Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Hackers Exploit Pandoc CVE-2025-51591 to Target AWS IMDS and Steal EC2 IAM Credentials

Cloud security company Wiz has revealed that it uncovered in-the-wild exploitation of a security flaw in a Linux utility called Pandoc as part of attacks designed to infiltrate Amazon Web Services (AWS) Instance Metadata Service (IMDS). The vulnerability in question is CVE-2025-51591 (CVSS score: 6.5), which refers to a case of Server-Side Request Forgery (SSRF) that allows attackers to

The Hacker News
Open in Source
#vulnerability#web#mac#google#amazon#linux#rce#ssrf#aws#auth#The Hacker News
CVE-2025-55322: OmniParser Remote Code Execution Vulnerability

Binding to an unrestricted ip address in GitHub allows an unauthorized attacker to execute code over a network.

GHSA-rpx3-f938-xj5q: Liferay Portal and DXP does not properly expire sessions

A Insufficient Session Expiration vulnerability in the Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 is allow an remote non-authenticated attacker to reuse old user session by SLO API.

Fake Malwarebytes, LastPass, and others on GitHub serve malware

Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.

GitHub Aims to Secure Supply Chain as NPM Hacks Ramp Up

GitHub will address weak authentication and overly permissive tokens in the NPM ecosystem, following high-profile threat campaigns like those involving Shai-Hulud malware.

GHSA-r6f3-55wj-g9p3: WSO2 Identity Server Apps allows content spoofing in logs

A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error messages are passed through URL parameters without validation, allowing malicious actors to inject arbitrary content into the UI. By exploiting this vulnerability, attackers can manipulate browser-displayed error messages, enabling social engineering attacks through deceptive or misleading content.

GHSA-46v4-5mc8-q2cf: GP247 and S-Cart have a stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting (XSS) vulnerability in the Admin Log Viewer of S-Cart <=10.0.3 allows a remote authenticated attacker to inject arbitrary web script or HTML via a crafted User-Agent header. The script is executed in an administrator's browser when they view the security log page, which could lead to session hijacking or other malicious actions.

How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking

Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors

Two New Supermicro BMC Bugs Allow Malicious Firmware to Evade Root of Trust Security

Cybersecurity researchers have disclosed details of two security vulnerabilities impacting Supermicro Baseboard Management Controller (BMC) firmware that could potentially allow attackers to bypass crucial verification steps and update the system with a specially crafted image. The medium-severity vulnerabilities, both of which stem from improper verification of a cryptographic signature, are

Eurojust Arrests 5 in €100M Cryptocurrency Investment Fraud Spanning 23 Countries

Law enforcement authorities in Europe have arrested five suspects in connection with an "elaborate" online investment fraud scheme that stole more than €100 million ($118 million) from over 100 victims in France, Germany, Italy, and Spain. According to Eurojust, the coordinated action saw searches in five places across Spain and Portugal, as well as in Italy, Romania and Bulgaria. Bank accounts