Description: [AI generated] Ticketmaster Entertainment, Inc. is an American ticket sales and distribution company headquartered in Beverly Hills, California. It operates in more than 20 countries, delivering over 100 million tickets annually. They provide services for worldwide events including concerts, sports events, theatre performances, and family shows. Apart from ticket distribution, Ticketmaster offers marketing and support for event organizers.
June 7th, 2025 (about 1 month ago)
|
Description: InTech Industries, Inc. specializes in full-service manufacturing, offering services such as 3D printing, design, tooling, injection molding, and precision CNC machining. They serve a wide range of industries, including life sciences, medical devices, dental, and personal safety. Their clients include businesses in a variety of sectors, such as pharmaceuticals, home care devices, and the optical industry.
June 7th, 2025 (about 1 month ago)
|
Description: Data of 1,000 registered distributors and sellers – employee and customer information – admin login passwords – email addresses, phone numbers, full names – and more...
June 6th, 2025 (about 1 month ago)
|
CVE-2025-49128 |
Description: Jackson-core contains the core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This can disclose data that precedes the payload in systems that use pooled or reused buffers, such as Netty or Vert.x. This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #652. All users should upgrade to version 2.13.0 or later. If upgrading is not immediately possible, applications can mitigate the issue in two ways: stop returning parsing exception messages to clients (for example in HTTP error responses), and/or disable source inclusion in exceptions so that Jackson does not embed any source content in exception messages.
CVSS: MEDIUM (4.0) EPSS Score: 0.01%
June 6th, 2025 (about 1 month ago)
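The following Java program is an added example written for this page, not code from the jackson-core project or from the advisory. It assumes jackson-core is on the classpath and constructs a reused buffer whose leading bytes hold a stale value from a previous request (a fake token), followed by a malformed payload that is parsed with an explicit offset and length. The class and method names (`JacksonOffsetLeakDemo`, `pooledBuffer`, `parseAndReportError`, `leaks`) and the constructed buffer contents are assumptions of this example. On an affected jackson-core version the first parse is expected to report that the exception message contains the stale bytes; the second parse shows the mitigation of disabling `JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION` so the message carries no source content at all.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParseException;
import com.fasterxml.jackson.core.JsonParser;

import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class JacksonOffsetLeakDemo {

    // Constructed example data: bytes left behind by an earlier request in a reused
    // buffer (a fake bearer token), followed by the current, deliberately malformed payload.
    static final byte[] STALE =
            "Authorization: Bearer sk_live_STALE_SECRET ".getBytes(StandardCharsets.UTF_8);
    static final byte[] PAYLOAD =
            "{\"id\": 42, \"name\": }".getBytes(StandardCharsets.UTF_8);

    /** Lays out a pooled-style buffer: [stale bytes][current payload][unused tail]. */
    static byte[] pooledBuffer() {
        byte[] buf = new byte[4096];
        System.arraycopy(STALE, 0, buf, 0, STALE.length);
        System.arraycopy(PAYLOAD, 0, buf, STALE.length, PAYLOAD.length);
        return buf;
    }

    /**
     * Parses only the logical payload (offset/len) and returns the parse error message.
     * On jackson-core 2.0.0 through 2.12.x the source snippet in that message starts at
     * index 0 of the array, so it carries the stale bytes that precede the payload.
     */
    static String parseAndReportError(JsonFactory factory, byte[] buf, int offset, int len) {
        try (JsonParser p = factory.createParser(buf, offset, len)) {
            while (p.nextToken() != null) {
                // drain tokens; the malformed payload throws before the loop completes
            }
            return null;
        } catch (JsonParseException e) {
            return e.getMessage();
        } catch (IOException e) {
            return e.getMessage();
        }
    }

    /** True when the message echoes data that was never part of the logical payload. */
    static boolean leaks(String message) {
        return message != null && message.contains("STALE_SECRET");
    }

    public static void main(String[] args) {
        byte[] buf = pooledBuffer();
        int offset = STALE.length;
        int len = PAYLOAD.length;

        // 1. Default factory: on affected versions the message snippet is read from index 0.
        String leaky = parseAndReportError(new JsonFactory(), buf, offset, len);
        System.out.println("default factory : " + leaky);
        System.out.println("  leaks stale bytes? " + leaks(leaky));

        // 2. Mitigation from the advisory: never embed source content in exception locations.
        JsonFactory safe = new JsonFactory();
        safe.disable(JsonParser.Feature.INCLUDE_SOURCE_IN_LOCATION);
        String hardened = parseAndReportError(safe, buf, offset, len);
        System.out.println("source disabled : " + hardened);
        System.out.println("  leaks stale bytes? " + leaks(hardened));
    }
}
```

Run it against jackson-core 2.12.x and then 2.13.0 or later to see the difference in the first message; the second message never includes source content regardless of version. Disabling source inclusion is a process-wide trade-off (parse errors become harder to debug from logs alone), so pair it with the other mitigation in the advisory: keep raw parser exception messages out of responses sent to clients.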
|
Description: Summary
A Denial of Service (DoS) vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments.
Impact
Component: server_quic.go
Attack Vector: Remote, network-based
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Impact: High availability loss (OOM kill or unresponsiveness)
This issue affects deployments with quic:// enabled in the Corefile. A single attacker can cause the CoreDNS instance to become unresponsive using minimal bandwidth and CPU.
Patches
The patch introduces two key mitigation mechanisms:
max_streams: Caps the number of concurrent QUIC streams per connection. Default: 256.
worker_pool_size: Introduces a server-wide, bounded worker pool to process incoming streams. Default: 1024.
This eliminates the 1:1 stream-to-goroutine model and ensures that CoreDNS remains resilient under high concurrency. The new configuration options are exposed through the quic Corefile block:
quic {
max_streams 256
worker_pool_size 1024
}
These defaults are generous and aligned with typical DNS-over-QUIC client behavior.
Workarounds
If you...
CVSS: HIGH (7.5) EPSS Score: 0.08%
June 6th, 2025 (about 1 month ago)
|
Description: Impact
On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected.
For example, given this schema:
definition user {}
definition office {
    relation parent: office
    relation manager: user
    permission read = manager + parent->read
}
definition group {
    relation parent: office
    permission read = parent->read
}
definition document {
    relation owner: group with equals
    permission read = owner->read
}
caveat equals(actual string, required string) {
    actual == required
}
and these relationships:
office:headoffice#manager@user:maria
office:branch1#parent@office:headoffice
group:admins#parent@office:branch1
group:managers#parent@office:headoffice
document:budget#owner@group:admins[equals:{"required":"admin"}]
document:budget#owner@group:managers[equals:{"required":"manager"}]
Permission for 'document:budget#read@user:maria with {"actual" : "admin"}' is returned as NO_PERMISSION when HAS_PERMISSION is the correct answer.
Patches
Upgrade to v1.44.2.
Workarounds
Do not use caveats in your schema over an arrow’ed relation.
References
https://github.com/authzed/spicedb/security/advisories/GHSA-cwwm-hr97-qfxm
https://nvd.nist.gov/vuln/detail/CVE-2025-49011
https://github.com/authzed/spicedb/commit/fe8dd9f491f6975b3408c401e413a530eb181a67
https://github.com/authzed/spice...
CVSS: LOW (3.7) EPSS Score: 0.03%
June 6th, 2025 (about 1 month ago)
|
CVE-2025-49127 |
Description: Kafbat UI is a web user interface for managing Apache Kafka clusters. An unsafe deserialization vulnerability in version 1.0.0 allows any unauthenticated user to execute arbitrary code on the server. Version 1.1.0 fixes the issue.
CVSS: HIGH (8.9) EPSS Score: 0.12%
June 6th, 2025 (about 1 month ago)
|
CVE-2024-24262 |
Description: media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_uac_stop_timer function at /uac/sip-uac-transaction.c.
EPSS Score: 0.14% SSVC Exploitation: poc
June 6th, 2025 (about 1 month ago)
|
CVE-2024-22900 |
Description: Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the setNetworkCardInfo function.
EPSS Score: 2.02% SSVC Exploitation: none
June 6th, 2025 (about 1 month ago)
|
CVE-2024-20906 |
Description: Vulnerability in the Integrated Lights Out Manager (ILOM) product of Oracle Systems (component: System Management). Supported versions that are affected are 3, 4 and 5. Easily exploitable vulnerability allows high privileged attacker with network access via ICMP to compromise Integrated Lights Out Manager (ILOM). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Integrated Lights Out Manager (ILOM), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Integrated Lights Out Manager (ILOM) accessible data as well as unauthorized read access to a subset of Integrated Lights Out Manager (ILOM) accessible data. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).
CVSS: MEDIUM (4.8) EPSS Score: 0.23% SSVC Exploitation: none
June 6th, 2025 (about 1 month ago)
|