Security
Headlines
HeadlinesLatestCVEs

Tag

#git

100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads

An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code. "The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis

The Hacker News
#web#git#chrome#The Hacker News
23andMe and its customers’ genetic data bought by a pharmaceutical org

The bankrupt 23andMe, along with all of its genetic data, has been bought by US drugmaker Regeneron Pharmaceuticals.

Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.3 ATTENTION: Low attack complexity Vendor: Mitsubishi Electric Iconics Digital Solutions, Mitsubishi Electric Equipment: ICONICS Product Suite and Mitsubishi Electric MC Works64 Vulnerability: Execution with Unnecessary Privileges 2. RISK EVALUATION Successful exploitation of this vulnerability could result in information tampering on the target workstation. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Mitsubishi Electric Iconics Digital Solutions reports that the following versions of ICONICS Product Suite and Mitsubishi Electric MC Works64 are affected: GENESIS64 AlarmWorX Multimedia (AlarmWorX64 MMX): All Versions Mitsubishi Electric MC Works64 AlarmWorX Multimedia (AlarmWorX64 MMX): All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 EXECUTION WITH UNNECESSARY PRIVILEGES CWE-250 An execution with unnecessary privileges vulnerability in the AlarmWorX64 MMX Pager agent can provide the potential for information tampering. An attacker could make an unau...

ABUP IoT Cloud Platform

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.9 ATTENTION: Exploitable remotely/Low attack complexity Vendor: ABUP Equipment: ABUP Internet of Things (IoT) Cloud Platform Vulnerability: Incorrect Privilege Assignment 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access device profiles for which they are not authorized. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following ABUP products are affected: ABUP IoT Cloud Platform: All Versions 3.2 VULNERABILITY OVERVIEW 3.2.1 INCORRECT PRIVILEGE ASSIGNMENT CWE-266 Actors can use a maliciously crafted JavaScript Object Notation (JSON) Web Token (JWT) to perform privilege escalation by submitting the malicious JWT to a vulnerable method exposed on the cloud platform. If the exploit is successful, the user can escalate privileges to access any device managed by the Cloud Update Platform. CVE-2025-4692 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vec...

Compromised RVTools Installer Spreading Bumblebee Malware

RVTools installer on its official site was found delivering malware. Research shows it spread Bumblebee loader. Users urged to verify downloads.

New Nitrogen Ransomware Targets Financial Firms in the US, UK and Canada

Nitrogen, a ransomware strain, has emerged as a major threat to organizations worldwide, with a particular focus on…

Go-Based Malware Deploys XMRig Miner on Linux Hosts via Redis Configuration Abuse

Cybersecurity researchers are calling attention to a new Linux cryptojacking campaign that's targeting publicly accessible Redis servers. The malicious activity has been codenamed RedisRaider by Datadog Security Labs. "RedisRaider aggressively scans randomized portions of the IPv4 space and uses legitimate Redis configuration commands to execute malicious cron jobs on vulnerable systems,"

GHSA-5j3w-5pcr-f8hg: Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

### Impact Rendering `{{ attributes }}` or using any method that returns a `ComponentAttributes` instance (e.g. `only()`, `defaults()`, `without()`) ouputs attribute values directly without escaping. If these values are unsafe (e.g. contain user input), this can lead to HTML attribute injection and XSS vulnerabilities. ### Patches The issue is fixed in version `2.25.1` of `symfony/ux-twig-component` by using Twig's `EscaperRuntime` to properly escape HTML attributes in `ComponentAttributes`. If you use `symfony/ux-live-component`, you must also update it to `2.25.1` to benefit from the fix, as it reuses the `ComponentAttributes` class internally. ### Workarounds Until you can upgrade, avoid rendering `{{ attributes }}` or derived objects directly if it may contain untrusted values. Instead, use `{{ attributes.render('name') }}` for safe output of individual attributes. ### References GitHub repository: [symfony/ux](https://github.com/symfony/ux)

GHSA-4pg4-qvpc-4q3h: Multer vulnerable to Denial of Service from maliciously crafted requests

### Impact A vulnerability in Multer versions >=1.4.4-lts.1 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. ### Patches Users should upgrade to `2.0.0` ### Workarounds None ### References - https://github.com/expressjs/multer/issues/1176 - https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665

GHSA-44fp-w29j-9vj5: Multer vulnerable to Denial of Service via memory leaks from unclosed streams

### Impact Multer <2.0.0 is vulnerable to a resource exhaustion and memory leak issue due to improper stream handling. When the HTTP request stream emits an error, the internal `busboy` stream is not closed, violating Node.js stream safety guidance. This leads to unclosed streams accumulating over time, consuming memory and file descriptors. Under sustained or repeated failure conditions, this can result in denial of service, requiring manual server restarts to recover. All users of Multer handling file uploads are potentially impacted. ### Patches Users should upgrade to `2.0.0` ### Workarounds None ### References - https://github.com/expressjs/multer/pull/1120 - https://github.com/expressjs/multer/commit/2c8505f207d923dd8de13a9f93a4563e59933665