Latest News

A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

What happens in the privacy of your own home stays there. Or does it?

The campaign infected devices in the US and Southeast Asia to build an operational relay box (ORB) network for use as an extensive cyber-espionage infrastructure.

Kaspersky uncovers SparkKitty, new spyware in Apple App Store & Google Play. Steals photos, targets crypto info, active since early 2024 via malicious apps.

### Impact Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute force derive a user's password. The vulnerability can be found in the supported Umbraco versions 10 and 13. It was not exposed in Umbraco 7 or 8, nor in 14 or higher versions. ### Patches Patched in 10.8.11 and 13.9.2

### Summary Due to the insufficient patch for the CVE-2024-39931, it's still possible to delete files under the `.git` directory and achieve remote command execution. ### Details In the patch for CVE-2024-39931, the following check is added: https://github.com/gogs/gogs/commit/77a4a945ae9a87f77e392e9066b560edb71b5de9 ```diff + // 🚨 SECURITY: Prevent uploading files into the ".git" directory + if isRepositoryGitPath(opts.TreePath) { + return errors.Errorf("bad tree path %q", opts.TreePath) + } ``` While the above code snippet checks if the specified path is a `.git` directory, there are no checks for symbolic links in the later steps. So, by creating a symbolic link that points to the `.git` directory, an attacker can still delete arbitrary files in the `.git` directory and achieve remote command execution. ### Impact Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by `RUN_USER` in the configuration. It a...

The United States Embassy in India has announced that applicants for F, M, and J nonimmigrant visas should make their social media accounts public. The new guideline seeks to help officials verify the identity and eligibility of applicants under U.S. law. The U.S. Embassy said every visa application review is a "national security decision." "Effective immediately, all individuals applying for an

New CloudSEK findings show Androxgh0st botnet evolving. Academic institutions, including UC San Diego, hit. Discover how this sophisticated…

Kali Linux 2025.1c includes a new signing key to fix update errors, adds new tools, a redesigned menu with MITRE ATT&CK, and major system upgrades.

America's largest steel producer initially disclosed the breach in May and took potentially affected systems offline to investigation the intrusion and contain any malicious activity.