#git

The cascading supply chain attack that initially targeted Coinbase before becoming more widespread to single out users of the "tj-actions/changed-files" GitHub Action has been traced further back to the theft of a personal access token (PAT) related to SpotBugs. "The attackers obtained initial access by taking advantage of the GitHub Actions workflow of SpotBugs, a popular open-source tool for

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate

Microsoft is warning of several phishing campaigns that are leveraging tax-related themes to deploy malware and steal credentials. "These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection," Microsoft said in a report shared with The

Cybersecurity researchers at Jscamblers have uncovered a sophisticated web-skimming campaign targeting online retailers. The campaign utilizes a legacy…

Phishers are putting QR codes as images in attachments because it helps them bypass email filters.

Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with the 2 POST endpoints; /sqleditor/query_tool/download, where the query_commited parameter and /cloud/deploy endpoint, where the high_availability parameter is unsafely passed to the Python eval() function, allowing arbitrary code execution. This issue affects pgAdmin 4: before 9.2.

Jacksonville, United States, 3rd April 2025, CyberNewsWire

The first-of-its-kind solution integrates with company codebases, enabling AI agents to work in-context and generate production-grade, front-end code in minutes.

### Summary Exception messages, that are not HTTP exceptions, are visible in the JSON error response. ### Details While we wanted to make our errors compatible with the [JSON Problem](https://datatracker.ietf.org/doc/html/rfc7807) specification, we ended up handling more exceptions then we did previously (introduced at https://github.com/api-platform/core/pull/5823). Instead of leaving that to Symfony, we ended up serializing errors with our normalizers which lead to not hiding the exception details. Note that the trace is hidden in production but the message is not, and the message can contain sensitive information. ### PoC At https://github.com/ili101/api-platform/tree/test3.2 it triggers an authentication exception as LDAP is not reachable. You can find the message available as a JSON response when trying to reach an endpoint. ### Impact Version 3.2 until 3.2.4 is impacted.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: B&R Equipment: APROL Vulnerabilities: Inclusion of Functionality from Untrusted Control Sphere, Incomplete Filtering of Special Elements, Improper Control of Generation of Code ('Code Injection'), Improper Handling of Insufficient Permissions or Privileges , Allocation of Resources Without Limits or Throttling, Missing Authentication for Critical Function, Exposure of Sensitive System Information to an Unauthorized Control Sphere, Exposure of Data Element to Wrong Session, Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), External Control of File Name or Path, Incorrect Permission Assignment for Critical Resource 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute commands, elevate privileges, gather sensitive information, or alter the product. 3. TECHNICAL DETA...