Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-wppf-gqj5-fc4f: REDAXO allows Arbitrary File Upload in the mediapool page

### Summary An arbitrary file upload vulnerability was identified in the redaxo. This flaw permits users to upload malicious files, which can lead to JavaScript code execution and distribute malware. ### Details On the latest version of Redaxo, v5.18.2, the mediapool/media page is vulnerable to arbitrary file upload. ### PoC 1. Log in to the portal then navigate to `Mediapool`. 2. Upload a png file (ex: poc.png) ![1](https://github.com/user-attachments/assets/e9165434-d2cd-437b-87a3-f9527d4f3070) 3. Intercept the upload HTTP request on burp suite and change `filename: poc.1html`, `Content-Type:image/html` and insert the malicious html code. (ex: `<IFRAME SRC="javascript:alert(1);"></IFRAME>`) ![2](https://github.com/user-attachments/assets/f8da0e6b-e807-46be-a867-dc31b1e13e57) 4. Forward the request. 5. Navigate to the file. ![3](https://github.com/user-attachments/assets/4c44c5cf-8467-452d-b249-cf2d72e0d328) ![4](https://github.com/user-attachments/assets/29db80e3-a5b9-43...

ghsa
Open in Source
#vulnerability#git#java
US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem

The Justice Department claims 10 alleged hackers and two Chinese government officials took part in a wave of cyberattacks around the globe that included breaching the US Treasury Department and more.

I spoke to a task scammer. Here&#8217;s how it went

Task scams are increasing in volume. We followed up on an invitation by a task scammer to get a first hand look on how they work.

LinkedIn Phishing Scam: Fake InMail Messages Spreading ConnectWise Trojan

Cofense uncovers new LinkedIn phishing scam delivering ConnectWise RAT. Learn how attackers bypass security with fake InMail emails…

Seven Malicious Go Packages Found Deploying Malware on Linux and macOS Systems

Cybersecurity researchers are alerting of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules that are designed to deploy loader malware on Linux and Apple macOS systems. "The threat actor has published at least seven packages impersonating widely used Go libraries, including one (github[.]com/shallowmulti/hypert) that appears to target financial-sector developers

PayPal scam abuses Docusign API to spread phishy emails

Phishers are once again using the Docusign API to send out fake documents, this time looking as if they come from PayPal.

Scammers Mailing Ransom Letters While Posing as BianLian Ransomware

Scammers are impersonating BianLian ransomware, and mailing fake ransom letters to businesses. Learn the red flags and how…

GHSA-fr62-mg2q-7wqv: In-memory stored Cross-site scripting (XSS) vulnerability in pineconesim

### Impact The Pinecone Simulator (pineconesim) included in Pinecone up to commit https://github.com/matrix-org/pinecone/commit/ea4c33717fd74ef7d6f49490625a0fa10e3f5bbc is vulnerable to stored cross-site scripting. The payload storage is not permanent and will be wiped when restarting pineconsim. ### Patches Commit https://github.com/matrix-org/pinecone/commit/218b2801995b174085cb1c8fafe2d3aa661f85bd contains the fixes. ### Workarounds N/A ### For more information If you have any questions or comments about this advisory, please email us at [security at matrix.org](mailto:security@matrix.org).

JavaGhost Uses Amazon IAM Permissions to Phish Organizations

Unit 42 uncovers JavaGhost’s evolving AWS attacks. Learn how this threat actor uses phishing, IAM abuse, and advanced…