Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

HYSCALE System 1.9 Add Administrator / Cross Site Request Forgery

HYSCALE System version 1.9 suffers from add administrator and cross site request forgery vulnerabilities.

Packet Storm
Open in Source
#csrf#vulnerability#windows#google#php#auth#firefox
Furniture Master 2 SQL Injection

Furniture Master version 2 suffers from a remote SQL injection vulnerability.

Food Ordering And Table Reservation System For Restaurants 1.0 Insecure Settings

Food Ordering and Table Reservation System for Restaurants version 1.0 suffers from an ignored default credential vulnerability.

Beauty Parlour And Saloon Management System 1.1 Insecure Settings

Beauty Parlour and Saloon Management System version 1.1 suffers from an ignored default credential vulnerability.

North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN. The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is

Did a Chinese University Hacking Competition Target a Real Victim?

Participants in a hacking competition with ties to China’s military were, unusually, required to keep their activities secret, but security researchers say the mystery only gets stranger from there.

As Geopolitical Tensions Mount, Iran's Cyber Operations Grow

Increasing attacks by the OilRig/APT34 group linked to Iran's Ministry of Intelligence and Security show that the nation's capabilities are growing, and targeting regional allies and enemies alike.

Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution

Broadcom on Tuesday released updates to address a critical security flaw impacting VMware vCenter Server that could pave the way for remote code execution. The vulnerability, tracked as CVE-2024-38812 (CVSS score: 9.8), has been described as a heap-overflow vulnerability in the DCE/RPC protocol. "A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a

GHSA-gc7q-jgjv-vjr2: Keycloak Services has a potential bypass of brute force protection

If an attacker launches many login attempts in parallel then the attacker can have more guesses at a password than the brute force protection configuration permits. This is due to the brute force check occurring before the brute force protector has locked the user. **Acknowledgements:** Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project.

GHSA-gp8f-8m3g-qvj9: Next.js Cache Poisoning

### Impact By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a `Cache-Control: s-maxage=1, stale-while-revalidate` header which some upstream CDNs may cache as well. To be potentially affected all of the following must apply: - Next.js between 13.5.1 and 14.2.9 - Using pages router - Using non-dynamic server-side rendered routes e.g. `pages/dashboard.tsx` not `pages/blog/[slug].tsx` The below configurations are unaffected: - Deployments using only app router - Deployments on [Vercel](https://vercel.com/) are not affected ### Patches This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not. ### Workarounds There are no official or recommended work...