Tag: open-source
-
SessionReaper Vulnerability Puts Magento Adobe Commerce Sites in Hacker Crosshairs
Adobe has broken its regular patch schedule to address CVE-2025-54236, a critical vulnerability in Magento Commerce and open-source Magento installations. Dubbed “SessionReaper,” this vulnerability allows attackers to bypass input validation in the Magento Web API, enabling automated account takeover, data theft, and fraudulent orders without requiring valid session tokens. Adobe will release an emergency fix…
-
71% of CISOs hit with third-party security incident this year
Tags: access, ai, application-security, attack, backdoor, breach, ceo, cisa, ciso, cloud, compliance, control, credentials, cyber, cybersecurity, data, defense, exploit, incident response, intelligence, malicious, malware, open-source, penetration-testing, phishing, programming, pypi, resilience, risk, risk-management, sbom, security-incident, service, software, startup, supply-chain, threat, tool
Software supply chain threats: The software supply chain is heavily reliant on code developed by third-party developers, something only likely to increase with the advent of AI. Brian Fox, co-founder and CTO of open-source software security vendor Sonatype, says that “enormously complex” software supply chains pose a growing threat. “Too many organizations have no idea what open-source…
-
privacyIDEA in practice: how MFA works with open source
First seen on security-insider.de Jump to article: www.security-insider.de/workshop-reihe-zweifaktor-authentifizierung-privacyidea-a-8ba2b7f4b61ba004ae6ee4517f620457/
-
Argo CD Security Flaw Rated 9.8 Leaves GitOps Repositories Exposed
Tags: api, cloud, credentials, cve, cvss, data-breach, flaw, kubernetes, open-source, password, tool, vulnerability
A security flaw in Argo CD, the popular open-source GitOps tool for Kubernetes, has put the DevOps and cloud-native communities on alert. Tracked as CVE-2025-55190, the vulnerability has been rated critical with a CVSS score of 9.8 out of 10, as it allows attackers to retrieve sensitive repository credentials, including usernames and passwords, through a…
-
InterceptSuite: Open-source network traffic interception tool
InterceptSuite is an open-source, cross-platform network traffic interception tool designed for TLS/SSL inspection, analysis, and manipulation at the network level. … First seen on helpnetsecurity.com Jump to article: www.helpnetsecurity.com/2025/09/08/interceptsuite-open-source-network-traffic-interception-tool/
-
Critical Argo CD API Flaw Exposes Repository Credentials to Attackers
A major security flaw has been discovered in Argo CD, a popular open-source tool used for Kubernetes GitOps deployments. The vulnerability allows project-level API tokens to expose sensitive repository credentials, such as usernames and passwords, to attackers. The issue has been classified as critical with a CVSS score of 9.8/10 and is tracked as CVE-2025-55190. The…
-
6 Open-Source Vulnerability Scanners That Actually Work
Open-source vulnerability scanners identify security vulnerabilities in apps, networks, and systems. Compare features and functionalities with our guide. First seen on esecurityplanet.com Jump to article: www.esecurityplanet.com/networks/open-source-vulnerability-scanners/
-
Microsoft open-sources the 6502 BASIC coded by Bill Gates himself
GOTO 1976 First seen on theregister.com Jump to article: www.theregister.com/2025/09/04/microsoft_open_sources_6502_basic/
-
Security vulnerability in the Tesla open-source app TeslaMate can expose user data
A security researcher from Turkey using the alias @Sword_Sec took a closer look at the open-source app TeslaMate (the app has nothing to do with Tesla itself, but is used by Tesla fans for logging). According to Kılıç's investigation, the sensitive data of … First seen on borncity.com Jump to article: www.borncity.com/blog/2025/09/03/sicherheitsluecke-bei-tesla-open-source-appteslamate-kann-benutzerdaten-offen-legen/
-
Malicious npm packages use Ethereum blockchain for malware delivery
Tags: attack, blockchain, crypto, github, infrastructure, malicious, malware, open-source, software, supply-chain
colortoolsv2 and mimelib2 that used Ethereum smart contracts for malware delivery in July. But not much effort was put into making those packages look legitimate and attractive for developers to include in their projects, which is usually the goal of supply chain attacks with rogue npm packages. The colortoolsv2 package, and the mimelib2 one that later…
-
Namespace Reuse Vulnerability Exposes AI Platforms to Remote Code Execution
A newly discovered vulnerability in the AI supply chain, termed “Model Namespace Reuse”, permits attackers to achieve Remote Code Execution (RCE) across major AI platforms, including Microsoft Azure AI Foundry, Google Vertex AI, and thousands of open-source projects. By re-registering abandoned or deleted model namespaces on Hugging Face, malicious actors can trick pipelines that fetch…
-
Apache DolphinScheduler Vulnerability Patched, Update Immediately
A low-severity security issue in Apache DolphinScheduler has been addressed in the latest release. Identified as CVE-2024-43166 and classified under CWE-276: Incorrect Default Permissions, this vulnerability affects all DolphinScheduler versions prior to 3.2.2. Users are strongly advised to upgrade to version 3.3.1 as soon as possible to mitigate potential risks. Apache DolphinScheduler is an open-source,…
-
Security vulnerability in the open-source shop software <>
A critical security vulnerability has been discovered in the popular open-source shop software (up to and including version 4.60.4) that allows an attacker to redeem a gift card multiple times using a technique called a “single-packet attack”. Carried out correctly, attackers can obtain items free of charge. The vulnerability was identified by security researchers at Outpost24 and concerns the parallel processing of requests on websites that […]…
-
MobSF Vulnerability Allows Attackers to Upload Malicious Files
Tags: application-security, cyber, exploit, flaw, framework, malicious, mobile, open-source, vulnerability
Critical security flaws discovered in Mobile Security Framework (MobSF) version 4.4.0 enable authenticated attackers to exploit path traversal and arbitrary file write vulnerabilities, potentially compromising system integrity and exposing sensitive data. Two significant vulnerabilities have been identified in the popular Mobile Security Framework (MobSF), a widely used open-source mobile application security testing platform. The flaws, tracked…
-
Agentic AI: A CISO’s security nightmare in the making?
