Security
Headlines
HeadlinesLatestCVEs

Latest News

Grip Security Releases 2025 SaaS Security Risks Report

DARKReading
#vulnerability#microsoft
Microsoft: Healthcare Sees 300% Surge in Ransomware Attacks

Even after the ransom is paid, such attacks lead to spikes in strokes and heart attacks and increased wait times for patients.

Critical Bug Exploited in Fortinet's Management Console

An attacker compromised one of Fortinet's most sensitive products and mopped up all kinds of reconnaissance data helpful for future mass device attacks.

GHSA-c479-wq8g-57hr: Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled

### Impact When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain-text, storing a user's password in plain text. If a malicious user obtains access to these logs they could *potentially* authenticate against a user's account; assuming they are able to discover the account's email address or username **separately**. ### Patches This problem has been patched by <https://github.com/pterodactyl/panel/commit/8be2b892c3940bdc0157ccdab16685a72d105dd1> on the `1.0-develop` branch and released under `v1.11.8` as a single commit on top of `v1.11.7` <https://github.com/pterodactyl/panel/commit/75b59080e2812ced677dab516222b2a3bb34e3a4> Patch file: <https://github.com/pterodactyl/panel/commit/8be2b892c3940bdc0157ccdab16685a72d105dd1.patch> ...

GHSA-rjfv-pjvx-mjgv: AWS Load Balancer Controller automatically detaches externally associated web ACL from Application Load Balancers

### Summary  The AWS Load Balancer Controller includes an optional, default-enabled feature that manages WAF WebACLs on Application Load Balancers (ALBs) on your behalf. In versions 2.8.1 and earlier, if the WebACL annotation [1] [alb.ingress.kubernetes.io/wafv2-acl-arn](http://alb.ingress.kubernetes.io/wafv2-acl-arn) or [alb.ingress.kubernetes.io/waf-acl-id](http://alb.ingress.kubernetes.io/waf-acl-id) was absent on Ingresses, the controller would automatically disassociate any existing WebACL from the ALBs, including those associated by AWS Firewall Manager (FMS). Customers on impacted versions should upgrade to prevent this issue from occurring. ### Impact  WebACLs attached to ALBs managed by the AWS Load Balancer Controller through methods other than Ingress annotations may be automatically removed, leaving the ALBs unprotected by WebACL.  Impacted versions: [>=2.0.0;<2.8.2]  ### Patches  We addressed this issue in version 2.8.2 [2] and recommend customers upgrade. Now, if t...

'Shift Left' Gets Pushback, Triggers Security Soul Searching

A government report's criticism of the 100x metric often used to justify fixing software earlier in development fuels a growing debate over pushing responsibility for secure code onto developers.

GHSA-qfwq-6jh6-8xx4: OpenRefine has a path traversal in LoadLanguageCommand

The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. When doing so, it does not check that the resulting path is in the expected directory, which means that this command could be exploited to read other JSON files on the file system. The command should be patched by checking that the normalized path is in the expected directory.

GHSA-g8v9-c8m3-942v: Remote code execution in php-heic-to-jpg

php-heic-to-jpg <= 1.0.5 is vulnerable to remote code execution. An attacker who can upload heic images is able to execute code on the remote server via the file name. As a result, the CIA is no longer guaranteed. This affects php-heic-to-jpg 1.0.5 and below.