Security
Headlines
HeadlinesLatestCVEs

Tag

#java

48 Malicious npm Packages Found Deploying Reverse Shells on Developer Systems

A new set of 48 malicious npm packages have been discovered in the npm repository with capabilities to deploy a reverse shell on compromised systems. "These packages, deceptively named to appear legitimate, contained obfuscated JavaScript designed to initiate a reverse shell on package install," software supply chain security firm Phylum said. All the counterfeit packages have been published by

The Hacker News
Open in Source
#mac#nodejs#js#git#java#auth#The Hacker News
CVE-2023-41350: 中華電信 NOKIA G-040W-Q Excessive Authentication Attempts

Chunghwa Telecom NOKIA G-040W-Q has a vulnerability of insufficient measures to prevent multiple failed authentication attempts. An unauthenticated remote attacker can execute a crafted Javascript to expose captcha in page, making it very easy for bots to bypass the captcha check and more susceptible to brute force attacks.

CVE-2023-41343: 立即科技 Ragic 企業雲端資料庫 - Stored XSS

Rogic No-Code Database Builder's file uploading function has insufficient filtering for special characters. A remote attacker with regular user privilege can inject JavaScript to perform XSS (Stored Cross-Site Scripting) attack.

CVE-2023-42029: Security Bulletin: "Cross Site Scripting" affects IBM CICS TX Standard and IBM CICS TX Advanced

IBM CICS TX Standard 11.1, Advanced 10.1, 11.1, and TXSeries for Multiplatforms 8.1, 8.2, 9.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 266059.

CVE-2023-39053: 服部屋

An information leak in Hattoriya v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE-2023-39050: ダイキョーバリュー福江店

An information leak in Daiky-value.Fukueten v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE-2023-39047: shouzu sweets oz

An information leak in shouzu sweets oz v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

Iran’s MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing

By Deeba Ahmed MuddyWater (aka Mango Sandstorm and Static Kitten) is a cyberespionage group that's believed to be active since 2017. This is a post from HackRead.com Read the original post: Iran’s MuddyWater Group Targets Israelis with Fake Memo Spear-Phishing

CVE-2023-5035: PT-G503 Series Multiple Vulnerabilities

A vulnerability has been identified in PT-G503 Series firmware versions prior to v5.2, where the Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the cookie to be transmitted in plaintext over an HTTP session. The vulnerability may lead to security risks, potentially exposing user session data to unauthorized access and manipulation.