CyberAlerts

Threat Attack Daily - March 12th, 2025

Description: Threat Attack Daily - March 12th, 2025

Source: DarkWebInformer

March 12th, 2025 (4 months ago)

CVE-2024-47170

Agnai File Disclosure Vulnerability: JSON via Path Traversal

Description: Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. This only affects installations with `JSON_STORAGE` enabled which is intended to local/self-hosting only. Version 1.0.330 fixes this issue.

CVSS: MEDIUM (4.3)

EPSS Score: 0.15%

SSVC Exploitation: none

Source: CVE

March 12th, 2025 (4 months ago)

CVE-2024-45374

goTenna Pro ATAK Plugin Weak Password Requirements

Description: The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is advised to use local QR encryption key sharing for additional security on this and previous versions.

CVSS: MEDIUM (5.3)

EPSS Score: 0.02%

SSVC Exploitation: none

Source: CVE

March 12th, 2025 (4 months ago)

CVE-2024-45042

Ory Kratos's `highest_available` setting does not properly respect code + mfa credentials

Description: Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the identity’s highest available AAL is `aal1` even though it really is `aal2`. This means that the `highest_available` configuration will act as if the user has only one factor set up, for that particular user. This means that they can call the settings and whoami endpoint without a `aal2` session, even though that should be disallowed. An attacker would need to steal or guess a valid login OTP of a user who has only OTP for login enabled and who has an incorrect `available_aal` value stored, to exploit this vulnerability. All other aspects of the session (e.g. the session’s aal) are not impacted by this issue. On the Ory Network, only 0.00066% of registered users were affected by this issue, and most of those users appeared to be test users. Their respective AAL values have since been updated and they are no longer vulnerable to this attack. Version 1.3.0 is not affected by this issue. As a workaround, those who require MFA should disable the passwordless code login method. If that is not possible, check the sessions `aal` to identify if the user has `aal1` or `aal2`.

CVSS: MEDIUM (4.4)

EPSS Score: 0.12%

SSVC Exploitation: none

Source: CVE

March 12th, 2025 (4 months ago)

CVE-2024-25706

HTMLi at createFolder Content Injection

Description: There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks.

CVSS: MEDIUM (6.1)

EPSS Score: 0.32%

SSVC Exploitation: none

Source: CVE

March 12th, 2025 (4 months ago)

CVE-2025-25293

ruby-saml vulnerable to Remote Denial of Service (DoS) with compressed SAML responses

Description: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue.

CVSS: MEDIUM (6.6)

EPSS Score: 0.15%

SSVC Exploitation: none

Source: CVE

March 12th, 2025 (4 months ago)

CVE-2025-25292

Ruby SAML vulnerable to SAML authentication bypass due to namespace handling (parser differential)

Description: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue.

CVSS: HIGH (8.0)

EPSS Score: 1.05%

Source: CVE

March 12th, 2025 (4 months ago)

CVE-2025-25291

ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential)

Description: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue.

CVSS: HIGH (8.0)

EPSS Score: 1.11%

SSVC Exploitation: none

Source: CVE

March 12th, 2025 (4 months ago)

China-Backed Hackers Backdoor US Carrier-Grade Juniper MX Routers

Description: Mandiant researchers found the routers of several unnamed organizations (likely telcos and ISPs) were hacked by UNC3886, and contained a custom backdoor called "TinyShell."

Source: Dark Reading

March 12th, 2025 (4 months ago)

[ruby-saml] Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential)

Description: Summary An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. Impact This issue may lead to authentication bypass. References https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-754f-8gm6-c4r2 https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9 https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97 https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4 https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0 https://github.com/advisories/GHSA-754f-8gm6-c4r2

Source: Github Advisory Database (RubyGems)

