CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database


CVE-2024-53263

Description:

Impact
When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials.

Patches
This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1.

Workarounds
There are no workarounds known at this time.

References
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
https://nvd.nist.gov/vuln/detail/CVE-2024-53263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53263
https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1
git-lfs/git-lfs@0345b6f816

For more information
If you have any questions or comments about this advisory: For general questions, start a discussion in the Git LFS discussion forum. For reports of additional vulnerabilities, please follow the Git LFS security reporting policy.

References
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90
https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1
https://nvd.nist.gov/vuln/detail/CVE-2024-53263
https://github.com/advisories/GHSA-q6r2...

CVSS: HIGH (8.5)

EPSS Score: 0.05%

Source: Github Advisory Database (Go)
January 14th, 2025 (6 months ago)

Description: Texas Attorney General Ken Paxton has filed a lawsuit against Allstate and its data subsidiary Arity for unlawfully collecting, using, and selling driving data from over 45 million Americans. [...]
Source: BleepingComputer
January 14th, 2025 (6 months ago)

Description: Microsoft is warning that the January 2025 Windows 11 and Windows 10 cumulative updates may fail if Citrix Session Recording Agent (SRA) version 2411 is installed on the device. [...]
Source: BleepingComputer
January 14th, 2025 (6 months ago)

Description: Eight 0-days. Access: triple zero-day RCE; Hyper-V NT Kernel Integration VSP: triple zero-day EoP; Windows Themes: zero-day NTLM disclosure; Windows Installer: zero-day EoP; PGM: critical RCE; OLE: critical RCE.
Source: Rapid7
January 14th, 2025 (6 months ago)

Description: Two hacker groups were paid to develop malware targeting victims in the US, Europe, and Asia, as well as various Chinese dissident groups.
Source: Dark Reading
January 14th, 2025 (6 months ago)

Description: Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 10 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”
Source: Cisco Talos Blog
January 14th, 2025 (6 months ago)

Description: Microsoft's January 2025 Patch Tuesday update addresses 159 vulnerabilities, including three previously undisclosed actively exploited zero-day vulnerabilities. The update is applicable to Windows 11 OS Builds 22621.4751 and 22631.4751 and is part of Microsoft's ongoing effort to secure its flagship operating system against emerging threats. New zero-day flaws Microsoft has confirmed three vulnerabilities under active …
Source: CyberInsider
January 14th, 2025 (6 months ago)

CVE-2025-23081

Description: Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS). This issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.

References
https://nvd.nist.gov/vuln/detail/CVE-2025-23081
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931
https://gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0
https://gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3
https://gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7
https://gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9
https://phabricator.wikimedia.org/T379749
https://github.com/advisories/GHSA-c3h5-h73c-29hq

EPSS Score: 0.04%

Source: Github Advisory Database (Composer)
January 14th, 2025 (6 months ago)

CVE-2024-45627

Description:

Affected versions: Apache Linkis Metadata Query Service JDBC 1.5.0 before 1.7.0

In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.6.0 will be affected. We recommend users upgrade the version of Linkis to version 1.7.0.

References
https://nvd.nist.gov/vuln/detail/CVE-2024-45627
https://lists.apache.org/thread/0zzx8lldwoqgzq98mg61hojgpvn76xsh
http://www.openwall.com/lists/oss-security/2025/01/14/1
https://github.com/advisories/GHSA-8cvq-3jjp-ph9p

EPSS Score: 0.04%

Source: Github Advisory Database (Maven)
January 14th, 2025 (6 months ago)