Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-q765-wm9j-66qj: @blakeembrey/template vulnerable to code injection when attacker controls template input

### Impact It is possible to inject and run code within the template if the attacker has access to write the template name. ```js const { template } = require('@blakeembrey/template'); template("Hello {{name}}!", "exploit() {} && ((()=>{ console.log('success'); })()) && function pwned"); ``` ### Patches Upgrade to 1.2.0. ### Workarounds Don't pass untrusted input as the template display name, or don't use the display name feature. ### References Fixed by removing in https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa.

ghsa
Open in Source
#nodejs#js#git
GHSA-4qrm-9h4r-v2fx: Tina search token leak via lock file in TinaCMS

### Impact Tina search token leaked via lock file (tina-lock.json) in TinaCMS. Sites building with @tinacms/cli < 1.6.2 that use a search token are impacted. If your Tina-enabled website has search setup, you should rotate that key immediately. ### Patches This issue has been patched in @tinacms/[email protected] ### Workarounds Upgrading, and rotating search token is required for the proper fix. ### References https://github.com/tinacms/tinacms/pull/4758

GHSA-gprj-6m2f-j9hx: DOM clobbering could escalate to Cross-site Scripting (XSS)

Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of `document.currentScript.src`. It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example: ```html <img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img> ``` This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML to your live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the XSS vector. Pagefind has tightened this resolution by ensuring the source is loaded from a...

City of Columbus tries to silence security researcher

The City of Columbus filed a lawsuit against a researcher for trying to inform the public about the nature data stolen by a ransomware group

Texas Instruments Fusion Digital Power Designer 7.10.1 Credential Disclosure

Texas Instruments Fusion Digital Power Designer version 7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials.

Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus. "Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools. "For instance, the attackers took advantage of the relatively recent CVE-2023-38831 vulnerability in WinRAR, which

New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems

Cybersecurity researchers have unpacked the inner workings of a new ransomware variant called Cicada3301 that shares similarities with the now-defunct BlackCat (aka ALPHV) operation. "It appears that Cicada3301 ransomware primarily targets small to medium-sized businesses (SMBs), likely through opportunistic attacks that exploit vulnerabilities as the initial access vector," cybersecurity

Threat actors using MacroPack to deploy Brute Ratel, Havoc and PhantomCore payloads

The threat of VBA macros has diminished since Microsoft prevented the execution of macros in Microsoft Office documents downloaded from the internet, but not all users are using the latest up-to-date Office versions and can still be vulnerable.

Rocinante Trojan Poses as Banking Apps to Steal Sensitive Data from Brazilian Android Users

Mobile users in Brazil are the target of a new malware campaign that delivers a new Android banking trojan named Rocinante. "This malware family is capable of performing keylogging using the Accessibility Service, and is also able to steal PII from its victims using phishing screens posing as different banks," Dutch security company ThreatFabric said. "Finally, it can use all this exfiltrated

Secrets Exposed: Why Your CISO Should Worry About Slack

In the digital realm, secrets (API keys, private keys, username and password combos, etc.) are the keys to the kingdom. But what if those keys were accidentally left out in the open in the very tools we use to collaborate every day? A Single Secret Can Wreak Havoc Imagine this: It's a typical Tuesday in June 2024. Your dev team is knee-deep in sprints, Jira tickets are flying, and Slack is