CVE-2024-54676
Description: Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: The default clustering instructions at https://openmeetings.apache.org/Clustering.html do not specify white/black lists for OpenJPA; this leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-54676
https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95
http://www.openwall.com/lists/oss-security/2025/01/08/1
https://github.com/apache/openmeetings/commit/1c3426c6d3abbd984a3c01a61decf1242ea38923
https://issues.apache.org/jira/browse/OPENMEETINGS-2787
https://github.com/advisories/GHSA-mjf9-4pcv-vfg7
EPSS Score: 0.18%
January 8th, 2025 (6 months ago)
Description: Using the Cloud Security Principles to evaluate the suitability of a cloud service.
January 8th, 2025 (6 months ago)
Description: Alixsec Targeted Many Websites in Finland
January 8th, 2025 (6 months ago)
Description: Attackers are abusing a Microsoft 365 feature to send payment requests to users, tricking them into logging in to their accounts so attackers can seize control over them.
January 8th, 2025 (6 months ago)
Description: Impact
A path traversal attack allows existing non-admin users to access and take over other users' repositories. A malicious user can then modify, delete, and otherwise arbitrarily act on repositories as if they were an admin user, without having been explicitly granted those permissions.
Patches
This is patched in v0.8.2
Workarounds
Single user set-ups are not affected. This only affects multi-user Soft Serve set-ups that enable repository creation for users. Otherwise, upgrading is necessary to circumvent the attack.
References
https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-j4jw-m6xr-fv6c
https://github.com/charmbracelet/soft-serve/commit/a8d1bf3f9349c138383b65079b7b8ad97fff78f4
https://github.com/charmbracelet/soft-serve/releases/tag/v0.8.2
https://github.com/advisories/GHSA-j4jw-m6xr-fv6c
January 8th, 2025 (6 months ago)
Description: DEFACER KAMPUNG Defaced the Website of Government Polytechnic Mau
January 8th, 2025 (6 months ago)
Description: Anonymous Sudan Targeted the Website of Bank of Central African States (BEAC)
January 8th, 2025 (6 months ago)
Description: The International Civil Aviation Organization (ICAO), a specialized agency of the United Nations responsible for setting global aviation standards, has confirmed a data breach involving the exposure of over 42,000 recruitment application records. The breach, attributed to a threat actor known as “Natohub,” was first reported on BreachForums, where the stolen data was advertised. In …
The post International Civil Aviation Organization Confirms Data Breach appeared first on CyberInsider.
January 8th, 2025 (6 months ago)
Description: A Threat Actor Claims to be Selling the Data of DE Photo
January 8th, 2025 (6 months ago)
Description: Cybersecurity researchers from WatchTowr Labs have uncovered a troubling method for exploiting abandoned domains linked to backdoors in compromised systems. By purchasing unregistered domains referenced in web shells — backdoors used by hackers — the team managed to commandeer thousands of systems worldwide with minimal effort. This follows their earlier work on vulnerabilities in the …
The post Researchers Hijack Over 4,000 Backdoors Using Expired Domains appeared first on CyberInsider.
January 8th, 2025 (6 months ago)