#mac

### Summary The `ImportIam` admin API validates permissions using **`ExportIAMAction`** instead of **`ImportIAMAction`**, allowing a principal with *export-only* IAM permissions to perform *import* operations. Since importing IAM data performs privileged **write** actions (creating/updating users, groups, policies, and service accounts), this can lead to **unauthorized IAM modification and privilege escalation**. --- ### Details In `ImportIam`, the authorization check is implemented as follows: ```rust validate_admin_request( &req.headers, &cred, owner, false, vec![Action::AdminAction(AdminAction::ExportIAMAction)], ).await?; ``` However, this code resides in the **Import IAM** operation (`struct ImportIam {}`), which performs **state-changing IAM writes**. The expected behavior is to validate against **`AdminAction::ImportIAMAction`** (or an equivalent import-specific admin action), not `ExportIAMAction`. --- ### PoC **Prerequisites** 1. A RustFS deploym...

Two actively exploited flaws—one brand new, one 16 years old—have been added to CISA’s KEV catalog, signaling urgent patching.

A smart toy doesn’t have to be a risky one. Lego’s Smart Bricks add sensors and sound without apps, accounts, or AI. We explain how it works.

The internet never stays quiet. Every week, new hacks, scams, and security problems show up somewhere. This week’s stories show how fast attackers change their tricks, how small mistakes turn into big risks, and how the same old tools keep finding new ways to break in. Read on to catch up before the next wave hits. Honeypot Traps Hackers Hackers Fall for

We unpack a trojanized WinRAR download that was hiding the Winzipper malware behind a real installer.

Cybersecurity researchers have discovered three malicious npm packages that are designed to deliver a previously undocumented malware called NodeCordRAT. The names of the packages, all of which were taken down as of November 2025, are listed below. They were uploaded by a user named "wenmoonx." bitcoin-main-lib (2,300 Downloads) bitcoin-lib-js (193 Downloads) bip40 (970 Downloads) "The

### Summary Miniflux's media proxy endpoint (`GET /proxy/{encodedDigest}/{encodedURL}`) can be abused to perform Server-Side Request Forgery (SSRF). An authenticated user can cause Miniflux to generate a signed proxy URL for attacker-chosen media URLs embedded in feed entry content, including internal addresses (e.g., localhost, private RFC1918 ranges, or link-local metadata endpoints). Requesting the resulting `/proxy/...` URL makes Miniflux fetch and return the internal response. ### Details - **Vulnerable route**: `GET /proxy/{encodedDigest}/{encodedURL}` (accessible without authentication, but requires a server-generated HMAC-signed URL) - **Handler**: `internal/ui/proxy.go` (`(*handler).mediaProxy`) - **Trigger**: entry content is rewritten to proxy media URLs (e.g., `mediaproxy.RewriteDocumentWithAbsoluteProxyURL(...)`), producing signed `/proxy/...` URLs. - **Root cause**: the proxy validates the URL scheme and HMAC signature, but does not restrict target hosts/IPs. As a result...

# RustFS Path Traversal Vulnerability ## Vulnerability Details - **CVE ID**: - **Severity**: Critical (CVSS estimated 9.9) - **Impact**: Arbitrary File Read/Write - **Component**: `/rustfs/rpc/read_file_stream` endpoint - **Root Cause**: Insufficient path validation in `crates/ecstore/src/disk/local.rs:1791` ### Vulnerable Code ```rust // local.rs:1791 - No path sanitization! let file_path = volume_dir.join(Path::new(&path)); // DANGEROUS! check_path_length(file_path.to_string_lossy().to_string().as_str())?; // Only checks length let mut f = self.open_file(file_path, O_RDONLY, volume_dir).await?; ``` The code uses `PathBuf::join()` without: - Canonicalization - Path boundary validation - Protection against `../` sequences - Protection against absolute paths ## Proof of Concept ### Test Environment - **Target**: RustFS v0.0.5 (Docker container) - **Endpoint**: `http://localhost:9000/rustfs/rpc/read_file_stream` - **RPC Secret**: `rustfsadmin` (from RUSTFS_SECRET_KEY) - **Disk I...

A cybercrime gang known as Black Cat has been attributed to a search engine optimization (SEO) poisoning campaign that employs fraudulent sites advertising popular software to trick users into downloading a backdoor capable of stealing sensitive data. According to a report published by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) and

What happens under the hood of Cisco's security portfolio? Our reputation and detection services apply Talos' real-time intelligence to detect and block threats. Here's how.