Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Hackers Using Fake IT Support Calls to Breach Corporate Systems, Google

A financially motivated group of hackers known as UNC6040 is using a simple but effective tactic to breach…

HackRead
Open in Source
#vulnerability#google#microsoft#git#intel#auth
Malicious Browser Extensions Infect 722 Users Across Latin America Since Early 2025

Cybersecurity researchers have shed light on a new campaign targeting Brazilian users since the start of 2025 to infect users with a malicious extension for Chromium-based web browsers and siphon user authentication data. "Some of the phishing emails were sent from the servers of compromised companies, increasing the chances of a successful attack," Positive Technologies security researcher

Over 20 Malicious Apps on Google Play Target Users for Seed Phrases

Over 20 malicious apps on Google Play are stealing crypto seed phrases by posing as trusted wallets and exchanges, putting users' funds at risk.

GHSA-h92g-3xc3-ww2r: Skyvern has a Jinja runtime leak

Skyvern through 0.2.0 has a Jinja runtime leak in sdk/workflow/models/block.py.

GHSA-cwwm-hr97-qfxm: SpiceDB checks involving relations with caveats can result in no permission when permission is expected

### Impact On schemas involving arrows with caveats on the arrow’ed relation, when the path to resolve a CheckPermission request involves the evaluation of multiple caveated branches, requests may return a negative response when a positive response is expected. For example, given this schema: ``` definition user {} definition office { relation parent: office relation manager: user permission read = manager + parent->read } definition group { relation parent: office permission read = parent->read } definition document { relation owner: group with equals permission read = owner->read } caveat equals(actual string, required string) { actual == required } ``` and these relationships: ``` office:headoffice#manager@user:maria office:branch1#parent@office:headoffice group:admins#parent@office:branch1 group:managers#parent@office:headoffice document:budget#owner@group:admins[equals:{"required":"admin"}] document:budget#owner@group:managers[equals:{"required":"manager"}] ``` P...

GHSA-cvx7-x8pj-x2gw: CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification

### Summary A **Denial of Service (DoS)** vulnerability was discovered in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) crash — especially in containerized or memory-constrained environments. ### Impact - **Component**: `server_quic.go` - **Attack Vector**: Remote, network-based - **Attack Complexity**: Low - **Privileges Required**: None - **User Interaction**: None - **Impact**: High availability loss (OOM kill or unresponsiveness) This issue affects deployments with `quic://` enabled in the Corefile. A single attacker can cause the CoreDNS instance to become unresponsive using minimal bandwidth and CPU. ### Patches The patch introduces two key mitigation m...

GHSA-qx7g-fx8q-545g: Para Inserts Sensitive Information into Log File for Facebook authentication

CWE ID: CWE-532 (Insertion of Sensitive Information into Log File) CVSS: 6.2 (Medium) Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N **Affected Component:** Facebook Authentication Logging **Version:** Para v1.50.6 **File Path:** para-1.50.6/para-server/src/main/java/com/erudika/para/server/security/filters/FacebookAuthFilter.java **Vulnerable Line(s):** Line 184 (logger.warn(...) with raw access token) Technical Details: The vulnerability is located in FacebookAuthFilter.java, where a failed request to Facebook’s user profile endpoint triggers the following log statement: ```java logger.warn("Facebook auth request failed: GET " + PROFILE_URL + accessToken, e);` ``` Here, `PROFILE_URL` is a constant: ```java private static final String PROFILE_URL = "https://graph.facebook.com/me?fields=name,email,picture.width(400).type(square).height(400)&access_token="; ``` This results in the full request URL being logged, including the user's access token in plain text. Since WARN-level ...

GHSA-jq8x-v7jw-v675: Duplicate Advisory: users may append `root` to group listings

### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-m65q-v92h-cm7q. This link is maintained to preserve external references. ### Original Description A flaw was found in the user's crate for Rust. This vulnerability allows privilege escalation via incorrect group listing when a user or process has fewer than exactly 1024 groups, leading to the erroneous inclusion of the root group in the access list.

GHSA-62gc-8jr5-x9pm: Apache InLong Deserialization of Untrusted Data Vulnerability

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.13.0 before 2.1.0, this issue would allow an authenticated attacker to read arbitrary files by double writing the param. Users are recommended to upgrade to version 2.1.0, which fixes the issue.

GHSA-gw97-cqwg-xmh4: Jenkins Gatling Plugin Vulnerable to Cross-Site Scripting (XSS)

Jenkins Gatling Plugin 136.vb_9009b_3d33a_e serves Gatling reports in a manner that bypasses the Content-Security-Policy protection introduced in Jenkins 1.641 and 1.625, resulting in a cross-site scripting (XSS) vulnerability exploitable by users able to change report content.