Tag
#intel
### Impact The WP Crontrol plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the `wp_remote_request()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. It is not possible for a user without Administrator level access to exploit this weakness. It is not possible for an Administrator performing an attack to see the HTTP response to the request to their chosen URL, nor is it possible for them to time the response. ### Patches WP Crontrol version 1.19.2 makes the following changes to harden the URL cron event feature: * URLs are now validated for safety with the `wp_http_validate_url()` function upon saving. The user is informed if they save a cron event containing a URL that is not considered safe, and the HTTP request will ...
Startups are ready to bring AI powered toys to the market as an alternative for screen time. But is that really progress?
The U.K. government has apparently abandoned its plans to force Apple to weaken encryption protections and include a backdoor that would have enabled access to the protected data of U.S. citizens. U.S. Director of National Intelligence (DNI) Tulsi Gabbard, in a statement posted on X, said the U.S. government had been working with its partners with the U.K. over the past few months to ensure that
Get an inside look at how JJ Cummings helped build and lead one of Cisco Talos’ most impactful security teams, and discover what drives him to stay at the forefront of threat intelligence.
A cyberattack on Manpower’s Michigan office compromised data for 144,000 people. Meanwhile, Workday reveals a data breach in…
CloudSEK uncovered a Pakistan-based family cybercrime network that spread infostealers via pirated software, netting $4.67M and millions of…
Plus: ICE agents accidentally add a random person to a sensitive group chat, Norwegian intelligence blames the Kremlin for hacking a dam, and new facial recognition vans roam the UK.
### Impact Duplicate logging of the input values in the `fetch:template` action in the Scaffolder meant that some of the secrets were not properly redacted. If you're not passing through `${{ secrets.x }}` to `fetch:template` there is no impact. ### Patches This issue has been resolved in `2.1.1` of the `scaffolder-backend` plugin. ### Workarounds Template Authors can remove the use of `${{ secrets }}` being used as an argument to `fetch:template`. ### References If you have any questions or comments about this advisory: Open an issue in the [Backstage repository](https://github.com/backstage/backstage) Visit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)
Cybercriminal groups peddling sophisticated phishing kits that convert stolen card data into mobile wallets have recently shifted their focus to targeting customers of brokerage services, new research shows. Undeterred by security controls at these trading platforms that block users from wiring funds directly out of accounts, the phishers have pivoted to using multiple compromised brokerage accounts in unison to manipulate the prices of foreign stocks.
NIST has released a concept paper for new control overlays to secure AI systems, built on the SP…