Security
Headlines
HeadlinesLatestCVEs

Tag

#web

The Impact of Cybersecurity on Game Development

The gaming industry has grown into a massive global market, with millions of players engaging in online multiplayer…

HackRead
#vulnerability#web#mac#ddos#dos#git#auth#ssl
GHSA-9x4v-xfq5-m8x5: Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)

### Summary The better-auth `/api/auth/error` page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability. ### Details The value of `error` URL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81 ### PoC https://demo.better-auth.com/api/auth/error?error=%3Cscript%3Ealert(1)%3C/script%3E ![image](https://github.com/user-attachments/assets/35b1b95d-3dc9-45fd-89cd-20cd0361bb6c) ### Impact An attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser. Because better-auth is a dependency of web applications, the impact of such a vulnerability is unknowable; it depends on the functionality of the application/site using better-auth. I have calculated the CVSS score assuming the hypothetical victim is an...

GHSA-mj4v-hp69-27x5: Plenti - Code Injection - Denial of Services

### Summary While pushing a file via postLocal method if user add javascript code in file parameter that codes can exe in v8go context. ### Details While posting a file via postLocal, any attacker will add javascript codes to file parameter. That parameter content pass to componentSignature method after some validation. After that componentSignature parameter concat with ssrStr parameter. <img width="1145" alt="image" src="https://github.com/user-attachments/assets/a08a3fe5-2fbd-4a05-b93c-2ad127e6ee81" /> Last part of compileSvelte function ssrStr parameter executed in v8go engine. <img width="754" alt="image" src="https://github.com/user-attachments/assets/4e622761-3324-48d6-8264-6dd6e09055af" /> This cause to any one who can post a file also can push javascript code and run it. Thanks to v8go we can't use all javascript metod, if there is no any vulnerability in v8go we can't escape sandbox and can't run dangerous command like opening socket etc. But we can create infinite loop ...

GHSA-cxqq-w3x5-7ph3: MobSF Stored Cross-Site Scripting (XSS)

**Product:** MobSF **Version:** < 4.3.1 **CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.4.0:** 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) **CVSS vector v.3.1:** 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) **Description:** Stored XSS in the iOS Dynamic Analyzer functionality. **Impact:** Leveraging this vulnerability would enable performing actions as users, including administrative users. **Vulnerable component:** `dynamic_analysis.html` https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406 **Exploitation conditions:** A malicious application was uploaded to the Correlium. **Mitigation:** Use `escapeHtml()` function on the `bundle` variable. **Researcher: Oleg Surnin (Positive Technologies)** ## Research Researcher discovered zero-day vulnerability Stored Cross-site Scripting (XSS) in ...

The Collapse of USAID Is Already Fueling Human Trafficking and Slavery at Scammer Compounds

The dismantling of USAID by Elon Musk's DOGE and a State Department funding freeze have severely disrupted efforts to help people escape forced labor camps run by criminal scammers.

Banking Malware Uses Live Numbers to Hijack OTPs, Targeting 50,000 Victims

A banking malware campaign using live phone numbers to redirect SMS messages has been identified by the zLabs research team, uncovering 1,000+ malicious apps and 2.5GB of exposed data.

Michael Trites Joins Aembit as Senior Vice President of Global Sales

Silver Spring, Maryland, 5th February 2025, CyberNewsWire

Cybercriminals Use Go Resty and Node Fetch in 13 Million Password Spraying Attempts

Cybercriminals are increasingly leveraging legitimate HTTP client tools to facilitate account takeover (ATO) attacks on Microsoft 365 environments. Enterprise security company Proofpoint said it observed campaigns using HTTP clients Axios and Node Fetch to send HTTP requests and receive HTTP responses from web servers with the goal of conducting ATO attacks. "Originally sourced from public

Despite Catastrophic Hacks, Ransomware Payments Dropped Dramatically Last Year

Ransomware gangs continued to wreak havoc in 2024, but new research shows that the amounts victims paid these cybercriminals fell by hundreds of millions of dollars.