Security
Headlines
HeadlinesLatestCVEs

Tag

#git

The API Security Crisis: Why Your Company Could Be Next

You're only as strong as your weakest security link.

DARKReading
Open in Source
#vulnerability#git#perl#auth
New Go-based Backdoor GoGra Targets South Asian Media Organization

An unnamed media organization in South Asia was targeted in November 20233 using a previously undocumented Go-based backdoor called GoGra. "GoGra is written in Go and uses the Microsoft Graph API to interact with a command-and-control (C&C) server hosted on Microsoft mail services," Symantec, part of Broadcom, said in a report shared with The Hacker News. It's currently not clear how it's

Apple’s New macOS Sequoia Tightens Gatekeeper Controls to Block Unauthorized Software

Apple on Tuesday announced an update to its next-generation macOS version that makes it a little more difficult for users to override Gatekeeper protections. Gatekeeper is a crucial line of defense built into macOS designed to ensure that only trusted apps run on the operating system. When an app is downloaded from outside of the App Store and opened for the first time, it verifies that the

GHSA-p3pf-mff8-3h47: Gorush uses deprecated TLS versions

An issue discovered in the RunHTTPServer function in Gorush v1.18.4 allows attackers to intercept and manipulate data due to use of deprecated TLS version.

Attackers Use Multiple Techniques to Bypass Reputation-Based Security

Protections like Windows Smart App Control are useful but susceptible to attacks that allow threat actors initial access to an environment without triggering any alerts.

GHSA-2rwj-7xq8-4gx4: Qwik has a potential mXSS vulnerability due to improper HTML escaping

### Summary A potential mXSS vulnerability exists in Qwik for versions up to 1.6.0. ### Details Qwik improperly escapes HTML on server-side rendering. It converts strings according to the following rules: https://github.com/QwikDev/qwik/blob/v1.5.5/packages/qwik/src/core/render/ssr/render-ssr.ts#L1182-L1208 - If the string is an attribute value: - `"` -> `&quot;` - `&` -> `&amp;` - Other characters -> No conversion - Otherwise: - `<` -> `&lt;` - `>` -> `&gt;` - `&` -> `&amp;` - Other characters -> No conversion It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). ## PoC A vulnerable component: ```javascript import { component$ } from "@builder.io/qwik"; import { useLocation } from "@builder.io/qwik-city"; export default component$(() => { // user input cons...

A New Plan to Break the Cycle of Destructive Critical Infrastructure Hacks

As digital threats against US water, food, health care, and other vital sectors loom large, a new project called UnDisruptable27 aims to help fix cybersecurity weaknesses where other efforts have failed.

Russia's Priorities in Prisoner Swap Suggest Cyber Focus

At least two Russian nationals serving prison sentences for cybercrime offenses, Vladislav Klyushin and Roman Seleznev, were released as part of the landmark prisoner swap.

Hunters International Disguises SharpRhino RAT as Legitimate Network Admin Tool

The RaaS group that distributes Hive ransomware delivers new malware impersonating as validly signed network-administration software to gain initial access and persistence on targeted networks