Security
Headlines

GHSA-xpxp-r8hf-wgf6: WSO2 products vulnerable to Cross-site Scripting

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

Cryptojacking Campaign Exploits DevOps APIs Using Off-the-Shelf Tools from GitHub

Cybersecurity researchers have discovered a new cryptojacking campaign that's targeting publicly accessible DevOps web servers such as those associated with Docker, Gitea, and HashiCorp Consul and Nomad to illicitly mine cryptocurrencies. Cloud security firm Wiz, which is tracking the activity under the name JINX-0132, said the attackers are exploiting a wide range of known misconfigurations and

US Sanctions Philippines’ Funnull Technology Over $200M Crypto Scam

The US Department of the Treasury has taken action against Funnull Technology Inc. for enabling massive pig butchering…

Victims risk AsyncRAT infection after being redirected to fake Booking.com sites

We found that cybercriminals are preparing for the impending holiday season with a redirect campaign leading to AsyncRAT.

A week in security (May 26 – June 1)

A list of topics we covered in the week of May 26 to June 1 of 2025

GHSA-8j8w-wwqc-x596: Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

What does Facebook know about me? (Lock and Code S06E11)

This week on the Lock and Code podcast, host David Ruiz digs into his own Facebook data to see what the social media giant knows about him.

Flowable’s Smart Automation Tools Are Reshaping How Enterprises Operate in 2025

As more businesses face pressure to do more with fewer resources, automation platforms like Flowable are becoming central…

Interlock Ransomware Deploys New NodeSnake RAT in UK Attacks

Quorum Cyber identifies two new NodeSnake RAT variants, strongly attributed to Interlock ransomware, impacting UK higher education and local government.

GHSA-wv8j-m3hx-924j: Arrow2 allows out of bounds access in public safe API

`Rows::row_unchecked()` allows out-of-bounds access to the underlying buffer without sufficient checks. The arrow2 crate is no longer maintained, so there are no plans to fix this issue. Users are advised to migrate to the arrow crate instead.