Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Fake Minecraft Installer Spreads NjRat Spyware to Steal Data

Fake Minecraft clone Eaglercraft 1.12 Offline spreads NjRat spyware stealing passwords, spying via webcam and microphone, warns Point…

HackRead
Open in Source
#web#windows#amazon#git#intel#backdoor#auth
GHSA-22wq-q86m-83fh: svg-sanitizer Bypasses Attribute Sanitization

#### Problem The sanitization logic at https://github.com/darylldoyle/svg-sanitizer/blob/0.21.0/src/Sanitizer.php#L454-L481 only searches for lower-case attribute names (e.g. `xlink:href` instead of `xlink:HrEf`), which allows to by-pass the `isHrefSafeValue` check. As a result this allows cross-site scripting or linking to external domains. #### Proof-of-concept _provided by azizk_ ``` <?xml version="1.0" encoding="UTF-8"?> <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100"> <a xlink:hReF="javascript:alert(document.domain)"> <rect width="100" height="50" fill="red"></rect> <text x="50" y="30" text-anchor="middle" fill="white">Click me</text> </a> </svg> ``` #### Credits The mentioned findings and proof-of-concept example were reported to the TYPO3 Security Team by the external security researcher `azizk <medazizknani@gmail.com>`.

Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”

GHSA-c9rc-mg46-23w3: Keras vulnerable to CVE-2025-1550 bypass via reuse of internal functionality

### Summary It is possible to bypass the mitigation introduced in response to [CVE-2025-1550](https://github.com/keras-team/keras/security/advisories/GHSA-48g7-3x6r-xfhp), when an untrusted Keras v3 model is loaded, even when “safe_mode” is enabled, by crafting malicious arguments to built-in Keras modules. The vulnerability is exploitable on the default configuration and does not depend on user input (just requires an untrusted model to be loaded). ### Impact | Type | Vector |Impact| | -------- | ------- | ------- | |Unsafe deserialization |Client-Side (when loading untrusted model)|Arbitrary file overwrite. Can lead to Arbitrary code execution in many cases.| ### Details Keras’ [safe_mode](https://www.tensorflow.org/api_docs/python/tf/keras/models/load_model) flag is designed to disallow unsafe lambda deserialization - specifically by rejecting any arbitrary embedded Python code, marked by the “__lambda__” class name. https://github.com/keras-team/keras/blob/v3.8.0/keras/sr...

GHSA-8mq8-c243-2335: Magento Cross-site Scripting vulnerability

Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed.

GHSA-w2cq-g8g3-gm83: content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE

### Impact A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if you provide a policy name called `__proto__` you can override the Object prototype. For example: ``` const parse = require('content-security-policy-parser'); const x = parse("default-src 'self'; __proto__ foobar"); console.log('raw print:', x); console.log('toString:', x.toString()); ``` Outputs: ``` raw print: Array { 'default-src': [ "'self'" ] } toString: foobar ``` Whilst no gadget exists in this library, it is possible via other libraries expose functionality that enable RCE. It is customary to label prototype pollution vulnerabilities in this way. The most common effect of this is denial of service, as you can trivially overwrite properties. As the content security policy is provided in HTTP queries, it is incredibly likely that network exploitation is possible. ### Patches There has been a patch implemented a year ago (11 Feb 2024), but low uptake of patched versions has not b...

WinRAR vulnerability exploited by two different groups

Two different groups were found to have abused a now patched vulneraability in popular archive software WinRAR. Who's next?

Scam hunter scammed by tax office impersonators

Scam hunter Julie-Anne Kearns, who helps scam victims online, opened up about a tax scam she fell for herself.

That &#8220;Amazon Safety Recall&#8221; message may well be a scam

Scammers are using the age old tactic of scaring victims into clicking by sending out fake product recall messages from Amazon.

Data Brokers Are Hiding Their Opt-Out Pages From Google Search

Dozens of companies are hiding how you can delete your personal data, The Markup and CalMatters found.