Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Hacker Added Prompt to Amazon Q to Erase Files and Cloud Data

A hacker injected a malicious prompt into Amazon Q via GitHub, aiming to delete user files and wipe AWS data, exposing a major security flaw.

HackRead
Open in Source
#vulnerability#web#amazon#git#aws#auth
Watch out: Instagram users targeted in novel phishing campaign

Phishers are using legitimate looking Instagram emails in order to scam users.

GHSA-mvw6-62qv-vmqf: Koa Open Redirect Vulnerability

A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

The Age-Checked Internet Has Arrived

Starting today, UK adults will have to prove their age to access porn online. Experts warn that a global wave of age-check laws threatens to chill speech and ultimately harm children and adults alike.

Scavenger Trojan Targets Crypto Wallets via Game Mods and Browser Flaws

New Scavenger Trojan steals crypto wallet data using fake game mods and browser flaws, targeting MetaMask, Exodus, Bitwarden, and other popular apps.

Can Security Culture Be Taught? AWS Says Yes

Newly appointed Amazon Web Services CISO Amy Herzog believes security culture goes beyond frameworks and executive structures. Having the right philosophy throughout the organization is key.

GHSA-qc4j-v7h6-xr5h: Calibre Web and Autocaliweb have OS Command Injection vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

GHSA-2g7m-ph9x-7q7m: Calibre Web and Autocaliweb have a ReDoS vulnerability

ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1.

GHSA-vr59-gm53-v7cq: XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter

### Impact It's possible for anyone to inject SQL using the parameter sort of the `getdeleteddocuments.vm`. It's injected as is as an ORDER BY value. One can see the result of the injection with http://127.0.0.1:8080/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=injected (this example does not work, but it shows that an HQL query was executed with the passed value which look nothing like an order by value, without any kind of sanitation). ### Patches This has been patched in 17.3.0-rc-1, 16.10.6. ### Workarounds There is no known workaround, other than upgrading XWiki. ### References https://jira.xwiki.org/browse/XWIKI-23093 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org) ### Attribution The vulnerability was identifier by Aleksey Solovev from Positive Technologies.