#git

### Impact _What kind of vulnerability is it? Who is impacted?_ This is a disclosure for a security vulnerability in the `SparseMatrix` class. The vulnerability is a deserialization issue that can lead to a wide range of privilege escalations depending on the circumstances. The problematic area is the `read` method of the `SparseMatrix` class. This method takes in an `InputStream` and returns a `SparseMatrix` object. We consider this to be a method that can be exposed to untrusted input in at least two use cases: - A user can adopt this method in an application where users can submit an `InputStream` and the application parses it into a `SparseMatrix`. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. - A user adopts the method for a local tool but receives the `InputStream` from external sources. #### Am I impacted? You are vulnerable if you import non-controlled serialized `SparseMatrix` objects. ### Patches com.powsyb...

Cybercriminals are injecting fake support phone numbers onto official sites like Bank of America and Netflix. Learn how 'search parameter injection' scams work and protect yourself now.

### Impact _What kind of vulnerability is it? Who is impacted?_ In certain places, powsybl-core XML parsing is vulnerable to an XXE attack and in on place also to an SSRF attack. This allows an attacker to elevate their privileges to read files that they do not have permissions to, including sensitive files on the system. The vulnerable class is `com.powsybl.commons.xml.XmlReader` which is considered to be untrusted in use cases where untrusted users can submit their XML to the vulnerable methods. This can be a multi-tenant application that hosts many different users perhaps with different privilege levels. #### Am I impacted? You are vulnerable if you allow untrusted users to import untrusted CGMES or XIIDM network files. ### Patches com.powsybl:powsybl-commons:6.7.2 and higher ### References [powsybl-core v6.7.2](https://github.com/powsybl/powsybl-core/releases/tag/v6.7.2)

Researchers have uncovered 30 exposed data sets containing over 16 billion login credentials which were likely harvested by infostealers.

Toy company Mattel has announced a deal with OpenAI to create AI-powered toys, but digital rights advocates have urged caution.

In a new wrinkle on the tech support scam front, these search parameter injection attacks dupe victims into believing they are receiving technical help when they are actually speaking to fraudsters.

North Korean hackers deploy PylangGhost malware through fake crypto job interviews targeting blockchain professionals with phishing and remote access tools.

Zimperium zLabs reveals GodFather malware’s advanced virtualization that hijacks mobile banking and crypto apps. Learn how it steals data on your phone.

The Android malware is targeting Turkish financial institutions, completely taking over legitimate banking and crypto apps by creating an isolated virtualized environment on a device.

Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information.