Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-9f46-w24h-69w4: new-api is vulnerable to SSRF Bypass

### Summary A recently patched SSRF vulnerability contains a bypass method that can bypass the existing security fix and still allow SSRF to occur. Because the existing fix only applies security restrictions to the first URL request, a 302 redirect can bypass existing security measures and successfully access the intranet. ### Details Use the following script to deploy on the attacker's server. Since ports 80, 443, and 8080 are default ports within the security range set by the administrator and will not be blocked, the service is deployed on port 8080. ``` from flask import Flask, redirect app = Flask(__name__) @app.route('/redirect') def ssrf_redirect(): return redirect('http://127.0.0.1:8003/uid.txt', code=302) if __name__ == '__main__': app.run(host='0.0.0.0', port=8080) ``` Then, a request is made to the malicious service opened by the attacker, and it can be found that the resources on the intranet are successfully accessed. <img width="663" height="...

ghsa
#vulnerability#git#ssrf
GHSA-xh5w-g8gq-r3v9: Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices

A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.

Black Friday scammers offer fake gifts from big-name brands to empty bank accounts

Inside a massive malicious ad campaign that mimics brands like LEGO, Lululemon, and Louis Vuitton to trick shoppers into handing over bank details.

Matrix Push C2 abuses browser notifications to deliver phishing and malware

Attackers can send highly realistic push notifications through your browser, including fake alerts that can lead to malware or phishing pages.

Shai Hulud npm Worm Impacts 26,000+ Repos in Supply Chain Attack

The Shai Hulud worm's "Second Coming" has compromised over 26,000 public repositories. We detail the attacker's mistake, the target packages, and mandatory security tips.

Amazon Is Using Specialized AI Agents for Deep Bug Hunting

Born out of an internal hackathon, Amazon’s Autonomous Threat Analysis system uses a variety of specialized AI agents to detect weaknesses and propose fixes to the company’s platforms.

Second Sha1-Hulud Wave Affects 25,000+ Repositories via npm Preinstall Credential Theft

Multiple security vendors are sounding the alarm about a second wave of attacks targeting the npm registry in a manner that's reminiscent of the Shai-Hulud attack. The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, according to reports from Aikido, HelixGuard, Koi Security, Socket, Step Security, and Wiz. The trojanized npm packages were uploaded to

Fake Prettier Extension on VSCode Marketplace Dropped Anivia Stealer

Cybersecurity firm Checkmarx Zero, in collaboration with Microsoft, removed a malicious 'prettier-vscode-plus' extension from the VSCode Marketplace. The fake coding tool was a Brandjacking attempt designed to deploy Anivia Stealer malware and steal Windows user credentials and data.

⚡ Weekly Recap: Fortinet Exploit, Chrome 0-Day, BadIIS Malware, Record DDoS, SaaS Breach & More

This week saw a lot of new cyber trouble. Hackers hit Fortinet and Chrome with new 0-day bugs. They also broke into supply chains and SaaS tools. Many hid inside trusted apps, browser alerts, and software updates. Big firms like Microsoft, Salesforce, and Google had to react fast — stopping DDoS attacks, blocking bad links, and fixing live flaws. Reports also showed how fast fake news, AI

New RadzaRat Spyware Poses as File Manager to Hijack Android Devices

Certo Software found RadzaRat, an Android RAT disguised as a file manager that has a 0/66 detection rate on VirusTotal. It keylogs passwords and steals files.