Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Automated Sextortion Spyware Takes Webcam Pics of Victims Watching Porn

A new specimen of “infostealer” malware offers a disturbing feature: It monitors a target's browser for NSFW content, then takes simultaneous screenshots and webcam photos of the victim.

Wired
Open in Source
#web#google#git#botnet
GHSA-m63c-3rmg-r2cf: XWiki configuration files can be accessed through jsx and sx endpoints

### Impact It's possible to get access and read configuration files by using URLs such as `http://localhost:8080/bin/ssx/Main/WebHome?resource=../../WEB-INF/xwiki.cfg&minify=false`. This can apparently be reproduced on Tomcat instances. ### Patches This has been patched in 17.4.0-rc-1, 16.10.7. ### Workarounds There is no known workaround, other than upgrading XWiki. ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org) ### Attribution The vulnerability was reported by Gregor Neumann.

GHSA-qww7-89xh-x7m7: XWiki configuration files can be accessed through the webjars API

### Impact It's possible to get access and read configuration files by using URLs such as `http://localhost:8080/xwiki/webjars/wiki%3Axwiki/..%2F..%2F..%2F..%2F..%2FWEB-INF%2Fxwiki.cfg`. The trick here is to encode the / which is decoded when parsing the URL segment, but not re-encoded when assembling the file path. ### Patches This has been patched in 17.4.0-rc-1, 16.10.7. ### Workarounds There is no known workaround, other than upgrading XWiki. ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

Cloudflare Mitigates Largest Ever Recorded DDoS Attack at 11.5 Tbps

Cloudflare mitigated the largest DDoS attack ever recorded, an 11.5 Tbps flood that lasted 35 seconds without disrupting…

Governance-Driven Automation: How Flowable Is Redefining Digital Process Management

A newly published independent research report highlights Flowable’s rise in the digital process automation market. Built on open-source…

Threat Actors Weaponize HexStrike AI to Exploit Citrix Flaws Within a Week of Disclosure

Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws. HexStrike AI, according to its website, is pitched as an AI‑driven security platform to automate reconnaissance and vulnerability discovery with an aim to accelerate authorized red teaming operations, bug bounty hunting,

What Is a Passkey? Here’s How to Set Up and Use Them (2025)

Passkeys were built to enable a password-free future. Here's what they are and how you can start using them.

Misconfigured Server Leaks 378GB of Navy Federal Credit Union Files

Cybersecurity researcher Jeremiah Fowler discovered an unsecured and misconfigured server exposing 378 GB of internal Navy Federal Credit…

Fake AnyDesk Installer Spreads MetaStealer Through ClickFix Scam

A new and clever ClickFix scam is using a fake AnyDesk installer and Windows search to bypass security,…

Cloudflare Blocks Record-Breaking 11.5 Tbps DDoS Attack

Cloudflare on Tuesday said it automatically mitigated a record-setting volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). "Over the past few weeks, we've autonomously blocked hundreds of hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bpps and 11.5 Tbps," the web infrastructure and security company said in a post on X. "