#auth

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.2 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Dover Fueling Solutions Equipment: ProGauge MagLink LX consoles Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could result in an attacker gaining control of the monitoring device, manipulating fueling operations, deleting system configurations, or deploying malware. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ProGauge MagLink LX, a fuel and water tank monitor, are affected: ProGauge MagLink LX 4: Versions prior to 4.20.3 ProGauge MagLink LX Plus: Versions prior to 4.20.3 ProGauge MagLink LX Ultimate: Versions prior to 5.20.3 3.2 VULNERABILITY OVERVIEW 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 The device exposes an undocumented and unauthenticated Target Communication Framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentia...

Zoomcar confirms 2025 breach affecting 8.4M users, echoing its 2018 data leak. Personal info exposed, financial data safe, investigation ongoing.

Reddit has announced more AI-powered tools to help advertisers. But do users care for it?

Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution. Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports. The list of vulnerabilities, which are yet to be

A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function create_workflow of the file python_a2a/agent_flow/server/api.py. The manipulation leads to path traversal. Upgrading to version 0.5.6 is able to address this issue. It is recommended to upgrade the affected component.

The shooter allegedly researched several “people search” sites in an attempt to target his victims, highlighting the potential dangers of widely available personal data.

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the `/_next/image` endpoint. This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next. For example: `https://victim-site.com/_next/image?url=https://attacker.com`. In this example, attacker-controlled content from attacker.com is served through the victim site’s domain (`victim-site.com`), violating the same-origin policy and potentially misleading users or other services. ### Impact - SSRF via unrestricted remote URL loading - Arbitrary remote content loading - Potential internal service exposure or phishing risks through domain abuse ### Mitigation The following mitigations have been put in...

### Impact A full technical disclosure and open-source patch will be published after the embargo period, ending on June 30th, to allow all users to upgrade. Teleport security engineers identified a critical security vulnerability that could allow remote authentication bypass of Teleport. Teleport Cloud Infrastructure and CI/CD build, test, and release infrastructure aren’t affected. For the full mitigation, upgrade both Proxy and Teleport agents. It is strongly recommend updating clients to the released patch versions as a precaution. Have questions? - OSS Community: [opensource@goteleport.com](mailto:opensource@goteleport.com) - Legal: [legal@goteleport.com](mailto:legal@goteleport.com) - Security: [security@goteleport.com](mailto:security@goteleport.com) - Customer Support: [goteleport.com/support](https://goteleport.com/support) - Media Inquiries: [teleport@babelpr.com](mailto:teleport@babelpr.com) ### Patches Fixed in versions: 17.5.2, 16.5.12, 15.5.3, 14.4.1, 13.4.27...

This week on the Lock and Code podcast, we revisit a 2024 interview with Dr. Jean Twenge about smartphones and the teen mental health crisis.

### Summary Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of **recursive groups**, **recursive messages** or **a series of [`SGROUP`](https://protobuf.dev/programming-guides/encoding/#groups) tags** can be corrupted by exceeding the Python recursion limit. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team [ecosystem@trailofbits.com](mailto:ecosystem@trailofbits.com) Affected versions: This issue only affects the [pure-Python implementation](https://github.com/protocolbuffers/protobuf/tree/main/python#implementation-backends) of protobuf-python backend. This is the implementation when `PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python` environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default. This is a Python variant of a [previous issue affecting protobuf-java](https://github.com/protocolbuffers/...