CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
|
Description: Overview
The laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. If exploited, since SDKs process cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.
Am I Affected?
You are affected by this vulnerability if you meet the following preconditions:
Applications using laravel-auth0 SDK, versions between 7.0.0-BETA1 to 7.2.1.
Laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.
Fix
Upgrade Auth0/laravel-auth0 to the latest version (v7.17.0).
Acknowledgement
Okta would like to thank Andreas Forsblom for discovering this vulnerability.
References
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
https://nvd.nist.gov/vuln/detail/CVE-2025-48951
https://github.com/advisories/GHSA-c42h-56wx-h85q
CVSS: CRITICAL (9.3) EPSS Score: 0.07%
June 6th, 2025 (about 1 month ago)
|
|
|
Description: CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)
CVSS: 6.2 (Medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Component: Facebook Authentication Logging
Version: Para v1.50.6
File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java
Vulnerable Line(s): Line 184 (logger.warn(...) with raw access token)
Technical Details:
The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement:
logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);`
Here, PROFILE_URL is a constant:
private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token=";
This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.
References
https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g
https://nvd.nist.gov/vuln/detail/CVE-2025-49009
https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf
https://github.com/advisories/GHSA-qx7g-fx8q-545g
CVSS: MEDIUM (6.2) EPSS Score: 0.02%
June 6th, 2025 (about 1 month ago)
|
|
Description: Charles Brooks knows that people will share and alter his work. He just wants credit for his photos when it happens.
June 6th, 2025 (about 1 month ago)
|
|
June 6th, 2025 (about 1 month ago)
|
CVE-2025-5779 |
Description: A vulnerability has been found in code-projects Patient Record Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /birthing.php. The manipulation of the argument itr_no/comp_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. In code-projects Patient Record Management System 1.0 wurde eine Schwachstelle gefunden. Sie wurde als kritisch eingestuft. Dabei geht es um eine nicht genauer bekannte Funktion der Datei /birthing.php. Dank Manipulation des Arguments itr_no/comp_id mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.
CVSS: MEDIUM (6.3) EPSS Score: 0.03% SSVC Exploitation: poc
June 6th, 2025 (about 1 month ago)
|
|
CVE-2025-41646 |
Description: An unauthorized remote attacker can bypass the authentication of the affected software package by misusing an incorrect type conversion. This leads to full compromise of the device
CVSS: CRITICAL (9.8) EPSS Score: 0.55%
June 6th, 2025 (about 1 month ago)
|
|
CVE-2025-27531 |
Description: Deserialization of Untrusted Data vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.13.0 before 2.1.0,
this issue would allow an authenticated attacker to read arbitrary files by double writing the param.
Users are recommended to upgrade to version 2.1.0, which fixes the issue.
CVSS: CRITICAL (9.8) EPSS Score: 0.18%
June 6th, 2025 (about 1 month ago)
|
|
Description: Healthcare giant Kettering Health, which manages 14 medical centers in Ohio, confirmed that the Interlock ransomware group breached its network and stole data in a May cyberattack. [...]
June 6th, 2025 (about 1 month ago)
|
|
Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installatons of WOLFBOX Level 2 EV Charger devices. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.0. The following CVEs are assigned: CVE-2025-5747.
EPSS Score: 0.18%
June 6th, 2025 (about 1 month ago)
|
|
|
Description: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WOLFBOX Level 2 EV Charger. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 8.0. The following CVEs are assigned: CVE-2025-5748.
EPSS Score: 0.17%
June 6th, 2025 (about 1 month ago)
|