March 12th, 2025 (4 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

	Threat Attack Daily - March 12th, 2025 Description: Threat Attack Daily - March 12th, 2025 Source: DarkWebInformer March 12th, 2025 (4 months ago)
CVE-2024-47170	Agnai File Disclosure Vulnerability: JSON via Path Traversal Description: Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to read arbitrary JSON files at attacker-chosen locations on the server. This issue can lead to unauthorized access to sensitive information and exposure of confidential configuration files. This only affects installations with `JSON_STORAGE` enabled which is intended to local/self-hosting only. Version 1.0.330 fixes this issue. CVSS: MEDIUM (4.3) EPSS Score: 0.15% SSVC Exploitation: none Source: CVE March 12th, 2025 (4 months ago)
CVE-2024-45374	goTenna Pro ATAK Plugin Weak Password Requirements Description: The goTenna Pro ATAK plugin uses a weak password for sharing encryption keys via the key broadcast method. If the broadcasted encryption key is captured over RF, and password is cracked via brute force attack, it is possible to decrypt it and use it to decrypt all future and past messages sent via encrypted broadcast with that particular key. This only applies when the key is broadcasted over RF. This is an optional feature, so it is advised to use local QR encryption key sharing for additional security on this and previous versions. CVSS: MEDIUM (5.3) EPSS Score: 0.02% SSVC Exploitation: none Source: CVE March 12th, 2025 (4 months ago)
CVE-2024-45042	Ory Kratos's `highest_available` setting does not properly respect code + mfa credentials Description: Ory Kratos is an identity, user management and authentication system for cloud services. Prior to version 1.3.0, given a number of preconditions, the `highest_available` setting will incorrectly assume that the identity’s highest available AAL is `aal1` even though it really is `aal2`. This means that the `highest_available` configuration will act as if the user has only one factor set up, for that particular user. This means that they can call the settings and whoami endpoint without a `aal2` session, even though that should be disallowed. An attacker would need to steal or guess a valid login OTP of a user who has only OTP for login enabled and who has an incorrect `available_aal` value stored, to exploit this vulnerability. All other aspects of the session (e.g. the session’s aal) are not impacted by this issue. On the Ory Network, only 0.00066% of registered users were affected by this issue, and most of those users appeared to be test users. Their respective AAL values have since been updated and they are no longer vulnerable to this attack. Version 1.3.0 is not affected by this issue. As a workaround, those who require MFA should disable the passwordless code login method. If that is not possible, check the sessions `aal` to identify if the user has `aal1` or `aal2`. CVSS: MEDIUM (4.4) EPSS Score: 0.12% SSVC Exploitation: none Source: CVE March 12th, 2025 (4 months ago)
CVE-2024-25706	HTMLi at createFolder Content Injection Description: There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks. CVSS: MEDIUM (6.1) EPSS Score: 0.32% SSVC Exploitation: none Source: CVE March 12th, 2025 (4 months ago)
CVE-2025-25293	ruby-saml vulnerable to Remote Denial of Service (DoS) with compressed SAML responses Description: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Prior to versions 1.12.4 and 1.18.0, ruby-saml is susceptible to remote Denial of Service (DoS) with compressed SAML responses. ruby-saml uses zlib to decompress SAML responses in case they're compressed. It is possible to bypass the message size check with a compressed assertion since the message size is checked before inflation and not after. This issue may lead to remote Denial of Service (DoS). Versions 1.12.4 and 1.18.0 fix the issue. CVSS: MEDIUM (6.6) EPSS Score: 0.15% SSVC Exploitation: none Source: CVE March 12th, 2025 (4 months ago)
CVE-2025-25292	Ruby SAML vulnerable to SAML authentication bypass due to namespace handling (parser differential) Description: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 contain a patch for the issue. CVSS: HIGH (8.0) EPSS Score: 1.05% Source: CVE March 12th, 2025 (4 months ago)
CVE-2025-25291	ruby-saml vulnerable to SAML authentication bypass due to DOCTYPE handling (parser differential) Description: ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently; the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. This issue may lead to authentication bypass. Versions 1.12.4 and 1.18.0 fix the issue. CVSS: HIGH (8.0) EPSS Score: 1.11% SSVC Exploitation: none Source: CVE March 12th, 2025 (4 months ago)
	China-Backed Hackers Backdoor US Carrier-Grade Juniper MX Routers Description: Mandiant researchers found the routers of several unnamed organizations (likely telcos and ISPs) were hacked by UNC3886, and contained a custom backdoor called "TinyShell." Source: Dark Reading March 12th, 2025 (4 months ago)
	[ruby-saml] Ruby SAML allows a SAML authentication bypass due to namespace handling (parser differential) Description: Summary An authentication bypass vulnerability was found in ruby-saml due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely different document structures from the same XML input. That allows an attacker to be able to execute a Signature Wrapping attack. Impact This issue may lead to authentication bypass. References https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-754f-8gm6-c4r2 https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv https://github.com/SAML-Toolkits/ruby-saml/commit/e76c5b36bac40aedbf1ba7ffaaf495be63328cd9 https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97 https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.12.4 https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.18.0 https://github.com/advisories/GHSA-754f-8gm6-c4r2 Source: Github Advisory Database (RubyGems) March 12th, 2025 (4 months ago)