Security
Headlines
HeadlinesLatestCVEs

Tag

#git

Active Nitrogen campaign delivered via malicious ads for PuTTY, FileZilla

Threat actors once again target system administrators via their favorite tools. Learn more about their TTPs and use the IOCs provide to investigate.

Malwarebytes
Open in Source
#web#google#git
GHSA-j55w-hjpj-825g: Contao: Insufficient BBCode sanitizer

### Impact If BBCode is enabled for comments, users can inject CSS styles. ### Patches Update to Contao 4.13.40 or 5.3.4. ### Workarounds Disable BBCode for comments. ### References https://contao.org/en/security-advisories/insufficient-bbcode-sanitization ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

GHSA-747v-52c4-8vj8: Contao: Unencoded insert tags in the frontend

### Impact It is possible to inject insert tags via the form generator if the submitted form data is output on the page in a specific way. ### Patches Update to Contao 4.13.40 or 5.3.4. ### Workarounds Do not output the submitted form data on the website. ### References https://contao.org/en/security-advisories/insert-tag-injection-via-the-form-generator ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).

GHSA-v24p-7p4j-qvvf: Contao: Cross site scripting in the file manager

### Impact Users can insert malicious code into file names when uploading files, which is then executed in tooltips and popups in the backend. ### Patches Update to Contao 4.13.40 or Contao 5.3.4. ### Workarounds Disable uploads for untrusted users. ### References https://contao.org/en/security-advisories/cross-site-scripting-in-the-file-manager ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose). ### Credits Thanks to Alexander Wuttke for reporting this vulnerability.

EV Charging Stations Still Riddled With Cybersecurity Vulnerabilities

As more electric vehicles are sold, the risk to compromised charging stations looms large alongside the potential for major cybersecurity exploits.

GHSA-qmr3-52xf-wmhx: Apache Zeppelin: LDAP search filter query Injection Vulnerability

Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

GHSA-66j8-c83m-gj5f: Apache Zeppelin remote code execution by adding malicious JDBC connection string

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

GHSA-rrvf-5w4r-3x7v: Apache Zeppelin vulnerable to cross-site scripting in the helium module

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. Attackers can modify `helium.json` and perform cross-site scripting attacks on normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

GHSA-g44m-x5h7-fr5q: Apache Zeppelin: Cron arbitrary user impersonation with improper privileges

Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.