Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-5pxh-89cx-4668: Magento LTS vulnerable to stored XSS in theme config fields

As reported by [Aakash Adhikari](https://hackerone.com/dark_haxor), Github: @justlife4x4, the Design > Themes > Skin (Images / CSS) config field allows a Stored XSS when it contains an end script tag. ### Impact A malicious user with access to this configuration field could use a Stored XSS to affect other authenticated admin users in the admin panel. The attack requires an admin user with configuration access, so in practice, it is not very likely to be used for gaining elevated privileges, although it could theoretically be used to impersonate other users. ![image](https://github.com/user-attachments/assets/fd5b8f31-bf0c-4e87-8b50-03c6c8428bed)

ghsa
#xss#vulnerability#git#auth
Fake IT Support Calls Trick Microsoft Teams Users into Installing Ransomware

Cybercriminals pose as IT support, using fake calls and Microsoft Teams messages to trick users into installing ransomware through email floods and remote access.

GHSA-3mv9-4h5g-vhg3: tsup DOM Clobbering vulnerability

A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components

GHSA-pfr4-4397-3hg8: seajs Cross-site Scripting vulnerability

Cross Site Scripting vulnerability in seajs v.2.2.3 allows a remote attacker to execute arbitrary code via the seajs package

GHSA-3mf5-r4hg-hfx9: mavo DOM Clobbering vulnerability

A DOM Clobbering vulnerability in mavo v0.3.2 allows attackers to execute arbitrary code via supplying a crafted HTML element.

GHSA-2h4w-p9fh-9rmv: Apache Ranger Improper Neutralization of Formula Elements vulnerability

Improper Neutralization of Formula Elements in Export CSV feature of Apache Ranger in Apache Ranger Version < 2.6.0. Users are recommended to upgrade to version 2.6.0, which fixes this issue.

GHSA-vr75-hjh9-7fr6: Duplicate Advisory: Remote Code Execution via Malicious Pickle File Bypassing Static Analysis

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-655q-fx9r-782v. This link is maintained to preserve external references. ## Original Description picklescan before 0.0.21 does not treat 'pip' as an unsafe global. An attacker could craft a malicious model that uses Pickle to pull in a malicious PyPI package (hosted, for example, on pypi.org or GitHub) via `pip.main()`. Because pip is not a restricted global, the model, when scanned with picklescan, would pass security checks and appear to be safe, when it could instead prove to be problematic.

Hackers Exploit AWS Misconfigurations to Launch Phishing Attacks via SES and WorkMail

Threat actors are targeting Amazon Web Services (AWS) environments to push out phishing campaigns to unsuspecting targets, according to findings from Palo Alto Networks Unit 42. The cybersecurity company is tracking the activity cluster under the name TGR-UNK-0011 (short for a threat group with unknown motivation), which it said overlaps with a group known as JavaGhost. TGR-UNK-0011 is known to

GHSA-vh64-54px-qgf8: Goroutine Leak in Abacus SSE Implementation

## Goroutine Leak in Abacus SSE Implementation ### Summary A critical goroutine leak vulnerability has been identified in the Abacus server's Server-Sent Events (SSE) implementation. The issue occurs when clients disconnect from the `/stream` endpoint, as the server fails to properly clean up resources and terminate associated goroutines. This leads to resource exhaustion where the server continues running but eventually stops accepting new SSE connections while maintaining high memory usage. The vulnerability specifically involves improper channel cleanup in the event handling mechanism, causing goroutines to remain blocked indefinitely. ### [POC](https://github.com/JasonLovesDoggo/abacus/blob/main/docs/bugs/GHSA-vh64-54px-qgf8/test.py) ### Impact This vulnerability affects all versions of Abacus prior to v1.4.0. The issue causes: - Permanent unresponsiveness of the `/stream` endpoint after prolonged use - Memory growth that stabilizes at a high level but prevents proper functio...

How to Automate Security Questionnaires and Reduce Response Time

Security questionnaires take a lot of time and repetitively answering the same questions manually chews up business time…