Security
Headlines
HeadlinesLatestCVEs

Tag

#ios

GHSA-5vrp-638w-p8m2: Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs

### Impact This XSS vulnerability is about the system configs * design/header/welcome * design/header/logo_src * design/header/logo_src_small * design/header/logo_alt They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases. But because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript. While this is in most usage scenarios not a relevant issue, some people work with more restrictive roles in the backend. Here the ability to inject JavaScript with these settings would be an unintended and unwanted privilege. ### Patches _Has the problem been patched? What versions should users upgrade to?_ The problem is patched with Version 20.10.1 or higher. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Possible mitigations are * Restricting access to the System Configs * checking templates where these settings are u...

ghsa
Open in Source
#xss#vulnerability#ios#java
OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover

An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites.

China-Backed Phishing Attack Targets India Postal System Users

A large text-message phishing attack campaign attributed to the China-based Smishing Triad employs malicious iMessages.

Stop X’s Grok AI From Training on Your Tweets

Plus: More Pegasus spyware controversy, a major BIOS controversy, and more of the week’s top security news.

This AI-Powered Cybercrime Service Bundles Phishing Kits with Malicious Android Apps

A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level. Singaporean cybersecurity company Group-IB, which has been tracking the e-crime actor since January 2023, described the crimeware solution as a "sophisticated AI-powered phishing-as-a-service platform"

Mimecast Joins Human Risk Management Fray With Code42 Deal

Mimecast's acquisition of Code42 helps the company move into insider risk management, joining key rival Proofpoint and others in the space.

Is Our Water Safe to Drink? Securing Our Critical Infrastructure

Our critical systems can be protected from looming threats by embracing a proactive approach, investing in education, and fostering collaboration between IT and OT professionals.

6 Types of Applications Security Testing You Must Know About

While the specifics for security testing vary for applications, web applications, and APIs, a holistic and proactive applications security strategy is essential for all three types. There are six core types of testing that every security professional should know about to secure their applications, regardless of what phase they are in in development or deployment. In this article, we will

IR Trends: Ransomware on the rise, while technology becomes most targeted sector

Although there was a decrease in BEC engagements from last quarter, it was still a major threat for the second quarter in a row.