Security
Headlines
HeadlinesLatestCVEs

Tag

#ios

QuickJob 6.1 Insecure Settings

QuickJob version 6.1 suffers from an ignored default credential vulnerability.

Packet Storm
Open in Source
#sql#xss#csrf#vulnerability#web#ios#mac#windows#apple#google#ubuntu#linux#debian#cisco#git#java#php#perl#auth#ruby#firefox
GHSA-5vrp-638w-p8m2: Magento LTS vulnerable to stored Cross-site Scripting (XSS) in admin system configs

### Impact This XSS vulnerability is about the system configs * design/header/welcome * design/header/logo_src * design/header/logo_src_small * design/header/logo_alt They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases. But because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript. While this is in most usage scenarios not a relevant issue, some people work with more restrictive roles in the backend. Here the ability to inject JavaScript with these settings would be an unintended and unwanted privilege. ### Patches _Has the problem been patched? What versions should users upgrade to?_ The problem is patched with Version 20.10.1 or higher. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Possible mitigations are * Restricting access to the System Configs * checking templates where these settings are u...

OAuth+XSS Attack Threatens Millions of Web Users With Account Takeover

An attack flow that combines API flaws within "log in with" implementations and Web injection bugs could affect millions of websites.

China-Backed Phishing Attack Targets India Postal System Users

A large text-message phishing attack campaign attributed to the China-based Smishing Triad employs malicious iMessages.

Stop X’s Grok AI From Training on Your Tweets

Plus: More Pegasus spyware controversy, a major BIOS controversy, and more of the week’s top security news.

This AI-Powered Cybercrime Service Bundles Phishing Kits with Malicious Android Apps

A Spanish-speaking cybercrime group named GXC Team has been observed bundling phishing kits with malicious Android applications, taking malware-as-a-service (MaaS) offerings to the next level. Singaporean cybersecurity company Group-IB, which has been tracking the e-crime actor since January 2023, described the crimeware solution as a "sophisticated AI-powered phishing-as-a-service platform"