Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-vm77-mr48-27wj: nossrf Server-Side Request Forgery (SSRF)

Versions of the package nossrf before 1.0.4 are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide a hostname that resolves to a local or reserved IP address space and bypass the SSRF protection mechanism.

ghsa
Open in Source
#vulnerability#web#ssrf#auth
Coinbase Initially Targeted in GitHub Actions Supply Chain Attack; 218 Repositories' CI/CD Secrets Exposed

The supply chain attack involving the GitHub Action "tj-actions/changed-files" started as a highly-targeted attack against one of Coinbase's open-source projects, before evolving into something more widespread in scope. "The payload was focused on exploiting the public CI/CD flow of one of their open source projects – agentkit, probably with the purpose of leveraging it for further compromises,"

How Cybercriminals Exploit Notification Channels

Cybercriminals are always looking for new ways to take advantage of people. One effective method they use is…

How Counterfeiters Use Technology to Fake Product Labels (and Strategies to Combat Fraud)

Counterfeit products are a growing problem in today’s market. With advancements in technology, counterfeiters have become more skilled…

Why AI Systems Need Red Teaming Now More Than Ever

AI systems are becoming a huge part of our lives, but they are not perfect. Red teaming helps…

How Cybercriminals Exploit Public Info for Attacks: Understanding Risks and Prevention

Cybercriminals are skilled at using public information to their advantage. Knowing how they gather this data can help…

GHSA-4m5h-5v4q-4xgq: aizuda snail-job Vulnerable to Deserialization via `nodeExpression` Argument

A vulnerability was found in aizuda snail-job 1.4.0. It has been classified as critical. Affected is the function getRuntime of the file /snail-job/workflow/check-node-expression of the component Workflow-Task Management Module. The manipulation of the argument nodeExpression leads to deserialization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

GHSA-fmxw-76xq-cmqq: Apache Oozie Cross-Site Scripting (XSS)

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Oozie. This issue affects Apache Oozie: all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Oracle Denies Breach Amid Hacker’s Claim of Access to 6 Million Records

Oracle denies breach claims as hacker alleges access to 6 million cloud records. CloudSEK reports a potential zero-day exploit affecting 140,000 tenants.

U.S. Treasury Lifts Tornado Cash Sanctions Amid North Korea Money Laundering Probe

The U.S. Treasury Department has announced that it's removing sanctions against Tornado Cash, a cryptocurrency mixer service that has been accused of aiding the North Korea-linked Lazarus Group to launder their ill-gotten proceeds. "Based on the Administration's review of the novel legal and policy issues raised by use of financial sanctions against financial and commercial activity occurring