Tag
#auth
### Impact Duplicate logging of the input values in the `fetch:template` action in the Scaffolder meant that some of the secrets were not properly redacted. If you're not passing through `${{ secrets.x }}` to `fetch:template` there is no impact. ### Patches This issue has been resolved in `2.1.1` of the `scaffolder-backend` plugin. ### Workarounds Template Authors can remove the use of `${{ secrets }}` being used as an argument to `fetch:template`. ### References If you have any questions or comments about this advisory: Open an issue in the [Backstage repository](https://github.com/backstage/backstage) Visit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)
Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.
A cybercriminal was found selling scanned IDs that were stolen from guests at Italian hotels on underground forums, warned CERT-AGID.
### Summary Following https://github.com/withastro/astro/security/advisories/GHSA-cq8c-xv66-36gw, there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios. ### Details Astro 5.12.8 fixed a case where `https://example.com//astro.build/press` would redirect to the external origin `//astro.build/press`. However, with the Node deployment adapter in standalone mode and `trailingSlash` set to `"always"` in the Astro configuration, `https://example.com//astro.build/press` still redirects to `//astro.build/press`. ### Proof of Concept 1. Create a new minimal Astro project (`astro@5.12.8`) 2. Configure it to use the Node adapter (`@astrojs/node@9.4.0`) and force trailing slashes: ```js // astro.config.mjs import { defineConfig } from 'astro/config'; import node from '@astrojs/node'; export default defineConfig({ trailingSlash: 'always', adapter: node({ mode: 'standalone' }), }); ``` 3. Build the site by running `astro build`....
National Public Data has changed ownership. Does this mean your personal information has changed hands too?
Thai police arrest SMS Blaster operator in smishing scam and bust crypto laundering gang moving $30M monthly through…
Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.
Cisco has released security updates to address a maximum-severity security flaw in Secure Firewall Management Center (FMC) Software that could allow an attacker to execute arbitrary code on affected systems. The vulnerability, assigned the CVE identifier CVE-2025-20265 (CVSS score: 10.0), affects the RADIUS subsystem implementation that could permit an unauthenticated, remote attacker to inject
For customers who want to step up their defenses against the next cyberattack wave or set of vulnerabilities, Red Hat is pleased to extend Technical Account Management (TAM) services by adding Technical Account Management Service for Product Security.Many Red Hat customers are familiar with TAM services. TAMs offer deep technical knowledge in their areas of specialty and act as trusted customer technical advisors. They develop personal relationships with customers to proactively drive the best possible product experience. Red Hat TAMs also advocate for customers with Red Hat product managers
You probably can't break FIDO authentication. Still, researchers have shown that there are ways to get around it.