CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-53263 |
Description: Impact
When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials.
Patches
This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1.
Workarounds
There are no workarounds known at this time.
References
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
https://nvd.nist.gov/vuln/detail/CVE-2024-53263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53263
https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1
git-lfs/git-lfs@0345b6f816
For more information
If you have any questions or comments about this advisory:
For general questions, start a discussion in the Git LFS discussion forum.
For reports of additional vulnerabilities, please follow the Git LFS security reporting policy.
References
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90
https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1
https://nvd.nist.gov/vuln/detail/CVE-2024-53263
https://github.com/advisories/GHSA-q6r2...
CVSS: HIGH (8.5) EPSS Score: 0.05%
January 14th, 2025 (6 months ago)
|
|
CVE-2024-53263 |
Description: Impact
When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials.
Patches
This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1.
Workarounds
There are no workarounds known at this time.
References
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
https://nvd.nist.gov/vuln/detail/CVE-2024-53263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53263
https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1
git-lfs/git-lfs@0345b6f816
For more information
If you have any questions or comments about this advisory:
For general questions, start a discussion in the Git LFS discussion forum.
For reports of additional vulnerabilities, please follow the Git LFS security reporting policy.
References
https://github.com/git-lfs/git-lfs/security/advisories/GHSA-q6r2-x2cc-vrp7
https://github.com/git-lfs/git-lfs/commit/0345b6f816e611d050c0df67b61f0022916a1c90
https://github.com/git-lfs/git-lfs/releases/tag/v3.6.1
https://nvd.nist.gov/vuln/detail/CVE-2024-53263
https://github.com/advisories/GHSA-q6r2...
CVSS: HIGH (8.5) EPSS Score: 0.05%
January 14th, 2025 (6 months ago)
|
|
Description: Texas Attorney General Ken Paxton has filed a lawsuit against Allstate and its data subsidiary Arity for unlawfully collecting, using, and selling driving data from over 45 million Americans. [...]
January 14th, 2025 (6 months ago)
|
|
|
Description: Microsoft is warning that the January 2025 Windows 11 and Windows 10 cumulative updates may fail if Citrix Session Recording Agent (SRA) version 2411 is installed on the device. [...]
January 14th, 2025 (6 months ago)
|
|
|
Description: Eight 0-days. Access: triple zero-day RCE; Hyper-V NT Kernel Integration VSP: triple zero-day EoP; Windows Themes: zero-day NTLM disclosure; Windows Installer: zero-day EoP; PGM: critical RCE; OLE: critical RCE.
January 14th, 2025 (6 months ago)
|
|
|
Description: Two hacker groups were paid to develop malware targeting victims in the US, Europe, and Asia, as well as various Chinese dissident groups.
January 14th, 2025 (6 months ago)
|
|
|
Description: Microsoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 10 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”
January 14th, 2025 (6 months ago)
|
|
|
Description: Microsoft's January 2025 Patch Tuesday update addresses 159 vulnerabilities, including three previously undisclosed actively exploited zero-day vulnerabilities. The update is applicable to Windows 11 OS Builds 22621.4751 and 22631.4751 and is part of Microsoft's ongoing effort to secure its flagship operating system against emerging threats. New zero-day flaws Microsoft has confirmed three vulnerabilities under active …
The post Windows January 2025 Patch Tuesday Fixes 159 Vulnerabilities appeared first on CyberInsider.
January 14th, 2025 (6 months ago)
|
|
CVE-2025-23081 |
Description: Cross-Site Request Forgery (CSRF), Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - DataTransfer Extension allows Cross Site Request Forgery, Cross-Site Scripting (XSS).This issue affects Mediawiki - DataTransfer Extension: from 1.39.X before 1.39.11, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-23081
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1080451
https://gerrit.wikimedia.org/r/c/mediawiki/extensions/DataTransfer/+/1093931
https://gerrit.wikimedia.org/r/q/I5e1538a3bf66378810f905834c05626e1d2c82f0
https://gerrit.wikimedia.org/r/q/I773c616db781d2f3f30893ad01ef503bf251a2b3
https://gerrit.wikimedia.org/r/q/I7c9de4c8dcdb3276ba923c6bc7c8eef3531324c7
https://gerrit.wikimedia.org/r/q/I9223c31f02f31f1e06e1a8cddf7d539cc8d3a3d9
https://phabricator.wikimedia.org/T379749
https://github.com/advisories/GHSA-c3h5-h73c-29hq
EPSS Score: 0.04%
January 14th, 2025 (6 months ago)
|
|
CVE-2024-45627 |
Description: Affected versions:
Apache Linkis Metadata Query Service JDBC 1.5.0 before 1.7.0
Description:
In Apache Linkis <1.7.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will allow the attacker to read arbitrary files from the Linkis server. Therefore, the parameters in the Mysql JDBC URL should be blacklisted. This attack requires the attacker to obtain an authorized account from Linkis before it can be carried out. Versions of Apache Linkis < 1.6.0 will be affected.
We recommend users upgrade the version of Linkis to version 1.7.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-45627
https://lists.apache.org/thread/0zzx8lldwoqgzq98mg61hojgpvn76xsh
http://www.openwall.com/lists/oss-security/2025/01/14/1
https://github.com/advisories/GHSA-8cvq-3jjp-ph9p
EPSS Score: 0.04%
January 14th, 2025 (6 months ago)
|