Aggregator

A vulnerability classified as problematic was found in SolidInvoice up to 2.4.0. This issue affects some unknown processing of the file /invoice of the component Invoice Creation Module. The manipulation of the argument Client Name results in cross site scripting. This vulnerability is cataloged as CVE-2025-9168. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as problematic has been found in Mozilla Firefox up to 140 on Android. Impacted is an unknown function of the component blob URL Handler. Performing manipulation results in improper restriction of rendered ui layers. This vulnerability is known as CVE-2025-8364. Remote exploitation of the attack is possible. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability has been found in Mozilla Firefox up to 140 on Android and classified as problematic. This issue affects some unknown processing of the component Address Bar. The manipulation leads to clickjacking. This vulnerability is uniquely identified as CVE-2025-8041. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded.

A vulnerability was found in Mozilla Firefox up to 140 on Android and classified as critical. Impacted is an unknown function of the component iFrame Handler. The manipulation results in improper access controls. This vulnerability was named CVE-2025-8042. The attack may be performed from a remote location. There is no available exploit. It is suggested to upgrade the affected component.

Google Chrome 139 addressed a high-severity V8 flaw, tracked as CVE-2025-9132, found by Big Sleep AI Google Chrome 139 addressed a high-severity vulnerability, tracked as CVE-2025-9132, in its open source high-performance JavaScript and WebAssembly engine V8. The vulnerability is an out-of-bounds write issue in the V8 JavaScript engine that was discovered by Big Sleep AI. […]

A critical remote code execution (RCE) vulnerability in CodeRabbit’s production infrastructure that provided unauthorized access to over one million code repositories, including private ones.  The vulnerability, discovered in December 2024 and responsibly disclosed in January 2025, exploited the platform’s static analysis tool integration to leak sensitive API credentials and gain write access to GitHub repositories […]

The post CodeRabbit’s Production Servers RCE Vulnerability Enables Write Access on 1M Repositories appeared first on Cyber Security News.

The majority of events globally are caused by phishing, which continues to be the most common vector for cyberattacks in the constantly changing world of cyber threats. The proliferation of affordable Phishing-as-a-Service (PhaaS) platforms such as Tycoon2FA, EvilProxy, and Sneaky2FA has exacerbated this issue, enabling even novice attackers to deploy sophisticated campaigns. These services are […]

The post New Salty 2FA PhaaS Platform Targets Microsoft 365 Users to Steal Login Credentials appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

A vulnerability was found in ThinkInAIXYZ deepchat up to 0.3.0. It has been classified as critical. This affects an unknown function of the component URL Handler. This manipulation causes code injection. This vulnerability is tracked as CVE-2025-55733. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is recommended.

A vulnerability was found in LogicData eCommerce Framework 5.0.9.7000. It has been rated as critical. Affected is an unknown function of the component Content Explorer Feature. Performing manipulation results in unrestricted upload. This vulnerability is cataloged as CVE-2025-52337. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Cicool 3.4.4 and classified as critical. This affects an unknown part of the file /administrator/auth/reset_password. Executing manipulation can lead to weak password recovery. The identification of this vulnerability is CVE-2025-51543. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability described as critical has been identified in Mozilla Firefox up to 140 on iOS. The impacted element is an unknown function of the component iFrame Handler. Executing manipulation can lead to improper access controls. This vulnerability appears as CVE-2025-54143. The attack may be performed from a remote location. There is no available exploit. Upgrading the affected component is recommended.

A vulnerability classified as critical was found in Mozilla Firefox up to 138. Affected by this issue is the function vpx_codec_enc_init_multi of the component WebRTC. Executing manipulation can lead to memory corruption. This vulnerability is handled as CVE-2025-5262. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is advised.

$22,8 млн превратились в ракетное топливо.

当前网络威胁态势快速演变，高度组织化的恶意攻击者持续发动更具破坏性和复杂性的攻击，而防御方往往准备不足。

Microsoft has resolved a known issue that caused Windows upgrades to fail with 0x8007007F errors on some Windows 11 and Windows Server systems. [...]

BloodHound Attack Research Kit BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on...

The post BARK: BloodHound Attack Research Kit appeared first on Penetration Testing Tools.

Pharmaceutical firm Inotiv says a ransomware attack encrypted systems and data, disrupting operations, according to its SEC filing. U.S. pharmaceutical firm Inotiv reported a ransomware attack that encrypted some systems and data, disrupting business operations. Inotiv is a U.S.-based pharmaceutical research and contract research organization (CRO). It provides nonclinical and analytical drug discovery and development […]

Исследование показало неожиданные лазейки в «песочнице» Chrome.

A Chrome VPN extension with over 100,000 installations and verified badge status has been discovered operating as sophisticated spyware, continuously capturing user screenshots and exfiltrating sensitive data without consent. The extension, known as FreeVPN.One, masqueraded as a legitimate privacy tool while secretly implementing comprehensive surveillance capabilities that directly contradict its stated privacy promises. The malicious […]

The post Legitimate Chrome VPN With 100,000+ Installs Silently Captures Screenshots and Exfiltrate Sensitive Data appeared first on Cyber Security News.

Compromising an organization’s cloud infrastructure is like sitting on a gold mine for attackers. And sometimes, a simple misconfiguration or a vulnerability in web applications, is all an attacker needs to compromise the entire...

The post AWSGoat: Damn Vulnerable AWS Infrastructure appeared first on Penetration Testing Tools.