Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Free Sniper Dz Phishing Tools Fuel 140,000+ Cyber Attacks Targeting User Credentials

More than 140,000 phishing websites have been found linked to a phishing-as-a-service (PhaaS) platform named Sniper Dz over the past year, indicating that it's being used by a large number of cybercriminals to conduct credential theft. "For prospective phishers, Sniper Dz offers an online admin panel with a catalog of phishing pages," Palo Alto Networks Unit 42 researchers Shehroze Farooqi,

The Hacker News
#web#windows#google#microsoft#cisco#git#The Hacker News
GHSA-qwrq-vxvw-537r: git-shallow-clone OS Command Injection vulnerability

All versions of the package git-shallow-clone are vulnerable to Command injection due to missing sanitization or mitigation flags in the process variable of the gitShallowClone function.

New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

Cybersecurity researchers have uncovered a new cryptojacking campaign targeting the Docker Engine API with the goal of co-opting the instances to join a malicious Docker Swarm controlled by the threat actor. This enabled the attackers to "use Docker Swarm's orchestration features for command-and-control (C2) purposes," Datadog researchers Matt Muir and Andy Giron said in an analysis. The attacks

UAE, Saudi Arabia Become Plum Cyberattack Targets

Hacktivism-related DDoS attacks have risen 70% in the region, most often targeting the public sector, while stolen data and access offers dominate the Dark Web.

Reachability Analysis Pares Down Static Security-Testing Overload

For development teams awash in vulnerability reports, reachability analysis can help tame the chaos and offer another path to prioritize exploitable issues.

Mozilla Faces GDPR Complaint Over New Firefox Tracking Feature

NOYB, a European privacy group has filed a complaint with Austrian authorities, alleging that Mozilla breached GDPR by…

GHSA-62r2-gcxr-426x: starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field

### Summary A user with the `editmyprivateinfo` right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. ### Details Here's the offending line: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137 This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c ### PoC 1. Login 2. Go to Special:Preferences 3. Set the real name field to a string like `<script>alert("Admin with a propensity for self-XSSes")</script>` 4. Save your settings and use Citizen if it's not being used already ![](https://github.com/user-attachments/assets/22adbb70-fcd7-4f81-8e53-1f5f3a730270) ### Impact Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.

GHSA-5rfv-66g4-jr8h: RestrictedPython information leakage via `AttributeError.obj` and the `string` module

### Impact A user can gain access to protected (and potentially sensible) information indirectly via `AttributeError.obj` and the `string` module. ### Patches The problem will be fixed in version 7.3. ### Workarounds If the application does not require access to the module `string`, it can remove it from `RestrictedPython.Utilities.utility_builtins` or otherwise do not make it available in the restricted execution environment.

Treat Your Enterprise Data Like a Digital Nomad

By combining agility with compliance, and security with accessibility, businesses will treat their data as a well-prepared traveler, ready for any adventure.

THN Cybersecurity Recap: Last Week's Top Threats and Trends (September 23-29)

Hold onto your hats, folks, because the cybersecurity world is anything but quiet! Last week, we dodged a bullet when we discovered vulnerabilities in CUPS that could've opened the door to remote attacks. Google's switch to Rust is paying off big time, slashing memory-related vulnerabilities in Android. But it wasn't all good news – Kaspersky's forced exit from the US market left users with more