffix List.
Because session tokens are not rotated after authentication, we can theoretically reproduce the vulnerability using browser dev tools, but due to the browser's security measures this does not seem to be exploitable as described.
Proof of Concept (Deno)
```javascript
Deno.serve({
    port: 8000, // default
    hostname: 'localhost',
    onListen: (o) => console.log(`Server started at http://${o.hostname}:${o.port}`, o),
  },
  async (req) => (console.log(req), new Response(
    `You've been served! You came from ${req.headers.get('referer')}`,
    {
      //status: 302, // would redirect user to page they came from
      status: 200,
      headers: {
        'set-cookie': 'session_cookie=mytoken; Domain=.deno.dev; Secure; HttpOnly',
        'location': req.headers.get('referer')
      }
    }
  ))
);
```
Attack Flow
Attacker Setup: Hosts server at evil.host.com.
Harvest Session Token: Attacker visits community.host.com to get a session token for h...
CVSS: MEDIUM (6.8) EPSS Score: 0.05%
March 12th, 2025 (4 months ago)
Description: Ransomware Attack Update for the 12th of March 2025
March 12th, 2025 (4 months ago)
Description: Threat Attack Daily - March 12th, 2025
March 12th, 2025 (4 months ago)
CVE-2024-47170
Description: Agnai is an artificial-intelligence-agnostic multi-user, multi-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. This only affects installations with `JSON_STORAGE` enabled, which is intended for local/self-hosting only. Version 1.0.330 fixes this issue.
CVSS: MEDIUM (4.3) EPSS Score: 0.15% SSVC Exploitation: none
March 12th, 2025 (4 months ago)
CVE-2024-45374
Description: The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF and the password is cracked via a brute-force attack, it is possible to decrypt the key and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is advised to use local QR encryption key sharing for additional security on this and previous versions.
CVSS: MEDIUM (5.3) EPSS Score: 0.02% SSVC Exploitation: none
March 12th, 2025 (4 months ago)
CVE-2024-45042
Description: Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the identity's highest available AAL is `aal1` even though it really is `aal2`. This means that the `highest_available` configuration will act as if the user has only one factor set up, for that particular user. This means that they can call the settings and whoami endpoints without an `aal2` session, even though that should be disallowed. An attacker would need to steal or guess a valid login OTP of a user who has only OTP for login enabled and who has an incorrect `available_aal` value stored, to exploit this vulnerability. All other aspects of the session (e.g. the session's aal) are not impacted by this issue. On the Ory Network, only 0.00066% of registered users were affected by this issue, and most of those users appeared to be test users. Their respective AAL values have since been updated and they are no longer vulnerable to this attack. Version 1.3.0 is not affected by this issue. As a workaround, those who require MFA should disable the passwordless code login method. If that is not possible, check the session's `aal` to identify whether the user has `aal1` or `aal2`.
CVSS: MEDIUM (4.4) EPSS Score: 0.12% SSVC Exploitation: none
March 12th, 2025 (4 months ago)
CVE-2024-25706
Description: There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.
CVSS: MEDIUM (6.1) EPSS Score: 0.32% SSVC Exploitation: none
March 12th, 2025 (4 months ago)