Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-j24h-xcpc-9jw8: Eclipse IDE XXE in eclipse.platform

### Impact xml files like ".project" are parsed vulnerable against all sorts of XXE attacks. The user just needs to open any evil project or update an open project with a vulnerable file (for example for review a foreign repository or patch). Vulnerablility was found by static code analysis (SonarLint). Example `.project` file: ``` <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE price [ <!ENTITY xxe SYSTEM "http://127.0.0.1:49416/evil">]> <projectDescription> <name>p</name> <comment>&xxe;</comment> </projectDescription> ``` ### Patches Similar patches including junit test that shows the vulnerability have already applied to PDE (see https://github.com/eclipse-pde/eclipse.pde/pull/667). A solution to platform should be the same: just reject parsing any XML that contains any `DOCTYPE`. ### Workarounds No known workaround. User can only avoid to get/open any foreign files with eclipse. Firewall rules against loss of data (but not against XML bomb). ### References https://cwe.mit...

ghsa
Open in Source
#vulnerability#web#git#java#maven
GHSA-prr3-c3m5-p7q2: @adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity

### Impact @adobe/css-tools version 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS. ### Patches The issue has been resolved in 4.3.2. ### Workarounds None ### References N/A

Android Banking Malware FjordPhantom Steals Funds Via Virtualization

By Waqas Thus far, the FjordPhantom malware has defrauded victims of around $280,000 (£225,000). This is a post from HackRead.com Read the original post: Android Banking Malware FjordPhantom Steals Funds Via Virtualization

CVE-2023-6342: Courts & Justice | Courts & Public Safety

Tyler Technologies Court Case Management Plus allows a remote attacker to authenticate as any user by manipulating at least the 'CmWebSearchPfp/Login.aspx?xyzldk=' and 'payforprint_CM/Redirector.ashx?userid=' parameters. The vulnerable "pay for print" feature was removed on or around 2023-11-01.

Feds Seize 'Sinbad' Crypto Mixer Used by North Korea's Lazarus

The prolific threat actor has laundered hundreds of millions of dollars in stolen virtual currency through the service.

GHSA-pr4w-m4rp-gp87: PHPMemcachedAdmin vulnerable to cross-site scripting (XSS) via improper encoding

A critical flaw has been identified in elijaa/phpmemcachedadmin affecting version 1.3.0, specifically related to a stored XSS vulnerability. This vulnerability allows malicious actors to insert a carefully crafted JavaScript payload. The issue arises from improper encoding of user-controlled entries in the "/pmcadmin/configure.php" parameter.

GHSA-8qfm-h8rh-h3r7: PHPMemcachedAdmin Path Traversal vulnerability

A Path traversal vulnerability has been reported in elijaa/phpmemcachedadmin affecting version 1.3.0. This vulnerability allows an attacker to delete files stored on the server due to lack of proper verification of user-supplied input.

8 Tips on Leveraging AI Tools Without Compromising Security

AI tools can deliver quick and easy results and offer huge business benefits — but they also bring hidden risks.