Security
Headlines
Tag: #auth

CISA Warns N-able Bugs Under Attack, Patch Now

Two critical N-able vulnerabilities enable local code execution and command injection; they require authentication to exploit, suggesting they wouldn't be seen at the beginning of an exploit chain.

DARKReading
#vulnerability #auth
GHSA-xqrq-4mgf-ff32: Python-Future Module Arbitrary Code Execution via Unintended Import of test.py

A vulnerability in the Python-Future 1.0.0 module allows for arbitrary code execution via the unintended import of a file named test.py. When the module is loaded, it automatically imports test.py, if present in the same directory or in the sys.path. This behavior can be exploited by an attacker who has the ability to write files to the server, allowing the execution of arbitrary code.

Netflix Job Phishing Scam Steals Facebook Login Data

Beware of fake Netflix job offers! A new phishing campaign is targeting job seekers, using fraudulent interviews to…

GHSA-j26p-6wx7-f3pw: Youki: If /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.

### Summary

If `/proc` and `/sys` in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem.

### Details

For security reasons, container creation should be prohibited if `/proc` or `/sys` in the rootfs is a symbolic link. I verified this behavior with `youki`. When `/proc` or `/sys` is a symbolic link, `runc` fails to create the container, whereas `youki` successfully creates it.

These are the fixes related to this issue in `runc`:

* https://github.com/opencontainers/runc/pull/3756
* https://github.com/opencontainers/runc/pull/3773
* https://github.com/opencontainers/runc/blob/main/libcontainer/rootfs_linux.go#L590
* https://github.com/opencontainers/runc/blob/main/tests/integration/mask.bats#L60

### Impact

The following advisories appear to be related to this vulnerability:

* https://github.com/advisories/GHSA-vpvm-3wq2-2wvm
* https://github.com/advisories/GHSA-fh74-hm69-rqjw

Romance scammers in Ghana charged with more than $100 million in theft

Four men from Ghana were extradited for their alleged role in stealing more than $100 million through romance scams and BEC.

GHSA-9g5x-mm39-wg9r: Apache Superset data query improperly discloses database schema information to low-privileged guest user

When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user. This issue affects Apache Superset: before 4.1.3. Users are recommended to upgrade to version 4.1.3, which fixes the issue.

GHSA-mhpq-m962-mg92: Apache Superset allows authenticated users to discover metadata about datasources they don't have permission to access

Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.

GHSA-fj97-2v9x-w5m4: Apache Superset's chart visualization has a stored Cross-Site Scripting (XSS) vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue.

Norway Blames Pro-Russian Hackers for Dam Cyberattack

Norway says pro-Russian hackers breached a dam in Bremanger in April, opening a water valve for 4 hours…

Home Office Phishing Scam Targets UK Visa Sponsorship System

Fake Home Office emails target the UK Visa Sponsorship System, stealing logins to issue fraudulent visas and run…