Security
Headlines
HeadlinesLatestCVEs

Tag

#web

GHSA-79m9-55jc-p6mw: scanner has a Public API without sufficient bounds checking

`Match::get()` and `Match::ptr()` lack sufficient bounds checks, leading to potential out of bounds reads.

ghsa
Open in Source
#vulnerability#web#auth
FBI issues warning as scammers target victims of crime

The FBI has warned scammers are impersonating the IC3, tricking victims by claiming to be able to recover funds.

Europol, Poland Bust Major DDoS-for-Hire Operation, Arrest 4

Polish authorities arrest 4 behind major DDoS-for-hire sites used in global attacks. Europol, US, Germany, and Dutch forces…

Fake SSA Emails Trick Users into Installing ScreenConnect RAT

Cybercriminals are using fake Social Security Administration emails to distribute the ScreenConnect RAT (Remote Access Trojan) and compromise…

Tulsi Gabbard Reused the Same Weak Password on Multiple Accounts for Years

Now the US director of national intelligence, Gabbard failed to follow basic cybersecurity practices on several of her personal accounts, leaked records reviewed by WIRED reveal.

GHSA-f7jh-m6wp-jm7f: HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store

A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scripts can execute in the context of users who view these pages, leading to potential data theft, session hijacking, or other malicious activities. ### Impact Cross-site scripting (XSS) vulnerability in the management console. ### Patches Fixed in [HAL 3.7.11.Final](https://github.com/hal/console/releases/tag/v3.7.11) ### Workarounds No workaround available

ClickFix Scam: How to Protect Your Business Against This Evolving Threat

Cybercriminals aren’t always loud and obvious. Sometimes, they play it quiet and smart. One of the tricks of…

GHSA-p2f8-vq4r-gqg3: Liferay Portal Reflected XSS in marketplace-app-manager-web

A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/marketplace/marketplace-app-manager-web.

GHSA-rwj2-w85g-5cmm: goshs route not protected, allows command execution

### Summary It seems that when running **goshs** without arguments it is possible for anyone to execute commands on the server. This was tested on version **1.0.4** of **goshs**. The command function was introduced in version **0.3.4**. ### Details It seems that the function ```dispatchReadPump``` does not checks the option cli ```-c```, thus allowing anyone to execute arbitrary command through the use of websockets. ### PoC Used **websocat** for the POC: ```bash echo -e '{"type": "command", "content": "id"}' |./websocat 'ws://192.168.1.11:8000/?ws' -t ``` ### Impact The vulnerability will only impacts goshs server on vulnerable versions.