Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-vj7w-3m8c-6vpx: SFTPGo has insufficient sanitization of user provided rsync command

### Impact SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`: it is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. ### Patches This issue was fixed in version v2.6.5 by checking the client provided arguments. https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1

ghsa
Open in Source
#git#auth#ssh
GHSA-vr5f-php7-rg24: Pimcore Admin Classic Bundle allows user enumeration

Description Summary Pimcore Admin Classic Bundle allows attackers to enumerate valid accounts because the Forgot password functionality uses different messages when the account is valid vs not. Details -> error message discloses existing accounts and leads to user enumeration on the target via "Forgot password" function. since no generic error message is being implemented. PoC ![image](https://github.com/user-attachments/assets/866e4cd1-25b2-4ed8-8292-6c528ae660d5) Enter first a valid account email address and click on submit ![image](https://github.com/user-attachments/assets/7aaa1723-b0f9-4a76-b943-e1b01d1f37a9) A green message validating the account exists is shown and a login link is sent to the email ![image](https://github.com/user-attachments/assets/7adb1f05-7339-4265-95c9-4d4817d4a6a1) now go back and use a random email from temp-mail to test with a non existant account ![image](https://github.com/user-attachments/assets/5ce0bb53-16c3-4f34-9541-9e01b49c7472) ![image]...

Best Practices for Preparing and Automating Security Questionnaires

Security questionnaires serve as essential tools for building connections and trust in the digital realm. They help in…

Google's DMARC Push Pays Off, but Email Security Challenges Remain

A year after Google and Yahoo started requiring DMARC, the adoption rate of the email authentication specification has doubled; and yet, 87% of domains remain unprotected.

India’s RBI Introduces Exclusive "bank.in" Domain to Combat Digital Banking Fraud

India's central bank, the Reserve Bank of India (RBI), said it's introducing an exclusive "bank.in" internet domain for banks in the country to combat digital financial fraud. "This initiative aims to reduce cyber security threats and malicious activities like phishing; and, streamline secure financial services, thereby enhancing trust in digital banking and payment services," the RBI said in a

Exciting updates to the Copilot (AI) Bounty Program: Enhancing security and incentivizing innovation

At Microsoft, we are committed to fostering a secure and innovative environment for our customers and users. As part of this commitment, we are thrilled to announce significant updates to our Copilot (AI) Bounty Program. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.

Cybercrime Forces Local Law Enforcement to Shift Focus

Local law enforcements need to steer away from "place-based policing" when investigating cybercrimes.

S. Korea’s Notorious Sex Crime Hub Ya-moon Hacked, User Data Leaked

Ya-moon, S. Korea’s notorious sex crime hub operating since 1990, hacked; user data leaked, exposing CSAM, exploitation, and illicit activities.