Description: Microsoft Security Advisory CVE-2025-24070: .NET Elevation of Privilege Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 9.0, ASP.NET Core 8.0, and ASP.NET Core 2.3. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A vulnerability exists in ASP.NET Core applications that call RefreshSignInAsync with a user parameter that was not properly authenticated. It could allow an attacker to sign in to another user's account, resulting in Elevation of Privilege.
Announcement
Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/348
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected software
Any ASP.NET Core 9.0 application running on ASP.NET Core 9.0.2 or earlier.
Any ASP.NET Core 8.0 application running on ASP.NET Core 8.0.13 or earlier.
Any ASP.NET Core 2.x application consuming the package Microsoft.AspNetCore.Identity version 2.3.0 or earlier.
Affected Packages
The vulnerability affects any .NET Core project that uses one of the affected package versions listed below.

| Package name | Affected version | Patched version |
| --- | --- | --- |
| Microsoft.AspNetCore.Identity | 2.3.0 | 2.3.1 |

ASP.NET Core 9

| Package name | Affected version | Patched version |
| --- | --- | --- |
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 9.0.0, <= 9.0.2 | 9.0.3 |
| Microsoft.AspNetCore.App.Runtime.linux-... | | |
CVSS: HIGH (7.0) EPSS Score: 0.16%
March 11th, 2025 (4 months ago)
Description: Summary
There is a signature confusion attack in the HTTPRedirect binding. An attacker holding any signed SAMLResponse delivered via the HTTP-Redirect binding can cause the application to accept an unsigned message.
I believe that it exists for v4 only. I have not yet developed a PoC.
v5 builds the signed query from the same message that will be consumed, so the verified data and the processed data cannot diverge there.
Details
What is verified
data['SignedQuery'] is the string whose signature is verified against the IdP's public key.
It is built here:
https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L178-L217
The code iterates over each parameter name. Notably, sigQuery is overwritten on every SAMLRequest/SAMLResponse parameter it sees, so whichever of the two comes last in the query string is the one used for sigQuery.
For example, given:
SAMLRequest=a&SAMLResponse=idpsigned
SAMLResponse=idpsigned is set as sigQuery and is what is later verified.
What is actually processed
Processing uses the SAMLRequest parameter value first (if present) and only otherwise falls back to SAMLResponse:
https://github.com/simplesamlphp/saml2/blob/9545abd0d9d48388f2fa00469c5c1e0294f0303e/src/SAML2/HTTPRedirect.php#L104-L113
Given this, the contents that are processed might not be the same as the data that is actually verified.
Exploiting
Suppose an attacker has a signed HTTP-Redirect binding message from the IdP, say a signed logout response:
SAMLResponse=idpsigned&RelayState=...&SigAlg=...&Signature
The attacker can then prepend a SAMLRequest parameter:
SAMLRequest=unverifiedd...
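The parameter-order confusion described above, as an added example and not code from the saml2 project: a Python mirror of the v4 parseQuery and receive logic beside a receiver that verifies and consumes the same parameter, which is the v5 approach. The IdP signature is replaced by an HMAC over the signed query with a shared key, and the SAML messages are placeholder strings rather than deflated base64 XML; both are simplifications assumed so that the example runs with the standard library only.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

# Assumption: an HMAC with a shared key stands in for the IdP's asymmetric
# signature so the example runs with the standard library only.
IDP_KEY = b"example-idp-signing-key"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def sign(signed_query: str) -> str:
    return hmac.new(IDP_KEY, signed_query.encode(), hashlib.sha256).hexdigest()


def verify(signed_query: str, signature: str) -> bool:
    return hmac.compare_digest(sign(signed_query), signature)


def idp_redirect_query(message: str, relay_state: str) -> str:
    """Query string an IdP emits for a signed SAMLResponse over HTTP-Redirect.
    Real messages are deflated, base64-encoded XML; a placeholder string is used here."""
    signed = (f"SAMLResponse={quote(message, safe='')}"
              f"&RelayState={quote(relay_state, safe='')}"
              f"&SigAlg={quote(SIG_ALG, safe='')}")
    return signed + "&Signature=" + sign(signed)


def attacker_prepend_request(idp_query: str, forged_message: str) -> str:
    """Attacker puts an unsigned SAMLRequest in front of a query the IdP signed."""
    return f"SAMLRequest={quote(forged_message, safe='')}&" + idp_query


def split_query(query: str) -> list[tuple[str, str]]:
    """Raw (still URL-encoded) name/value pairs in wire order."""
    return [(n, v) for n, _, v in (p.partition("=") for p in query.split("&") if p)]


def parse_query_v4(query: str) -> dict:
    """Mirror of saml2 v4 HTTPRedirect::parseQuery: SignedQuery is rebuilt from the
    raw parameters, and sigQuery is overwritten for every SAMLRequest/SAMLResponse
    seen, so the last one in the query string wins."""
    data = {}
    sig_query = relay_state = sig_alg = ""
    for raw_name, raw_value in split_query(query):
        name = unquote(raw_name)
        data[name] = unquote(raw_value)
        if name in ("SAMLRequest", "SAMLResponse"):
            sig_query = f"{name}={raw_value}"
        elif name == "RelayState":
            relay_state = f"&RelayState={raw_value}"
        elif name == "SigAlg":
            sig_alg = f"&SigAlg={raw_value}"
    data["SignedQuery"] = sig_query + relay_state + sig_alg
    return data


def consumed_parameter(data: dict) -> str:
    """Mirror of receive(): SAMLRequest is consumed in preference to SAMLResponse."""
    for name in ("SAMLRequest", "SAMLResponse"):
        if name in data:
            return name
    raise ValueError("Missing SAMLRequest or SAMLResponse parameter.")


def receive_v4(query: str) -> tuple[str, bool]:
    """Vulnerable: the signature is checked over data['SignedQuery'], while the
    message handed to the application may come from a different parameter."""
    data = parse_query_v4(query)
    message = data[consumed_parameter(data)]
    return message, verify(data["SignedQuery"], data.get("Signature", ""))


def receive_fixed(query: str) -> tuple[str, bool]:
    """Fixed (the v5 approach): the signed query is built from the raw value of
    the very parameter that is consumed, so the two cannot diverge."""
    pairs = split_query(query)
    data = {unquote(n): unquote(v) for n, v in pairs}
    raw = {unquote(n): v for n, v in pairs}   # last raw value per decoded name
    name = consumed_parameter(data)
    signed = f"{name}={raw[name]}"
    for key in ("RelayState", "SigAlg"):
        if key in raw:
            signed += f"&{key}={raw[key]}"
    return data[name], verify(signed, data.get("Signature", ""))


if __name__ == "__main__":
    # Constructed inputs: placeholder messages, not real SAML documents.
    legit = idp_redirect_query("idpsigned", "https://sp.example/return")
    forged = attacker_prepend_request(legit, "unverified")
    print("v4, legit    :", receive_v4(legit))       # ('idpsigned', True)
    print("v4, forged   :", receive_v4(forged))      # ('unverified', True)  <- unsigned message accepted
    print("fixed, forged:", receive_fixed(forged))   # ('unverified', False)
```

Run as a script to see the three outcomes: the untouched IdP query verifies in both receivers, the forged query is accepted by the v4 logic with the unsigned SAMLRequest as the consumed message, and the fixed receiver rejects it because the string it checks now starts with SAMLRequest=unverified, which the IdP never signed.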
March 11th, 2025 (4 months ago)
Description: A Libya-linked threat actor has resurfaced, using the same old political phishing tricks to deliver AsyncRAT that have worked for years.
March 11th, 2025 (4 months ago)
CVE-2025-27591
Description: A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
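An added example, not code from the Below project, of the attack class CVE-2025-27591 describes and the check a reviewer would want: it builds a world-writable directory and a symlink to a stand-in for /etc/shadow inside a temporary directory, shows a naive append following the link into the victim file, and shows an append opened with O_NOFOLLOW refusing it. The directory and file names are constructed for the example, and it needs a POSIX system.

```python
import os
import shutil
import stat
import tempfile


def dir_is_symlink_attack_prone(path: str) -> bool:
    """True when any local user may create entries in `path`: world-writable
    with no sticky bit, which is what lets an unprivileged user plant a symlink
    where a root process will later write."""
    mode = os.lstat(path).st_mode
    return (stat.S_ISDIR(mode)
            and bool(mode & stat.S_IWOTH)
            and not bool(mode & stat.S_ISVTX))


def naive_append(log_path: str, line: str) -> None:
    """Follows a symlink at log_path and writes through to its target."""
    with open(log_path, "a") as f:
        f.write(line)


def hardened_append(log_path: str, line: str) -> None:
    """Refuses a symlink at the final path component (O_NOFOLLOW raises ELOOP)
    and never creates the log file with permissive bits."""
    fd = os.open(log_path,
                 os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW, 0o640)
    try:
        os.write(fd, line.encode())
    finally:
        os.close(fd)


def simulate_attack() -> dict:
    """Constructed scenario: a temp dir stands in for /var/log/below and a temp
    file for /etc/shadow; nothing outside the temp dir is touched."""
    root = tempfile.mkdtemp()
    try:
        logdir = os.path.join(root, "below")
        victim = os.path.join(root, "shadow")
        log = os.path.join(logdir, "below.log")
        os.mkdir(logdir)
        os.chmod(logdir, 0o777)             # the bug: world-writable, no sticky bit
        with open(victim, "w") as f:
            f.write("root:x:0:0:::\n")       # constructed stand-in content
        os.symlink(victim, log)              # attacker plants the link as an unprivileged user

        naive_append(log, "attacker::0:0:::\n")   # privileged writer follows the link
        with open(victim) as f:
            victim_tampered = "attacker" in f.read()

        try:
            hardened_append(log, "attacker::0:0:::\n")
            hardened_blocked = False
        except OSError:
            hardened_blocked = True

        return {
            "dir_prone": dir_is_symlink_attack_prone(logdir),
            "victim_tampered": victim_tampered,
            "hardened_blocked": hardened_blocked,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(simulate_attack())
```

The fix the advisory points to is not creating /var/log/below world-writable in the first place, and dir_is_symlink_attack_prone is the audit for that condition on a running host; opening log files with O_NOFOLLOW is the defence in depth a privileged writer should apply regardless of who owns the directory.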
EPSS Score: 0.02%
March 11th, 2025 (4 months ago)
CVE-2025-27174
Description: Acrobat Reader versions 24.001.30225, 20.005.30748, 25.001.20428 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVSS: HIGH (7.8) EPSS Score: 0.02% SSVC Exploitation: none
March 11th, 2025 (4 months ago)
CVE-2025-27170
Description: Illustrator versions 29.2.1, 28.7.4 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial of service condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVSS: MEDIUM (5.5) EPSS Score: 0.03% SSVC Exploitation: none
March 11th, 2025 (4 months ago)