CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: AI generated slop is tricking people into thinking an already devastating series of wildfires in Los Angeles are even worse than they are — and using it to score political points.
January 9th, 2025 (6 months ago)
|
|
|
Description: Vulnerability Summary
A type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay node interface.
Affected Components
Strawberry GraphQL relay integration
Specifically impacts implementations using:
Django integration
SQLAlchemy integration
Pydantic integration
Technical Details
The vulnerability manifests when:
Multiple GraphQL types inherit from relay.Node
These types are mapped to the same database model
The global node field is used for type resolution
Example of vulnerable code:
from fruits.models import Fruit
import strawberry_django
import strawberry
@strawberry_django.type(Fruit)
class FruitType(relay.Node):
name: strawberry.auto
@strawberry_django.type(Fruit)
class SpecialFruitType(relay.Node):
secret_name: strawberry.auto
@strawberry.type
class Query:
node: relay.Node = strawberry_django.node()
Security Impact
When querying for a specific type using the global node field (e.g., FruitType:some-id), the resolver may incorrectly return an instance of a different type mapped to the same model (e.g., SpecialFruitType). This can lead to:
Information disclosure if the alternate type exposes sensitive fields
Potential privilege escalation if the alternate type contains data intended for restricted access
Note
Even with knowledge of the correct t...
January 9th, 2025 (6 months ago)
|
|
|
Description: A new version of the Banshee info-stealing malware for macOS has been evading detection over the past two months by adopting string encryption from Apple's XProtect. [...]
January 9th, 2025 (6 months ago)
|
|
|
Description: [Darknetlive Archive] Italian Man Allegedly Hired a Hitman on the Darkweb
January 9th, 2025 (6 months ago)
|
|
|
Description: Microsoft has fixed a known issue causing macOS applications to freeze when opening or saving files in OneDrive. [...]
January 9th, 2025 (6 months ago)
|
|
|
Description: Impact
The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.
Example attack scenario:
An attacker has stolen the private key for a key published in JWK Set.
The publishers of that JWK Set remove that key from the JWK Set.
Enough time has passed that the program using the auto-caching HTTP client found in github.com/MicahParks/jwkset v0.5.0-v0.5.21 has elapsed its HTTPClientStorageOptions.RefreshInterval duration, causing a refresh of the remote JWK Set.
The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation.
Patches
The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. Upgrade to v0.6.0 or later.
Workarounds
The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value). Upgrade to v0.6.0 is advised.
References
Please see the tracking issue on GitHub for additional details: https://github.com/MicahParks/jwkset/issues/40
References
https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82
https://github.com/Micah...
January 9th, 2025 (6 months ago)
|
CVE-2025-22449 |
Description: Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.
References
https://nvd.nist.gov/vuln/detail/CVE-2025-22449
https://mattermost.com/security-updates
https://github.com/advisories/GHSA-q8fg-cp3q-5jwm
CVSS: LOW (3.8) EPSS Score: 0.04%
January 9th, 2025 (6 months ago)
|
|
CVE-2023-1907 |
Description: A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-1907
https://bugzilla.redhat.com/show_bug.cgi?id=2218384
https://github.com/pgadmin-org/pgadmin4/issues/6100
https://github.com/pgadmin-org/pgadmin4/commit/fa29ba91632634d961f937ce3ed2c3b5a9d78f59
https://github.com/pgadmin-org/pgadmin4/blob/a9974b418c49760d3989b7fb25e052ff16b89ac6/docs/en_US/release_notes_7_0.rst
https://github.com/advisories/GHSA-7w6r-748w-mh52
CVSS: HIGH (8.0)
January 9th, 2025 (6 months ago)
|
|
CVE-2024-50603 |
Description: Critical Vulnerability Alert: CVE-2024-50603 Critical Command Injection Vulnerability in Aviatrix Controller
CVSS: CRITICAL (10.0) EPSS Score: 92.43%
January 9th, 2025 (6 months ago)
|
|
|
Description: Privacy firm Proton suffered a massive worldwide outage today, taking down most services, with Proton Mail and Calendar users still unable to connect to their accounts. [...]
January 9th, 2025 (6 months ago)
|