Description: CISOs are planning to adjust their budgets this year to reflect their growing concerns for cybersecurity preparedness in the event of a cyberattack.
January 27th, 2025 (5 months ago)
|
Description: Apple has released a series of security updates across its product ecosystem, addressing multiple vulnerabilities, including a zero-day flaw that has reportedly been exploited in the wild. The updates, covering iOS, iPadOS, macOS, watchOS, tvOS, and visionOS, provide fixes for critical security issues that could allow privilege escalation, arbitrary code execution, and denial-of-service attacks. Actively …
The post Apple Fixes Zero-Day Flaw Exploited in Attacks Against iPhones appeared first on CyberInsider.
January 27th, 2025 (5 months ago)
|
Description: KINGSMAN INDIA Defaced the Websites of GOSRA ISLAMIA DAKHIL MADRASAH and GABTALI ALIM MADRASAH
January 27th, 2025 (5 months ago)
|
CVE-2025-24354 |
Description: Summary
Imgproxy does not block the 0.0.0.0 address, even with IMGPROXY_ALLOW_LOOPBACK_SOURCE_ADDRESSES set to false. This can expose services on the local host.
Details
imgproxy protects against SSRF to a loopback address with the following check (source):
```go
if !config.AllowLoopbackSourceAddresses && ip.IsLoopback() {
	return ErrSourceAddressNotAllowed
}
```
This check is insufficient to prevent access to services on the local host, because services may receive traffic on 0.0.0.0. Go's IsLoopback (source) strictly follows the definition of loopback addresses as those beginning with 127, so 0.0.0.0 is not blocked.
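Added example, not imgproxy's code or its shipped fix: the check quoted above next to a hardened variant that also rejects the unspecified addresses 0.0.0.0 and :: via net.IP.IsUnspecified. The function names and the error variable are hypothetical, and the sample addresses are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// Hypothetical error value standing in for imgproxy's ErrSourceAddressNotAllowed.
var ErrSourceAddressNotAllowed = errors.New("source address is not allowed")

// weakCheck mirrors the check quoted in the advisory: it relies on
// net.IP.IsLoopback alone, so 0.0.0.0 and :: are allowed through.
func weakCheck(ip net.IP, allowLoopback bool) error {
	if !allowLoopback && ip.IsLoopback() {
		return ErrSourceAddressNotAllowed
	}
	return nil
}

// hardenedCheck additionally rejects the unspecified addresses (0.0.0.0 and ::),
// which the kernel delivers to listeners on the local host. Illustrative only;
// the check must run on every address a hostname resolves to, not on the name.
func hardenedCheck(ip net.IP, allowLoopback bool) error {
	if !allowLoopback && (ip.IsLoopback() || ip.IsUnspecified()) {
		return ErrSourceAddressNotAllowed
	}
	return nil
}

func main() {
	// Constructed sample addresses: loopback, both unspecified forms, a public IP.
	for _, s := range []string{"127.0.0.1", "0.0.0.0", "::", "93.184.216.34"} {
		ip := net.ParseIP(s)
		fmt.Printf("%-14s weak=%v hardened=%v\n", s, weakCheck(ip, false), hardenedCheck(ip, false))
	}
}
```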
References
https://github.com/imgproxy/imgproxy/security/advisories/GHSA-j2hp-6m75-v4j4
https://nvd.nist.gov/vuln/detail/CVE-2025-24354
https://github.com/imgproxy/imgproxy/commit/3d4fed6842aa8930ec224d0ad75b0079b858e081
https://github.com/advisories/GHSA-j2hp-6m75-v4j4
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
January 27th, 2025 (5 months ago)
|
Description: Open-source password manager Bitwarden is adding an extra layer of security for accounts that are not protected by two-factor authentication, requiring email verification before allowing access to accounts. [...]
January 27th, 2025 (5 months ago)
|
CVE-2025-24357 |
Description: Description
The vllm/model_executor/weight_utils.py implements hf_model_weights_iterator to load the model checkpoint, which is downloaded from huggingface. It uses the torch.load function with the weights_only parameter left at its default value of False. The documentation at https://pytorch.org/docs/stable/generated/torch.load.html carries a security warning: when torch.load loads malicious pickle data, it executes arbitrary code during unpickling.
Impact
This vulnerability can be exploited to execute arbitrary code and OS commands on the machine of a victim who fetches the pretrained repo remotely.
Note that most models now use the safetensors format, which is not vulnerable to this issue.
References
https://pytorch.org/docs/stable/generated/torch.load.html
Fix: https://github.com/vllm-project/vllm/pull/12366
References
https://github.com/vllm-project/vllm/security/advisories/GHSA-rh4j-5rhw-hr54
https://nvd.nist.gov/vuln/detail/CVE-2025-24357
https://github.com/vllm-project/vllm/pull/12366
https://github.com/vllm-project/vllm/commit/d3d6bb13fb62da3234addf6574922a4ec0513d04
https://github.com/vllm-project/vllm/releases/tag/v0.7.0
https://github.com/advisories/GHSA-rh4j-5rhw-hr54
CVSS: HIGH (7.5) EPSS Score: 0.05%
January 27th, 2025 (5 months ago)
|
CVE-2024-55227 |
Description: A cross-site scripting (XSS) vulnerability in the Events/Agenda module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-55227
https://github.com/Dolibarr/dolibarr/commit/56710ce9b79a97df093f586c90bdaf6cce6a5808
https://github.com/Dolibarr/dolibarr/commit/9aa24d9d9aeab36358c725dae3fe20c9631082e7
https://github.com/Dolibarr/dolibarr/commit/c0250e4c9106b5c889e512a4771f0205d4f99b99
https://gist.github.com/Dqtdqt/9762466cd6ec541ea265ba33b09489ff
https://github.com/Dolibarr/dolibarr/security/policy
https://github.com/advisories/GHSA-2v3r-gvq5-qqgh
EPSS Score: 0.12%
January 27th, 2025 (5 months ago)
|
CVE-2024-55228 |
Description: A cross-site scripting (XSS) vulnerability in the Product module of Dolibarr v21.0.0-beta allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-55228
https://github.com/Dolibarr/dolibarr/commit/56710ce9b79a97df093f586c90bdaf6cce6a5808
https://github.com/Dolibarr/dolibarr/commit/9aa24d9d9aeab36358c725dae3fe20c9631082e7
https://github.com/Dolibarr/dolibarr/commit/c0250e4c9106b5c889e512a4771f0205d4f99b99
https://gist.github.com/Dqtdqt/a942bbce9a5fc851dce366902411c768
https://github.com/Dolibarr/dolibarr/security/policy
https://github.com/advisories/GHSA-x2j8-vjg7-386r
EPSS Score: 0.12%
January 27th, 2025 (5 months ago)
|
Description: Microsoft has confirmed that the January 2025 Windows security updates are breaking audio playback on some systems with external DACs (digital-to-analog converters). [...]
January 27th, 2025 (5 months ago)
|
Description: Hackers behind the breach of “nearly all” of AT&T customers’ metadata searched for records associated with members of the Trump family, Kamala Harris, and Marco Rubio’s wife.
January 27th, 2025 (5 months ago)
|