Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware

A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT. "The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign," Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. "These documents and

The Hacker News
Open in Source
#vulnerability#web#windows#google#microsoft#git#intel#backdoor#pdf#auth#The Hacker News
GHSA-wm8h-26fv-mg7g: phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)

### Summary Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. ### Details SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path. ### PoC Precondition: API enabled, any authenticated non‑admin user. - Log in as a non‑admin user. - Call backup endpoint. ``` curl -c /tmp/pmf_api_cookies.txt \ -H 'Content-Type: application/json' \ -d '{"username":"tester","password":"Test1234!"}' \ http://192.168.40.16/phpmyfaq/api/v3.0/login curl -i -b /tmp/pmf_api_cookies.txt \ -X POST --data '4.0.16' \ http://192.168.40.16/phpmyfaq/api/setup/backup ``` ### Impact Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposu...

GHSA-w7rq-fgx4-4xcm: LavaLite CMS affected by a stored cross-site scripting vulnerability

LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim.

GHSA-mxc8-4jqf-368q: miniserve affected by a TOCTOU and symlink race vulnerability

A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume).

CBP Wants AI-Powered ‘Quantum Sensors’ for Finding Fentanyl in Cars

US Customs and Border Protection is paying General Dynamics to create prototype “quantum sensors,” to be used with an AI database to detect fentanyl and other narcotics.

GHSA-wvqx-m5px-6cmp: XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages

### Impact A reflected cross site scripting (XSS) vulnerability in XWiki allows an attacker to execute arbitrary actions in XWiki with the rights of the victim if the attacker manages to trick a victim into visiting a crafted URL. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. ### Patches This vulnerability has been patched in XWiki 17.8.0RC1, 17.4.5 and 16.10.12. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf#diff-8f16efedd19baae025db602d8736a105bfd8f72676af2c935b8195a0c356ee71) can be applied manually, only a single line in `templates/logging_macros.vm` needs to be changed, no restart is required. ### References * https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf * https://jira.xwiki.org/browse/XWIKI-23462 ### Attribution We thank Mike Cole @mikecole-mg for discovering and reporting this v...

GHSA-7gcm-g887-7qv7: protobuf affected by a JSON recursion depth bypass

A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.

CISA Updates KEV Catalog with Four Actively Exploited Software Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2025-68645 (CVSS score: 8.8) - A PHP remote file inclusion vulnerability in Synacor Zimbra Collaboration Suite (ZCS) that could allow a