Security
Headlines
HeadlinesLatestCVEs

Tag

#git

What’s new in the MSRC Report Abuse Portal and API

The Microsoft Security Response Center (MSRC) has always been at the forefront of addressing cyber threats, privacy issues, and abuse arising from Microsoft Online Services. Building on our commitment, we have introduced several key updates to the Report Abuse Portal and API, which will significantly improve the way we handle and respond to abuse reports.

msrc-blog
#vulnerability#web#microsoft#ddos#dos#js#git#oauth#auth
Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks

Cybersecurity researchers have discovered an attack campaign that targets various Israeli entities with publicly-available frameworks like Donut and Sliver. The campaign, believed to be highly targeted in nature, "leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on

South Korean ERP Vendor's Server Hacked to Spread Xctdoor Malware

An unnamed South Korean enterprise resource planning (ERP) vendor's product update server has been found to be compromised to deliver a Go-based backdoor dubbed Xctdoor. The AhnLab Security Intelligence Center (ASEC), which identified the attack in May 2024, did not attribute it to a known threat actor or group, but noted that the tactics overlap with that of Andariel, a sub-cluster within the

GHSA-8fj2-587w-5whr: aimeos/ai-admin-jsonadm improper access control vulnerability allows editors to remove required records

### Impact Improper access control allows editors to remove admin group and locale configuration in Aimeos backend

GHSA-jj68-cp4v-98qf: aimeos/ai-admin-graphql improper access control vulnerability allows editors to manage own services

aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.

GHSA-vc7j-99jw-jrqm: aimeos/ai-admin-graphql improper access control vulnerability allows an editor to modify admin account

aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.01 and prior to versions 2022.10.10, 2023.10.6, and 2024.04.6, an improper access control vulnerability allows an editor to modify and take over an admin account in the back end. Versions 2022.10.10, 2023.10.6, and 2024.04.6 fix this issue.

GHSA-cvw4-c69g-7v7m: Inclusion of Untrusted polyfill.io Code Vulnerability in fides.js

### Note On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability **unexploitable**. The following sections describe this vulnerability prior to the domain level intervention, when it was still exploitable. ### Impact `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. On June 25th, 2024, Sansec published the following regarding the `polyfill.io` domain. > The polyfill.js is a popular open source library to support older browsers. 100K+ sites embed it using the cdn.polyfill.io domain... However, in February this year, a Chinese company bought the domain and the Github account. Since then, this domain was caught injecting malware on mobile devices via ...

GHSA-79w7-vh3h-8g4j: yt-dlp File system modification and RCE through improper file-extension sanitization

### Summary `yt-dlp` does not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` also reads config from the working directory (and on Windows executables will be executed from the yt-dlp directory) this could lead to arbitrary code being executed. ### Patches `yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. This means some very uncommon extensions might not get downloaded; however, it will also limit the possible exploitation surface. ### Workarounds It is recommended to upgrade yt-dlp to version 2024.07.01 as soon as possible, **always** have `.%(ext)s` at the end of the output template, and make sure you trust the websites that you are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like your user directory, `system32`, or other binaries locations. For users not able to up...

Prudential Financial data breach impacts 2.5 million people, not 36,000 as first thought

It turns out that a breach at the Prudential impacted a lot more people than was initially thought. The company is now offering identity monitoring to affected customers.

How MFA Failures are Fueling a 500% Surge in Ransomware Losses

The cybersecurity threat landscape has witnessed a dramatic and alarming rise in the average ransomware payment, an increase exceeding 500%. Sophos, a global leader in cybersecurity, revealed in its annual "State of Ransomware 2024" report that the average ransom payment has increased 500% in the last year with organizations that paid a ransom reporting an average payment of $2 million, up from