CISA Partners With OpenSSF Securing Software Repositories Working Group to Release Principles for Package Repository Security
Today, CISA partnered with the Open Source Security Foundation (OpenSSF) Securing Software Repositories Working Group to publish the Principles for Package Repository Security framework. Recognizing the critical role package repositories play in securing open source software...
Announcing TotalCloud™ 2.0 with TruRisk™ Insights: The Future of Cloud and SaaS Security
Rapid cloud and SaaS adoption is driving digital transformation that's reshaping business agility and scalability, making cloud and SaaS security more critical than ever. Recognizing this shift, in November 2022, Qualys launched TotalCloud, an AI-powered cloud-native application protection platfo...
Security Bulletin: IBM Cognos Analytics is affected but not classified as vulnerable to vulnerabilities in multiple Open Source Software (OSS) components
Summary: IBM Cognos Analytics is affected but not classified as vulnerable, based on current information, to vulnerabilities in multiple Open-Source Software (OSS) packages. These vulnerabilities have been addressed by upgrading to a non-vulnerable version of the OSS package or removing the OSS...
CVE-2024-23054
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution due to a package listed in ++plone++static/components not existing in the public package index (npm)...
CVE-2024-23054
Summary: CVE-2024-23054 affects the Plone Docker Official Image 5.2.13 (5221) where a package listed in ++plone++static/components is not present in the public npm index, enabling remote code execution. Affected software: Plone Docker Official Image 5.2.13 (5221). Root cause: Missing package in t...
EyouCms Security Vulnerability
EyouCms (Eyou CMS) is an open source content management system (CMS) based on ThinkPHP, developed by China Zanzan Network Technology. A security vulnerability exists in EyouCms v1.6.5, which stems from a cross-site scripting flaw that allows remote attackers t...
GLPI Cross-Site Scripting Vulnerability
GLPI is an open source IT and asset management software for individual developers. The software provides a full-featured IT resource management interface that you can use to build databases to fully manage IT computers, monitors, servers, printers, network devices, phones, and even toner cartridg...
PYSEC-2024-127
Label Studio is a popular open source data labeling tool. The vulnerability affects all versions of Label Studio prior to 1.11.0 and was tested on version 1.8.2. Label Studio's SSRF protections, which can be enabled by setting the SSRF_PROTECTION_ENABLED environment variable, can be bypassed to access...
Kap security vulnerability
Kap is an open source screen recorder from Wulkano Open Source. Versions of Kap prior to 3.6.0 contain a security vulnerability that stems from the RunAsNode and EnableNodeCliInspectArguments settings, which allow arbitrary code execution...
CVE-2024-23055
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input from the Host header...
Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package
A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines. The package, named "oscompatible," was published on January 9, 2024, attracting a total of 380 downloads before it was taken down. oscompatible included ...
Fedora: Security Advisory (FEDORA-2024-73d5220ed3)
The remote host is missing an update for the Fedora advisory FEDORA-2024-73d5220ed3. SPDX-FileCopyrightText: 2024 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
CISA, FBI, NSA, and Treasury Release Guidance on OSS in OT/ICS Environments
Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the U.S. Department of the Treasury released guidance on improving the security of open source software (OSS) in operational technology (OT) and industrial control systems (ICS). In alignment with CISA's recently releas...
The vulnerability in open-source software for managing external resources, such as Terraform, arises from improper restriction of a pathname to a restricted directory. This allows attackers to load arbitrary files.
The vulnerability in open-source software for managing external resources, such as Terraform, is related to improper restriction of a pathname to a restricted directory. Exploiting this vulnerability could allow an attacker to load arbitrary files...
Pleasanter Security Vulnerability
Pleasanter is a free OSS no-code/low-code development tool from Pleasanter. A security vulnerability exists in Pleasanter. An attacker can exploit the vulnerability to perform cross-site scripting attacks...
CISA, NSA, and Partners Release New Guidance on Securing the Software Supply Chain
Today, CISA, the National Security Agency (NSA), and partners released Securing the Software Supply Chain: Recommended Practices for Software Bill of Materials Consumption. Developed through the Enduring Security Framework (ESF), this guidance provides software developers and suppliers with industry...
CVE-2023-46725
CVE-2023-46725 affects FoodCoopShop open‑source software. Versions 3.2.0 up to 3.6.0 are vulnerable to server‑side request forgery via the Network module: an attacker with a manufacturer account can abuse the /api/updateProducts.json endpoint to cause the server to proxy requests to an arbitrary ...
Cody security vulnerability
Cody is a free open source AI coding assistant open sourced by Sourcegraph. It can write and fix code, provide AI-generated auto-completion, and answer coding questions. A security vulnerability exists in Cody versions 0.10.0 through 0.14.0 that allows remote code execution...
More helpful resources for users of all skill levels to help you Take a Security Action
Welcome to this week's edition of the Threat Source newsletter. I continue to be saddened by all the conflict in Israel and Gaza that's still ongoing. I'll be back with a "normal" newsletter next week, as unfortunately, there doesn't seem to be a peaceful solution coming any time soon. In the meantim...
GLPI SQL Injection Vulnerability
GLPI is an open source IT and asset management software for individual developers. The software provides a full-featured IT resource management interface that you can use to build databases to fully manage IT computers, monitors, servers, printers, network devices, phones, and even toner cartridg...