Security
Headlines
HeadlinesLatestCVEs

Tag

#ssl

The School Shootings Were Fake. The Terror Was Real

The inside story of the teenager whose “swatting” calls sent armed police racing into hundreds of schools nationwide—and the private detective who tracked him down.

Wired
Open in Source
#vulnerability#web#mac#windows#google#git#acer#sap#ssl
New PayPal Phishing Scam Exploits MS365 Tools and Genuine-Looking Emails

Fortinet uncovers a new PayPal phishing scam exploiting legitimate platform features. Learn how this sophisticated attack works and how to protect yourself from falling victim.

Millions of Email Servers Exposed Due to Missing TLS Encryption

Millions of email servers worldwide remain alarmingly vulnerable to cyberattacks due to a critical security oversight: the absence of Transport Layer Security (TLS) encryption.

New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.

EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

The malware, operated by China-backed cyberattackers, has been significantly fortified with new evasive and post-infection capabilities.

GHSA-237r-r8m4-4q88: Guzzle OAuth Subscriber has insufficient nonce entropy

### Impact Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used. ### Patches Upgrade to version 0.8.1 or higher. ### Workarounds No. ### References Issue is similar to https://nvd.nist.gov/vuln/detail/CVE-2025-22376.

Is nowhere safe from AI slop? (Lock and Code S05E27)

This week on the Lock and Code podcast, we speak with Anna Brading and Mark Stockley about whether anywhere is safe from AI slop.

GHSA-4fwj-m62q-pp47: Password Pusher Allows Session Token Interception Leading to Potential Hijacking

### Impact A vulnerability has been reported in Password Pusher where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is replaced and invalidated upon logout, if an attacker manages to capture the session cookie before this process, they can use the token to gain unauthorized access to the user's session until the token expires or is manually cleared. This vulnerability hinges on the attacker's ability to access the session cookie during an active session, either through a man-in-the-middle attack, by exploiting another vulnerability like XSS, or via direct access to the victim's device. ### Patches Although there is no direct resolution to this vulnerability, it is recommended to always use the latest version of Password Pusher to best mitigate risk. ### Workarounds If self-hosting, ensure Password Pusher is hosted exclusively over SSL connections to encrypt traffic and prevent session cookies fr...

GHSA-9mgx-552f-59p6: TCPDF missing certificate validation

An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.

The Worst Hacks of 2024

From Chinese cyberspies breaching US telecoms to ruthless ransomware gangs disrupting health care for millions of people, 2024 saw some of the worst hacks, breaches, and data leaks ever.