Description: idna 0.5.0 and earlier accepts Punycode labels that do not produce any non-ASCII output, which means that either ASCII labels or the empty root label can be masked such that they appear unequal without IDNA processing or when processed with a different implementation and equal when processed with idna 0.5.0 or earlier.
Concretely, example.org and xn--example-.org become equal after processing by idna 0.5.0 or earlier. Also, example.org.xn-- and example.org. become equal after processing by idna 0.5.0 or earlier.
In applications using idna (but not in idna itself) this may lead to privilege escalation when host name comparison is part of a privilege check, provided that two further conditions hold: the client resolves domains containing such labels instead of treating them as errors that preclude DNS resolution or URL fetching, and the attacker manages to introduce a DNS entry (and a TLS certificate) for an xn---masked name that turns into the name of the target when processed by idna 0.5.0 or earlier.
Remedy
Upgrade to idna 1.0.3 or later, if depending on idna directly, or to url 2.5.4 or later, if depending on idna via url. (This issue was fixed in idna 1.0.0, but versions earlier than 1.0.3 are not recommended for other reasons.)
When upgrading, please take a moment to read about alternative Unicode back ends for idna.
If you are using Rust earlier than 1.81 in combination with SQLx 0.8.2 or earlier, please also read an issue about combining them with url 2.5.4 and idna ...
December 9th, 2024 (4 months ago)
Description: Impact
Some HTML attributes in Markdown in the internal templates listed below are not escaped. Impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates.
_default/_markup/render-link.html from v0.123.0
_default/_markup/render-image.html from v0.123.0
_default/_markup/render-table.html from v0.134.0
shortcodes/youtube.html from v0.125.0
Patches
Patched in v0.139.4.
Workarounds
Replace with user defined templates or disable the internal templates: https://gohugo.io/getting-started/configuration-markup/#renderhooksimageenabledefault
References
https://github.com/gohugoio/hugo/security/advisories/GHSA-c2xf-9v2r-r2rx
https://github.com/gohugoio/hugo/commit/54398f8d572c689f9785d59e907fd910a23401b0
https://github.com/gohugoio/hugo/releases/tag/v0.139.4
https://gohugo.io/about/security/
https://github.com/advisories/GHSA-c2xf-9v2r-r2rx
December 9th, 2024 (4 months ago)
Description: Generation of error messages containing analytics metadata information in Apache Superset.
This issue affects Apache Superset: before 4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-53948
https://lists.apache.org/thread/8howpf3png0wrgpls46ggk441oczlfvf
https://github.com/apache/superset/commit/ac3a10d8f192520580b8ce545cf418dc7928d27c
http://www.openwall.com/lists/oss-security/2024/12/09/3
https://github.com/advisories/GHSA-2cx9-54hp-r698
December 9th, 2024 (4 months ago)
Description: Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (it is disabled by default). Allows lower-privileged users to use this API.
This issue affects Apache Superset: from 2.0.0 before 4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-53949
https://lists.apache.org/thread/d3scbwmfpzbpm6npnzdw5y4owtqqyq8d
https://github.com/apache/superset/commit/7650c47e72f28559e91524f5d68d50c2060df4c7
http://www.openwall.com/lists/oss-security/2024/12/09/4
https://github.com/advisories/GHSA-35fc-9hrj-3585
December 9th, 2024 (4 months ago)
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.
This issue affects Apache Superset: before 4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue, or, as a mitigation, to add these PostgreSQL functions to the DISALLOWED_SQL_FUNCTIONS configuration setting.
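As an added example (not Superset's own code), the following shows what a denylist check for engine-specific functions has to get right: calls hidden in string literals, comments and dollar-quoted strings must not count, while schema-qualified (pg_catalog.table_to_xml), upper-cased and double-quoted ("table_to_xml") spellings must. The dictionary shape mirrors DISALLOWED_SQL_FUNCTIONS in Superset's config.py (engine name mapped to a set of function names); its contents here are an assumption seeded with the three functions this advisory adds, and the regex tokenizer is a stand-alone approximation, not Superset's SQL parser.

```python
import re

# Assumed config, shaped like Superset's DISALLOWED_SQL_FUNCTIONS (engine -> set of names).
DISALLOWED_SQL_FUNCTIONS: dict[str, set[str]] = {
    "postgresql": {
        "query_to_xml_and_xmlschema",
        "table_to_xml",
        "table_to_xml_and_xmlschema",
    },
}

# Lexical noise that must never yield a function name, plus double-quoted
# identifiers, which are kept (unquoted) so "table_to_xml"(...) is still seen.
_TOKEN_RE = re.compile(
    r"""
    (?P<str>'(?:[^']|'')*')                       # 'single-quoted' string, '' escapes a quote
  | (?P<dollar>\$(?P<tag>\w*)\$.*?\$(?P=tag)\$)   # $tag$ dollar-quoted $tag$ string
  | (?P<comment>--[^\n]*|/\*.*?\*/)               # -- line comment or /* block comment */
  | "(?P<ident>(?:[^"]|"")*)"                     # "double-quoted identifier"
    """,
    re.VERBOSE | re.DOTALL,
)

# name( or schema.name( ; the last dotted component is the function name.
_CALL_RE = re.compile(r"(?:[A-Za-z_][\w$]*\s*\.\s*)*([A-Za-z_][\w$]*)\s*\(")


def _strip_noise(sql: str) -> str:
    """Blank out strings and comments; unquote double-quoted identifiers."""
    def repl(m: re.Match) -> str:
        ident = m.group("ident")
        if ident is not None:
            return " " + ident.replace('""', '"') + " "
        return " "
    return _TOKEN_RE.sub(repl, sql)


def function_calls(sql: str) -> set[str]:
    """Lower-cased names of everything that syntactically looks like a call.

    Over-approximates (keywords followed by '(' are included too), which is
    the safe direction for a denylist.
    """
    return {m.group(1).lower() for m in _CALL_RE.finditer(_strip_noise(sql))}


def disallowed_calls(sql: str, engine: str,
                     config: dict[str, set[str]] = DISALLOWED_SQL_FUNCTIONS) -> list[str]:
    """Sorted list of function names in ``sql`` that the engine's denylist forbids."""
    denied = {name.lower() for name in config.get(engine, set())}
    return sorted(function_calls(sql) & denied)


if __name__ == "__main__":
    # Constructed sample queries for this example.
    for q in (
        "SELECT table_to_xml('users', true, false, '')",
        "SELECT pg_catalog.QUERY_TO_XML_AND_XMLSCHEMA('select 1', true, false, '')",
        "SELECT 'table_to_xml(' AS s FROM t -- table_to_xml(",
    ):
        print(q, "->", disallowed_calls(q, "postgresql"))
```

A denylist of this kind only works if the tokenizer and the database agree on what is a call; the three spellings above are the ones a denylist that matches on plain lower-case substrings would miss or mis-flag, and they are why the fix belongs in the SQL parser rather than in a string search.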
References
https://nvd.nist.gov/vuln/detail/CVE-2024-53947
https://lists.apache.org/thread/hj3gfsjh67vqw12nlrshlsym4bkopjmn
https://github.com/apache/superset/commit/0e0028260fc8a2099250701524a489f3c9aa146f
https://github.com/advisories/GHSA-92qf-8gh3-gwcm
December 9th, 2024 (4 months ago)
Description: The Trix editor, in versions prior to 2.1.9 and 1.3.3, is vulnerable to XSS + mutation XSS attacks when pasting malicious code.
Impact
An attacker could trick a user into copying and pasting malicious content that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.9 or later, which uses DOMPurify to sanitize the pasted content.
If using Trix 1.x, upgrade to version 1.3.3 or later.
Mitigations
This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can require browsers that support Content Security Policy, a CSP is an effective defence against this and other XSS vulnerabilities. Set a policy such as script-src 'self' so that only scripts hosted on the same origin are executed, and do not allow inline scripts (no 'unsafe-inline' in the governing source list; script-src-elem can be used to control script elements specifically).
Credits
The XSS vulnerability was reported by HackerOne researcher hiumee.
The mutation XSS vulnerability was reported by HackerOne researcher sudi.
References
https://github.com/basecamp/trix/security/advisories/GHSA-6vx4-v2jw-qwqh
https://github.com/basecamp/trix/commit/272c7e27e722608732a67108ad3fe7870e233ac8
https://github.com/advisories/GHSA-6vx4-v2jw-qwqh
December 9th, 2024 (4 months ago)
Description: Summary
When setting WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH to "public", an unauthenticated user is able to do any of the supported operations (CRUD, subscriptions) with full admin privileges.
Details
Accountability for unauthenticated WebSocket requests is set to null. Before the Permissions Policy update, null meant "public permissions"; since that update it defaults to system/admin level access. Instead of null, createDefaultAccountability() needs to be used so that public permissions apply to unauthenticated users.
PoC
1. Start Directus with
```
WEBSOCKETS_ENABLED=true
WEBSOCKETS_GRAPHQL_AUTH=public
WEBSOCKETS_REST_AUTH=public
```
2. Subscribe using GraphQL or REST, or perform any CRUD operation on a user-created collection (system tables are not reachable via CRUD):
```graphql
subscription {
  directus_users_mutated {
    key
    event
    data {
      id
      email
      first_name
      last_name
      password
    }
  }
}
```
or
```json
{
  "type": "items",
  "action": "read",
  "collection": "your_collection_name"
}
```
3a. Open the Data Studio as any user. Observe that the subscriber is notified on each page navigation (because the user's last_page gets updated; the password field is properly redacted here).
3b. Observe that all available items from the your_collection_name collection are received.
Impact
This impacts any Directus instance that has either WEBSOCKETS_GRAPHQL_AUTH or WEBSOCKETS_REST_AUTH set to public allowing unauthenticat...
December 9th, 2024 (4 months ago)
Description: Radiant Capital now says that North Korean threat actors are behind the $50 million cryptocurrency heist that occurred after hackers breached its systems in an October 16 cyberattack. [...]
December 9th, 2024 (4 months ago)
Description: Researchers demonstrate a proof-of-concept cyberattack vector that gets around remote, on-premises, and local versions of browser isolation security technology to send malicious communications from an attacker-controlled server.
December 9th, 2024 (4 months ago)
Description: Microsoft now blocks the Windows 11 24H2 update on computers with outdated Google Workspace Sync installs because they're causing Outlook launch issues. [...]
December 9th, 2024 (4 months ago)