Security
Headlines
HeadlinesLatestCVEs

Tag

#web

The dark side of sports betting: How mirror sites help gambling scams thrive 

Sports betting is a multi-billion-dollar industry, but behind the flashing lights and promises of easy money lies a hidden underworld of deception.

Malwarebytes
#web#ios#mac#git#auth#sap
The Rising Threat of API Attacks: How to Secure Your APIs in 2025

API attacks are constantly on the rise, with a recent alarming study showing that 59% of organizations give…

March 2025 Patch Tuesday: Microsoft Fixes 57 Vulnerabilities, 7 Zero-Days

Microsoft's March 2025 Patch Tuesday fixes six actively exploited zero-day vulnerabilities, including critical RCE and privilege escalation flaws. Learn how these vulnerabilities impact Windows systems and why immediate patching is essential.

Android devices track you before you even sign in

Google spies on Android device users, starting from even before they have logged in to their Google account.

March Microsoft Patch Tuesday

March Microsoft Patch Tuesday. 77 CVEs, 20 of which were added during the month. 7 vulnerabilities with signs of exploitation in the wild: 🔻 RCE – Windows Fast FAT File System Driver (CVE-2025-24985)🔻 RCE – Windows NTFS (CVE-2025-24993)🔻 SFB – Microsoft Management Console (CVE-2025-26633)🔻 EoP – Windows Win32 Kernel Subsystem (CVE-2025-24983)🔻 InfDisc – Windows NTFS […]

Apple Releases Patch for WebKit Zero-Day Vulnerability Exploited in Targeted Attacks

Apple on Tuesday released a security update to address a zero-day flaw that it said has been exploited in "extremely sophisticated" attacks. The vulnerability has been assigned the CVE identifier CVE-2025-24201 and is rooted in the WebKit web browser engine component. It has been described as an out-of-bounds write issue that could allow an attacker to craft malicious web content such that it

Microsoft Patch Tuesday for March 2025 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for March of 2025 which includes 57 vulnerabilities affecting a range of products, including 6 that Microsoft marked as “critical”.

GHSA-33cr-m232-xqch: cheqd-node affected by Non-deterministic JSON Unmarshalling of IBC Acknowledgement

# Description [An issue was discovered in IBC-Go's deserialization of acknowledgements](https://github.com/cosmos/ibc-go/security/advisories/GHSA-jg6f-48ff-5xrw) that results in non-deterministic behavior which can halt a chain. Any user that can open an IBC channel can introduce this state to the chain. This an upstream dependency used in cheqd-node, rather than a custom module. ## Impact Could result in a chain halt. ## Patches Validators, full nodes, and IBC relayers should upgrade to **[cheqd-node v3.1.7](https://github.com/cheqd/cheqd-node/releases/tag/v3.1.7)**. This upgrade does not require a software upgrade proposal on-chain and is meant to be non state-breaking. ## References See [ASA-2025-004: Non-deterministic JSON Unmarshalling of IBC Acknowledgement can result in a chain halt](https://github.com/cosmos/ibc-go/security/advisories/GHSA-jg6f-48ff-5xrw) upstream on IBC-Go.

GHSA-qjpx-5m2p-5pgh: Pimcore Vulnerable to SQL Injection in getRelationFilterCondition

### Summary Authenticated users can craft a filter string used to cause a SQL injection. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ This code does not look to sanitize inputs: https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Extension/RelationFilterConditionParser.php#L29-L47 c.f. with https://github.com/pimcore/pimcore/blob/c721a42c23efffd4ca916511ddb969598d302396/models/DataObject/ClassDefinition/Data/Multiselect.php#L332-L347 ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ ### Impact _What kind of vulnerability is it? Who is impacted?_

GHSA-59qh-fmm7-3g9q: Rembg CORS misconfiguration

Rembg is a tool to remove images background. In Rembg 2.0.57 and earlier, the CORS middleware is setup incorrectly. All origins are reflected, which allows any website to send cross site requests to the rembg server and thus query any API. Even if authentication were to be enabled, allow_credentials is set to True, which would allow any website to send authenticated cross site requests.