#auth

### Impact Any deployment of voilà dashboard allow local file inclusion, that is to say any file on a filesystem that is readable by the user that runs the voilà dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how voilà is deployed. ### Patches This is patched in 0.2.17+, 0.3.8+, 0.4.4+, 0.5.6+ ### Workarounds None. ### References CWE-73: External Control of File Name or Path ### Original report I have found a local file inclusion vulnerability in one of your subprojects, voila (https://github.com/voila-dashboards/voila). The vulnerability exists in the "/static" Route, and can be exploited by simply making a request such as this: ``` $ curl localhost:8866/static/etc/passwd ``` ...or by using a webbrowser to download the file. I dug into the source code, and I think the offending line is here: https://github.com/voila-dashboards/voila/blob/8419cc7d79c0bb1dabfbd9ec49cb957740609d4d/voi...

Working together and integrating cybersecurity as part of our corporate and individual thinking can make life harder for hackers and safer for ourselves.

The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.

Roughly nine years ago, KrebsOnSecurity profiled a Pakistan-based cybercrime group called "The Manipulaters," a sprawling web hosting network of phishing and spam delivery platforms. In January 2024, The Manipulaters pleaded with this author to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

Google on Tuesday said it's piloting a new feature in Chrome called Device Bound Session Credentials (DBSC) to help protect users against session cookie theft by malware. The prototype – currently tested against "some" Google Account users running Chrome Beta – is built with an aim to make it an open web standard, the tech giant's Chromium team said. "By binding authentication sessions to the

What cybersecurity professionals around the world can do to defend against the scourge of online disinformation in this year's election cycle.

An economic success story in Asia, Vietnam is seeing more manufacturing and more business investment. But with that comes a significant uptick in cybercrime as well.

UNAPIMON works by meticulously disabling hooks in Windows APIs for detecting malicious processes.

By Waqas Hackers Find Easy Access to Rooms at Ibis Budget Hotels! This is a post from HackRead.com Read the original post: Vulnerability Exposed Ibis Budget Guest Room Codes to Hackers

Telecommunications giant AT&T has finally confirmed that 73 million current and former customers are caught up in a massive dark web data leak.