Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Google Pixel Devices Shipped with Vulnerable App, Leaving Millions at Risk

A large percentage of Google's own Pixel devices shipped globally since September 2017 included dormant software that could be used to stage nefarious attacks and deliver various kinds of malware. The issue manifests in the form of a pre-installed Android app called "Showcase.apk" that comes with excessive system privileges, including the ability to remotely execute code and install arbitrary

The Hacker News
Open in Source
#vulnerability#web#android#google#aws#auth#The Hacker News
NationalPublicData.com Hack Exposes a Nation’s Data

A great many readers this month reported receiving alerts that their Social Security Number, name, address and other personal information were exposed in a breach at a little-known but aptly-named consumer data broker called NationalPublicData.com. This post examines what we know about a breach that has exposed hundreds of millions of consumer records. We'll also take a closer look at the data broker that got hacked -- a background check company founded by an actor and retired sheriff's deputy from Florida.

Dozens of Google products targeted by scammers via malicious search ads

In a clever scheme designed to abuse Google in more than one way, scammers are redirecting users to browser locks.

GHSA-vwhg-jwr4-vxgg: gettext.js has a Cross-site Scripting injection

### Impact Possible vulnerability to XSS injection if .po dictionary definition files is corrupted ### Patches Update gettext.js to 2.0.3 ### Workarounds Make sure you control the origin of the definition catalog to prevent the use of this flaw in the definition of plural forms.

AI, election security headline discussions at Black Hat and DEF CON

Voting Village co-founder Harri Hursti told Politico the list of vulnerabilities ran “multiple pages.”

LG Simple Editor 3.21.0 Command Injection

LG Simple Editor versions 3.21.0 and below suffer from an unauthenticated command injection vulnerability. The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM.

OpenMetadata 1.2.3 Authentication Bypass / SpEL Injection

This Metasploit module exploits OpenMetadata versions 1.2.3 and below by chaining an API authentication bypass using JWT tokens along with a SpEL injection vulnerability to achieve arbitrary command execution.

Apache HugeGraph Gremlin Remote Code Execution

This Metasploit module exploits CVE-2024-27348, a remote code execution vulnerability that exists in Apache HugeGraph Server in versions before 1.3.0. An attacker can bypass the sandbox restrictions and achieve remote code execution through Gremlin, resulting in complete control over the server.