
Tag

#web

GHSA-4qrm-9h4r-v2fx: Tina search token leak via lock file in TinaCMS

### Impact

The Tina search token is leaked via the lock file (tina-lock.json) in TinaCMS. Sites building with @tinacms/cli < 1.6.2 that use a search token are impacted. If your Tina-enabled website has search set up, you should rotate that key immediately.

### Patches

This issue has been patched in @tinacms/[email protected]

### Workarounds

Upgrading and rotating the search token are both required for a proper fix.

### References

https://github.com/tinacms/tinacms/pull/4758

GHSA-gprj-6m2f-j9hx: DOM clobbering could escalate to Cross-site Scripting (XSS)

Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of `document.currentScript.src`. It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example:

```html
<img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img>
```

This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML into your live, hosted website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the XSS vector. Pagefind has tightened this resolution by ensuring the source is loaded from a...

London’s city transport hit by cybersecurity incident

Transport for London (TfL) is apparently fighting a cybersecurity incident but is rather sparing in providing details.

Sextortion Scams Now Include Photos of Your Home

An old but persistent email scam known as "sextortion" has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target's home in a bid to make threats about publishing the videos more frightening and convincing.

City of Columbus tries to silence security researcher

The City of Columbus filed a lawsuit against a researcher for trying to inform the public about the nature of the data stolen by a ransomware group.

Vivavis HIGH-LEIT 4 / 5 Privilege Escalation

Vivavis HIGH-LEIT versions 4 and 5 allow attackers to execute arbitrary code as local system on systems where the "HL-InstallService-hlxw" or "HL-InstallService-hlnt" Windows service is running. Authentication is necessary for successful exploitation. The execution of the exploit is trivial and might affect other systems if the applications folder is shared between multiple systems, in which case the vulnerability can be used for lateral movement.

No cON Name 2024 Call For Papers

The No cON Name 2024 call for papers has been announced. It will be held in Barcelona, Spain, from November 18th through the 20th, 2024.

Webpay E-Commerce 1.0 SQL Injection

Webpay E-Commerce version 1.0 suffers from a remote SQL injection vulnerability.