#git

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.0.

A vulnerability has been found in pedroetb tts-api up to 2.1.4 and classified as critical. This vulnerability affects the function onSpeechDone of the file app.js. The manipulation leads to os command injection. Upgrading to version 2.2.0 is able to address this issue. The patch is identified as 29d9c25415911ea2f8b6de247cb5c4607d13d434. It is recommended to upgrade the affected component. VDB-248278 is the identifier assigned to this vulnerability.

This improper authorization vulnerability allows an unauthenticated attacker to reset Confluence and create a Confluence instance administrator account. Using this account, an attacker can then perform all administrative actions that are available to the Confluence instance administrator. This Metasploit module uses the administrator account to install a malicious .jsp servlet plugin which the user can trigger to gain code execution on the target in the context of the of the user running the confluence server.

By Waqas But the gang may already be back with a new domain. This is a post from HackRead.com Read the original post: FBI Seizes Dark Web Domain of Blackcat – ALPHV Ransomware

By Owais Sultan Building a successful business is no small feat. You pour your heart and soul into it – serving… This is a post from HackRead.com Read the original post: 5 Fraud Prevention Strategies That Help Companies Ward Off Cyber Attacks

Threat actors are increasingly making use of GitHub for malicious purposes through novel methods, including abusing secret Gists and issuing malicious commands via git commit messages. "Malware authors occasionally place their samples in services like Dropbox, Google Drive, OneDrive, and Discord to host second stage malware and sidestep detection tools," ReversingLabs researcher Karlo Zanki

Relive Talos' top stories from the past year as we recap the top malware and other threats that came our way.

By Deeba Ahmed From WhatsApp to Telegram: New Twist on Old Scam Exploits Users for Money via YouTube Video Engagement. This is a post from HackRead.com Read the original post: “Get Paid to Like Videos”? This YouTube Scam Leads to Empty Wallets

An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts.This issue affects Apache Superset: before 2.1.3, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue.

A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.This issue affects Apache Superset: before 2.1.3, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 2.1.3 or 3.0.2, which fixes the issue.