CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

Threat and Vulnerability Intelligence Database

Description: In August 2024, data aggregator MC2 Data left a database publicly accessible without a password which was subsequently discovered by a security researcher. The breach exposed the personal information of 2.1M subscribers to the service which was marketed under a series of different brand names. The data included email addresses, names and salted SHA-256 password hashes.

Source: HaveIBeenPwnedLatestBreaches
December 18th, 2024 (6 months ago)

Description: In 2024, data relating to an unknown service referred to as "Hopamedia" and dating back to 2020 appeared in a publicly exposed database. The data included almost 24M records of email address, name, phone number, the country of the individual and their telecommunications carrier.

Source: HaveIBeenPwnedLatestBreaches
December 18th, 2024 (6 months ago)

CVE-2024-9819

Description: Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse. This issue affects NG Analyser: before 2.2.711.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE
December 18th, 2024 (6 months ago)

CVE-2024-9779

Description: A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.

EPSS Score: 0.05%

Source: CVE
December 18th, 2024 (6 months ago)

CVE-2024-9654

Description: The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contain a link to download paid content. Successful exploitation requires knowledge of another customer's email address as well as the file ID of the content they purchased.

CVSS: LOW (3.7)

EPSS Score: 0.05%

Source: CVE
December 18th, 2024 (6 months ago)

CVE-2024-9624

Description: The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On cloud platforms, it might allow attackers to read the Instance metadata.

CVSS: HIGH (7.6)

EPSS Score: 0.05%

Source: CVE
December 18th, 2024 (6 months ago)

CVE-2024-8972

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mobil365 Informatics Saha365 App allows SQL Injection. This issue affects Saha365 App: before 30.09.2024.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
December 18th, 2024 (6 months ago)

CVE-2024-8475

Description: Authentication Bypass by Assumed-Immutable Data vulnerability in Digital Operation Services WiFiBurada allows Manipulating User-Controlled Variables. This issue affects WiFiBurada: before 1.0.5.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE
December 18th, 2024 (6 months ago)

CVE-2024-8429

Description: Improper Restriction of Excessive Authentication Attempts vulnerability in Digital Operation Services WiFiBurada allows Use of Known Domain Credentials. This issue affects WiFiBurada: before 1.0.5.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
December 18th, 2024 (6 months ago)

CVE-2024-8326

Description: The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 241114 via the 'sc_get_details' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including user data and database configuration information, which can lead to reading, updating, or dropping database tables. The vulnerability was partially patched in version 241114.

CVSS: HIGH (8.8)

EPSS Score: 0.07%

Source: CVE
December 18th, 2024 (6 months ago)