
Tag

#auth

GHSA-gr7w-hmch-25g7: gifplayer XSS vulnerability

Impact: XSS vulnerability. All versions under 0.3.7 are impacted. Patches: Please upgrade to 0.3.7.

GHSA-hqqc-jr88-p6x2: Netty QUIC hash collision DoS attack

An issue was discovered in the codec. A hash collision vulnerability (in the hash map used to manage connections) allows remote attackers to cause a considerable CPU load on the server (a Hash DoS attack) by initiating connections with colliding Source Connection IDs (SCIDs). See https://github.com/ncc-pbottine/QUIC-Hash-Dos-Advisory

Cybersecurity Professor Mysteriously Disappears as FBI Raids His Homes

Xiaofeng Wang, a longtime computer science professor at Indiana University, has disappeared along with his wife, and their profiles on the school's website were wiped ahead of recent FBI raids.

GHSA-67r5-rqwv-9p9q: array-init-cursor is unsound when used with types that implement `Drop`

The `Drop` implementation will get run twice when using the cursor. This issue does not affect you if you are only using the crate with types that are `Copy`, such as `u8`. This issue also does not affect you if you are only depending on it through the crate `planus`.

Ksenia Security Lares 4.0 Home Automation PIN Logic Flaw

The Ksenia home automation and burglar alarm system has a security flaw where the PIN required to disable the alarm is exposed in the 'basisInfo' XML file after initial authentication, allowing attackers who gain access to this file to bypass security measures. This design flaw enables unauthorized individuals to both disable the alarm system and manipulate smart home devices by simply retrieving the PIN from the server response, effectively rendering the security system useless since the supposedly secret PIN is easily obtainable once an attacker reaches the authenticated state. The system should never expose sensitive codes in API responses and should implement proper multi-factor authentication for critical functions like alarm deactivation.

Ksenia Security Lares 4.0 Home Automation Remote Code Execution

The device provides access to an unprotected endpoint, enabling the upload of MPFS File System binary images. Authenticated attackers can exploit this vulnerability to overwrite the flash program memory containing the web server's main interfaces, potentially leading to arbitrary code execution.

Ksenia Security Lares 4.0 Home Automation URL Redirection

Input passed via the 'redirectPage' GET parameter in the 'cmdOk.xml' script is not properly verified before being used to redirect users. This can be exploited to redirect an authenticating user to an arbitrary website, e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

Beers with Talos: Year in Review episode

In this podcast, Joe, Hazel, Bill and Dave break down Talos' Year in Review 2024 and discuss how and why cybercriminals have been leaning so heavily on attacks that are rooted in stealth and simplicity.

Available now: 2024 Year in Review

Download Talos' 2024 Year in Review now, and access key insights on the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks.

Why we’re no longer doing April Fools’ Day 

The internet is filled with falsehoods. We’re forever investigating new scams here at Malwarebytes, and it’s so hard to know what—or...