Tags: access, ai, antivirus, api, attack, automation, ciso, compliance, cybersecurity, data, defense, detection, email, endpoint, exploit, framework, governance, law, leak, malicious, malware, open-source, privacy, risk, service, strategy, supply-chain, tool, vulnerability
Free agents: Autonomy breeds increased risks: Agentic AI introduces the ability to make independent decisions and act without human oversight. This capability presents its own cybersecurity risk by potentially leaving organizations vulnerable. “Agentic AI systems are goal-driven and capable of making decisions without direct human approval,” Joyce says. “When objectives are poorly scoped or ambiguous, agents…
-
8 malicious open-source packages targeting Windows user data
JFrog, the liquid software company, announces the discovery of eight malicious packages published on npm, one of the world's largest repositories for open-source JavaScript components. The packages, including react-sxt (version 2.4.1), react-typex (version 0.1.0) and react-native-control (version 2.4.1), were uploaded by malicious npm users. They contained sophisticated multi-layer obfuscation with over 70 layers of hidden code, which allowed attackers to…
-
Critical ImageMagick Vulnerability Allows Remote Code Execution
A critical security vulnerability has been discovered in ImageMagick, the widely used open-source image processing software, that could allow attackers to execute arbitrary code remotely. The vulnerability, tracked as CVE-2025-57803 with a severity score of 9.8 out of 10, affects 32-bit builds of ImageMagick versions before 7.1.2-2 and 6.9.13-28. Vulnerability details: The security flaw stems from a 32-bit…
-
Attackers Abuse Velociraptor Forensic Tool to Deploy Visual Studio Code for C2 Tunneling
Tags: attack, cyber, cybersecurity, endpoint, malicious, monitoring, open-source, software, threat, tool
Cybersecurity researchers have called attention to a cyber attack in which unknown threat actors deployed an open-source endpoint monitoring and digital forensic tool called Velociraptor, illustrating ongoing abuse of legitimate software for malicious purposes. “In this incident, the threat actor used the tool to download and execute Visual Studio Code with the likely intention of creating…
-
Experts warn of actively exploited FreePBX zero-day
Sangoma warns of an actively exploited FreePBX zero-day affecting systems with publicly exposed admin control panels. The Sangoma FreePBX Security Team addressed an actively exploited FreePBX zero-day vulnerability, tracked as CVE-2025-57819 (CVSS score of 10.0), impacting systems with an internet-facing administrator control panel (ACP). FreePBX is an open-source telephony software platform that provides a web-based graphical…
-
FreePBX Servers Targeted by Zero-Day Flaw, Emergency Patch Now Available
Tags: advisory, control, data-breach, exploit, flaw, open-source, service, update, vulnerability, zero-day
The Sangoma FreePBX Security Team has issued an advisory warning about an actively exploited FreePBX zero-day vulnerability that impacts systems with an administrator control panel (ACP) exposed to the public internet. FreePBX is an open-source private branch exchange (PBX) platform widely used by businesses, call centers, and service providers to manage voice communications. It's built on…
-
Forensic tool Velociraptor abused for ransomware attack
Criminals have abused the open-source forensic tool Velociraptor for a ransomware attack. According to its own account, the Counter Threat Unit (CTU) team at Sophos was able to stop the attack in time, before major damage was done. First seen on it-daily.net Jump to article: www.it-daily.net/it-sicherheit/cybercrime/velociraptor-ransomware-angriff
-
Attackers abuse forensic tool for ransomware attempt
The Counter Threat Unit (CTU) team at Sophos has thwarted a cyberattack in which criminals abused Velociraptor, a legitimate open-source program for digital forensics. Instead of using it for security analysis as intended, the perpetrators used the tool to gain covert access to a corporate network and download further malware. The goal was apparently a ransomware attack. Here is how…