“Sad announcement” email leads to tech support scam

People are receiving disturbing emails that appear to imply something has happened to their friend or family member.

Malwarebytes

How Bitcoin’s digital signature feature facilitates Web3 adoption

Bitcoin is a pioneer in technological advancement and decentralization. As its creator states in the white paper, peer-to-peer…

Malicious QR Codes: How big of a problem is it, really?

QR codes are disproportionately effective at bypassing most anti-spam filters. Talos discovered two effective methods for defanging malicious QR codes, a necessary step to make them safe for consumption.

African Reliance on Foreign Suppliers Boosts Insecurity Concerns

Recent backdoor implants and cyber-espionage attacks on their supply chains have African organizations looking to diversify beyond Chinese, American tech vendors.

Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany

More than 3 billion phone coordinates collected by a US data broker expose the detailed movements of US military and intelligence workers in Germany—and the Pentagon is powerless to stop it.

Fintech Giant Finastra Investigating Data Breach

The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world's top 50 banks, notified customers of a potential breach after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.

Linux Variant of Helldown Ransomware Targets VMware ESXi Systems

Since surfacing in August, the likely LockBit variant has claimed more than two dozen victims and appears poised to strike many more.

GHSA-5jfw-gq64-q45f: HTML Cleaner allows crafted scripts in special contexts like svg or math to pass through

### Impact

The HTML Parser in lxml does not properly handle context-switching for special HTML tags such as `<svg>`, `<math>` and `<noscript>`. This behavior deviates from how web browsers parse and interpret such tags. Specifically, content in CSS comments is ignored by lxml_html_clean but may be interpreted differently by web browsers, enabling malicious scripts to bypass the cleaning process. This vulnerability could lead to Cross-Site Scripting (XSS) attacks, compromising the security of users relying on lxml_html_clean in default configuration for sanitizing untrusted HTML content.

### Patches

Users employing the HTML cleaner in a security-sensitive context should upgrade to lxml 0.4.0, which addresses this issue.

### Workarounds

As a temporary mitigation, users can configure lxml_html_clean with the following settings to prevent the exploitation of this vulnerability:

* `remove_tags`: Specify tags to remove - their content is moved to their parents' tags.
* `kill_tags`: Spec...

GHSA-p7f6-8mcm-fwv3: Statamic CMS has a Path Traversal in Asset Upload

Assets uploaded with appropriately crafted filenames may result in them being placed in a location different than what was configured.

### Impact

- Affects front-end forms with `assets` fields.
- Affects other places where assets can be uploaded, although users would need upload permissions anyway.
- Files can be uploaded so they would be located on the server in a different location, and potentially override existing files.
- Traversal _outside_ an asset container was not possible.

### Patches

This has been fixed in 5.17.0.

Free AI editor lures in victims, installs information stealer instead on Windows and Mac

A widespread social media campaign for EditProAI turns out to spread information stealers for both Windows and MacOS users.