Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

How To Create a Complete GitHub Backup

The issue of GitHub data protection is increasingly discussed among developers on platforms like Reddit, X, and HackerNews.…

HackRead
Open in Source
#sql#vulnerability#web#ios#mac#google#microsoft#git#auth#ssh#bitbucket
GHSA-p3vf-v8qc-cwcr: DOMPurify vulnerable to tampering by prototype polution

dompurify was vulnerable to prototype pollution Fixed by https://github.com/cure53/DOMPurify/commit/d1dd0374caef2b4c56c3bd09fe1988c3479166dc

LottieFiles Issues Warning About Compromised "lottie-player" npm Package

LottieFiles has revealed that its npm package "lottie-player" was compromised as part of a supply chain attack, prompting it to release an updated version of the library. "On October 30th ~6:20 PM UTC - LottieFiles were notified that our popular open source npm package for the web player @lottiefiles/lottie-player had unauthorized new versions pushed with malicious code," the company said in a

Qualitor 8.24 Server-Side Request Forgery

Qualitor versions 8.24 and below suffer from an unauthenticated server-side request forgery vulnerability.

CyberPanel Command Injection

Proof of concept exploit for a command injection vulnerability in CyberPanel. This vulnerability enables unauthenticated attackers to inject and execute arbitrary commands on vulnerable servers by sending crafted OPTIONS HTTP requests to /dns/getresetstatus and /ftp/getresetstatus endpoints, potentially leading to full system compromise. Versions prior to 1c0c6cb appear to be affected.

Ubuntu Security Notice USN-7084-2

Ubuntu Security Notice 7084-2 - USN-7084-1 fixed vulnerability in urllib3. This update provides the corresponding update for the urllib3 module bundled into pip. It was discovered that urllib3 didn't strip HTTP Proxy-Authorization header on cross-origin redirects. A remote attacker could possibly use this issue to obtain sensitive information.

The Case Against Abandoning CrowdStrike Post-Outage

Knee-jerk reactions to major vendor outages could do more harm than good.

Threat actors use copyright infringement phishing lure to deploy infostealers

Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan.  The decoy email and fake PDF filenames are designed to impersonate a company's legal department, attempting to lure the victim into downloading and executing malware.

China Says Seabed Sentinels Are Spying, After Trump Taps

On the heels of a Chinese APT eavesdropping on phone calls made by Trump and Harris campaign staffers, Beijing says foreign nations have mounted an extensive seafaring espionage effort.

GHSA-2qw8-ppr5-m96c: Apache Lucene.Net.Replicator Deserialization of Untrusted Data vulnerability

Deserialization of Untrusted Data vulnerability in Apache Lucene.Net.Replicator. This issue affects Apache Lucene.NET's Replicator library: from 4.8.0-beta00005 through 4.8.0-beta00016. An attacker that can intercept traffic between a replication client and server, or control the target replication node URL, can provide a specially-crafted JSON response that is deserialized as an attacker-provided exception type. This can result in remote code execution or other potential unauthorized access. Users are recommended to upgrade to version 4.8.0-beta00017, which fixes the issue.