January 8th, 2025 (6 months ago)
CVE-2025-22145
Description:
Impact
Applications passing unsanitized user input to Carbon::setLocale are at risk of arbitrary file inclusion: if the application allows users to upload files with a .php extension into a folder from which include or require can read them, then it is at risk of arbitrary code being run on its servers.
Patches
3.8.4
2.72.6
Workarounds
Any of the following actions can be taken to prevent the issue:
Validate input before calling setLocale(), for instance by forbidding or removing / and \
Call setLocale() only with a locale from a whitelist of supported locales
When uploading files, rename them so they cannot have a .php extension (this is recommended even if you're not affected by this issue)
Prefer storage systems that are not local to the application (a remote service, or a local service run by another user, so the uploaded files actually live outside of the application basedir)
References
https://en.wikipedia.org/wiki/File_inclusion_vulnerability
Credits
Thanks to Szczepan Hołyszewski, who reported the issue, and to Tidelift for coordinating the resolution
References
https://github.com/CarbonPHP/carbon/security/advisories/GHSA-j3f9-p6hm-5w6q
https://github.com/briannesbitt/Carbon/commit/129700ed449b1f02d70272d2ac802357c8c30c58
https://nvd.nist.gov/vuln/detail/CVE-2025-22145
https://github.com/advisories/GHSA-j3f9-p6hm-5w6q
CVSS: MEDIUM (6.3) EPSS Score: 0.04%
January 8th, 2025 (6 months ago)
Description: Premium WordPress plugin Fancy Product Designer from Radykal is vulnerable to two critical severity flaws that remain unfixed in the current latest version. [...]
January 8th, 2025 (6 months ago)
Description: Ransomware Negotiation Between Akira and a Withheld Victim
January 8th, 2025 (6 months ago)
CVE-2024-55459
Description: An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-55459
https://github.com/keras-team/keras
https://keras.io
https://river-bicycle-f1e.notion.site/Arbitrary-File-Write-Vulnerability-in-get_file-function-11888e31952580179224e50892976d32
https://github.com/keras-team/keras/blob/8f5592bcb61ff48c96560c8923e482db1076b54a/keras/src/utils/file_utils.py#L115
https://github.com/advisories/GHSA-cjgq-5qmw-rcj6
EPSS Score: 0.05%
January 8th, 2025 (6 months ago)
Description: A Threat Actor is Allegedly Selling Unauthorized Access to the Global Network Bank Corporation
January 8th, 2025 (6 months ago)
Description: SonicWall is emailing customers urging them to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that is "susceptible to actual exploitation." [...]
January 8th, 2025 (6 months ago)
Description: Russian internet service provider Nodex confirmed on Tuesday that its network was "destroyed" in a cyberattack claimed by Ukrainian hacktivists who are part of the Ukrainian Cyber Alliance [...]
January 8th, 2025 (6 months ago)