Threat and Vulnerability Intelligence Database

CVE-2024-56805

Description: A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.4.3079 build 20250321 and later; QuTS hero h5.2.4.3079 build 20250321 and later.

CVSS: MEDIUM (5.3)

EPSS Score: 0.1%

Source: CVE
June 6th, 2025 (about 1 month ago)

CVE-2024-50406

Description: A cross-site scripting (XSS) vulnerability has been reported to affect License Center. If exploited, the vulnerability could allow remote attackers who have gained user access to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: License Center 1.9.49 and later

CVSS: LOW (2.0)

EPSS Score: 0.1%

Source: CVE
June 6th, 2025 (about 1 month ago)

CVE-2024-4760

Description: A voltage glitch during the startup of EEFC NVM controllers on Microchip SAM E70/S70/V70/V71, SAM G55, SAM 4C/4S/4N/4E, and SAM 3S/3N/3U microcontrollers allows access to the memory bus via the debug interface even if the security bit is set.

CVSS: MEDIUM (6.3)

EPSS Score: 0.14%

SSVC Exploitation: none

Source: CVE
June 6th, 2025 (about 1 month ago)

CVE-2024-13088

Description: An improper authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: QuRouter 2.5.0.140 and later

CVSS: MEDIUM (5.2)

EPSS Score: 0.03%

Source: CVE
June 6th, 2025 (about 1 month ago)

CVE-2024-13087

Description: A command injection vulnerability has been reported to affect QHora. If an attacker who has also gained an administrator account obtains local network access, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later

CVSS: LOW (2.4)

EPSS Score: 0.19%

Source: CVE
June 6th, 2025 (about 1 month ago)

Description: This week, we discuss the phrase "activist journalist," waiting in line for a Switch 2, and teledildonics.

Source: 404 Media
June 6th, 2025 (about 1 month ago)

Description: Security researchers at LayerX have uncovered a stealthy network of malicious Chrome extensions masquerading as in-browser sound enhancement tools. With over 700k installations globally, these add-ons appear to be lying dormant, awaiting remote instructions to execute malicious payloads. LayerX's report reveals that the extensions function as "sleeper agents," capable of downloading and executing code from …

Source: CyberInsider
June 6th, 2025 (about 1 month ago)

Description: An issue was discovered in Django 5.2 before 5.2.2, 5.1 before 5.1.10, and 4.2 before 4.2.22. Internal HTTP response logging does not escape request.path, which allows remote attackers to potentially manipulate log output via crafted URLs. This may lead to log injection or forgery when logs are viewed in terminals or processed by external systems.

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-48432
https://docs.djangoproject.com/en/dev/releases/security
https://groups.google.com/g/django-announce
https://www.djangoproject.com/weblog/2025/jun/04/security-releases
http://www.openwall.com/lists/oss-security/2025/06/04/5
https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-47.yaml
https://github.com/advisories/GHSA-7xr5-9hcq-chf9

CVSS: MEDIUM (4.0)

EPSS Score: 0.04%

Source: Github Advisory Database (PIP)
June 6th, 2025 (about 1 month ago)

Description:

Overview: The laravel-auth0 SDK contains a critical vulnerability due to insecure deserialization of cookie data. Since the SDK processes cookie content without prior authentication, a threat actor could send a specially crafted cookie containing malicious serialized data.

Am I Affected? You are affected by this vulnerability if you meet the following preconditions:
- Applications using laravel-auth0 SDK, versions from 7.0.0-BETA1 to 7.2.1.
- Laravel-auth0 SDK uses the Auth0-PHP SDK with version 8.0.0-BETA3 to 8.3.0.

Fix: Upgrade Auth0/laravel-auth0 to the latest version (v7.17.0).

Acknowledgement: Okta would like to thank Andreas Forsblom for discovering this vulnerability.

References:
https://github.com/auth0/auth0-PHP/security/advisories/GHSA-v9m8-9xxp-q492
https://github.com/auth0/laravel-auth0/security/advisories/GHSA-c42h-56wx-h85q
https://github.com/auth0/symfony/security/advisories/GHSA-98j6-67v3-mw34
https://github.com/auth0/wordpress/security/advisories/GHSA-862m-5253-832r
https://nvd.nist.gov/vuln/detail/CVE-2025-48951
https://github.com/advisories/GHSA-c42h-56wx-h85q

CVSS: CRITICAL (9.3)

EPSS Score: 0.07%

Source: Github Advisory Database (Composer)
June 6th, 2025 (about 1 month ago)

Description:

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File)
CVSS: 6.2 (Medium)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Component: Facebook Authentication Logging
Version: Para v1.50.6
File Path: para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java
Vulnerable Line(s): Line 184 (logger.warn(...) with raw access token)

Technical Details: The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook's user profile endpoint triggers the following log statement:

    logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);

Here, PROFILE_URL is a constant:

    private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token=";

This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level logs are often retained in production and accessible to operators or log aggregation systems, this poses a risk of token exposure.

References:
https://github.com/Erudika/para/security/advisories/GHSA-qx7g-fx8q-545g
https://nvd.nist.gov/vuln/detail/CVE-2025-49009
https://github.com/Erudika/para/commit/46a908d887da02037384193f70a69345f04887cf
https://github.com/advisories/GHSA-qx7g-fx8q-545g

CVSS: MEDIUM (6.2)

EPSS Score: 0.02%

Source: Github Advisory Database (Maven)
June 6th, 2025 (about 1 month ago)