Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Scammers Pose as Cl0p Ransomware to Send Fake Extortion Letters

Scammers are sending fake extortion and ransom demands while posing as ransomware gangs, including the notorious Cl0p ransomware.…

HackRead
Open in Source
#vulnerability#git#auth
A week in security (March 10 – March 16)

A list of topics we covered in the week of March 10 to March 16 of 2025

GHSA-89xp-c3mq-qj84: gurk (aka gurk-rs) mishandles ANSI escape sequences

gurk (aka gurk-rs) through 0.6.3 mishandles ANSI escape sequences.

Start-up Security 101: How to Protect Your Venture from Cybersecurity Risk

Did you know that 43% of cyberattacks target small businesses, yet only 14% are prepared to defend themselves?…

GHSA-pwf9-q62p-v7wc: Wire has Uncontrolled Recursion on Nested Groups

Square Wire before 5.2.0 does not enforce a recursion limit on nested groups in ByteArrayProtoReader32.kt and ProtoReader.kt.

GHSA-jrqj-6vq2-7r63: onos-lib-go allows an index out-of-range panic

Open Networking Foundation SD-RAN ONOS onos-lib-go 0.10.28 allows an index out-of-range panic in asn1/aper GetBitString via a zero value of numBits.

GHSA-mrrh-fwg8-r2c3: tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs.

tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were not originally affected, but were modified by a threat actor to point at commit 0e58ed8, which contains the malicious updateFeatures code.)

GHSA-6m2c-76ff-6vrf: Qiskit allows arbitrary code execution decoding QPY format versions < 13

### Impact A maliciously crafted QPY file containing can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats < 13. A python process calling Qiskit's `qiskit.qpy.load()` function could potentially execute any arbitrary Python code embedded in the correct place in the binary file as part of specially constructed payload. ### Patches Fixed in Qiskit 1.4.2 and in Qiskit 2.0.0rc2

GHSA-q65w-fg65-79f4: Post-Quantum Secure Feldman's Verifiable Secret Sharing has Timing Side-Channels in Matrix Operations

**Description:** The `feldman_vss` library contains timing side-channel vulnerabilities in its matrix operations, specifically within the `_find_secure_pivot` function and potentially other parts of `_secure_matrix_solve`. These vulnerabilities are due to Python's execution model, which does not guarantee constant-time execution. An attacker with the ability to measure the execution time of these functions (e.g., through repeated calls with carefully crafted inputs) could potentially recover secret information used in the Verifiable Secret Sharing (VSS) scheme. The `_find_secure_pivot` function, used during Gaussian elimination in `_secure_matrix_solve`, attempts to find a non-zero pivot element. However, the conditional statement `if matrix[row][col] != 0 and row_random < min_value:` has execution time that depends on the value of `matrix[row][col]`. This timing difference can be exploited by an attacker. The `constant_time_compare` function in this file also does not provide a con...

GHSA-vhv4-fh94-jm5x: JS Html Sanitizer allows XSS when used with contentEditable

### Impact XSS vulnerability when the sanitizer is used with a `contentEditable` element to set the elements `innerHTML` to a sanitized string produced by the package. If the code is particularly crafted to abuse the code beautifier, that runs AFTER sanitation. ### Patches Patched in version 2.0.3