Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

How attackers use real IT tools to take over your computer

We’ve seen a new wave of attacks exploiting legitimate Remote Monitoring and Management (RMM) tools to remotely control victims’ systems.

Malwarebytes
Open in Source
#web#mac#windows#microsoft#git#auth#ssl
GHSA-424m-fj2q-g7vg: Aimeos GrapesJS CMS extension has possible stored XSS that's exploitable by authenticated editors

### Impact Javascript code can be injected by malicious editors for a stored XSS attack if the standard Content Security Policy is disabled. ### Workaround If the standard CSP rules are active (default in production mode), an exploit isn't possible. ### Credits Lwin Min Oo <lwinminoo2244@gmail.com>

Fileless protection explained: Blocking the invisible threat others miss

Your antivirus scans files. But what about attacks that never create files? Here's how we catch the threats hiding on your family's computers.

Chopping AI Down to Size: Turning Disruptive Technology into a Strategic Advantage

Most people know the story of Paul Bunyan. A giant lumberjack, a trusted axe, and a challenge from a machine that promised to outpace him. Paul doubled down on his old way of working, swung harder, and still lost by a quarter inch. His mistake was not losing the contest. His mistake was assuming that effort alone could outmatch a new kind of tool. Security professionals are facing a similar

GHSA-fxp5-37mh-vff5: BlazeMeter Jenkins Plugin is Missing Authorization for Available Resources

A fix was made in BlazeMeter Jenkins Plugin version 4.27 to allow users only with certain permissions to see the list of available resources like credential IDs, bzm workspaces and bzm project Ids. Prior to this fix, anyone could see this list as a dropdown on the Jenkins UI.

Malicious Rust Crate Delivers OS-Specific Malware to Web3 Developer Systems

Cybersecurity researchers have discovered a malicious Rust package that's capable of targeting Windows, macOS, and Linux systems, and features malicious functionality to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool. The Rust crate, named "evm-units," was uploaded to crates.io in mid-April 2025 by a user named "ablerust,"

GHSA-mcxq-54f4-mmx5: FeehiCMS Has a Remote Code Execution via Unrestricted File Upload in Ad Management

FeehiCMS version 2.1.1 has a Remote Code Execution via Unrestricted File Upload in Ad Management. FeehiCMS version 2.1.1 allows authenticated remote attackers to upload files that the server later executes (or stores in an executable location) without sufficient validation, sanitization, or execution restrictions. An authenticated remote attacker can upload a crafted PHP file and cause the application or web server to execute it, resulting in remote code execution (RCE).

GHSA-5xw2-57jx-pgjp: GrapesJsBuilder File Upload allows all file uploads

### Summary Arbitrary files can be uploaded via the GrapesJS Builder, as the types of files that can be uploaded are not restricted. ### Impact If the media folder is not restricted from running files this can lead to a remote code execution.

GHSA-3fq7-c5m8-g86x: Mautic user without privileged access to the Marketplace can install and uninstall composer packages

### Summary A non privileged user can install and remove arbitrary packages via composer for a composer based installed, even if the flag in update settings for enable composer based update is unticked. ### Impact A low-privileged user of the platform can install malicious code to obtain higher privileges.

GHSA-cchq-397m-q2qm: Grav CMS is vulnerable to Cross Site Scripting (XSS) in the page editor

Grav CMS 1.7.49 is vulnerable to Cross Site Scripting (XSS). The page editor allows authenticated users to edit page content via a Markdown editor. The editor fails to properly sanitize <script> tags, allowing stored XSS payloads to execute when pages are viewed in the admin interface.