Security
Headlines
GHSA-vr5f-php7-rg24: Pimcore Admin Classic Bundle allows user enumeration

Description: Pimcore Admin Classic Bundle allows attackers to enumerate valid accounts because the "Forgot password" functionality returns different messages depending on whether the account is valid or not. Details: the error message discloses existing accounts and leads to user enumeration on the target via the "Forgot password" function, since no generic error message is implemented. PoC: First enter a valid account email address and click on submit. A green message confirming that the account exists is shown and a login link is sent to the email. Now go back and use a random email from temp-mail to test with a non-existent account ...

Best Practices for Preparing and Automating Security Questionnaires

Security questionnaires serve as essential tools for building connections and trust in the digital realm. They help in…

Google's DMARC Push Pays Off, but Email Security Challenges Remain

A year after Google and Yahoo started requiring DMARC, the adoption rate of the email authentication specification has doubled; and yet, 87% of domains remain unprotected.

India’s RBI Introduces Exclusive "bank.in" Domain to Combat Digital Banking Fraud

India's central bank, the Reserve Bank of India (RBI), said it's introducing an exclusive "bank.in" internet domain for banks in the country to combat digital financial fraud. "This initiative aims to reduce cyber security threats and malicious activities like phishing; and, streamline secure financial services, thereby enhancing trust in digital banking and payment services," the RBI said in a

Exciting updates to the Copilot (AI) Bounty Program: Enhancing security and incentivizing innovation

At Microsoft, we are committed to fostering a secure and innovative environment for our customers and users. As part of this commitment, we are thrilled to announce significant updates to our Copilot (AI) Bounty Program. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.

Cybercrime Forces Local Law Enforcement to Shift Focus

Local law enforcement needs to steer away from "place-based policing" when investigating cybercrimes.

S. Korea’s Notorious Sex Crime Hub Ya-moon Hacked, User Data Leaked

Ya-moon, S. Korea’s notorious sex crime hub operating since 1990, hacked; user data leaked, exposing CSAM, exploitation, and illicit activities.

Experts Flag Security, Privacy Risks in DeepSeek AI App

New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three "free" downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek's design choices -- such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies -- introduce a number of glaring security and privacy risks.