Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Court Dismisses Criminal Charges Against VPN Executive, Affirms No-Log Policy

Toronto, Canada, 28th April 2025, CyberNewsWire

HackRead
Open in Source
#auth
Employee monitoring app exposes users, leaks 21+ million screenshots

WorkComposer, an employee monitoring app, has leaked millions of screenshots through an unprotected AWS S3 bucket.

JokerOTP Dismantled After 28,000 Phishing Attacks, 2 Arrested

JokerOTP dismantled after 28,000 phishing attacks across 13 countries; UK and Dutch police arrest two suspects linked to £7.5M cyber fraud.

Car Subscription Features Raise Your Risk of Government Surveillance, Police Records Show

Records reviewed by WIRED show law enforcement agencies are eager to take advantage of the data trails generated by a flood of new internet-connected vehicle features.

IR Trends Q1 2025: Phishing soars as identity-based attacks persist

This quarter, phishing attacks surged as the primary method for initial access. Learn how you can detect and prevent pre-ransomware attacks.

Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised

Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities - CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP

GHSA-mvwq-hcrj-f5x9: Apereo CAS has inefficient regular expression complexity

A vulnerability was found in Apereo CAS 5.2.6. It has been declared as problematic. This vulnerability affects unknown code of the file cas-5.2.6\core\cas-server-core-configuration-metadata-repository\src\main\java\org\apereo\cas\metadata\rest\CasConfigurationMetadataServerController.java. The manipulation of the argument Name leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

GHSA-37pq-893f-g7q5: Apereo CAS code injection vulnerability

A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

GHSA-7mpr-5m44-h73r: markdownify allows large headline prefixes such as <h9999999>, which causes memory consumption

python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption.

GHSA-75v8-2h7p-7m2m: Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content

Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.