### Impact

Applications that use the `verifyWebhook()` helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.

### Patches

* `@clerk/backend`: the helper has been patched as of `2.4.0`
* `@clerk/astro`: the helper has been patched as of `2.10.2`
* `@clerk/express`: the helper has been patched as of `1.7.4`
* `@clerk/fastify`: the helper has been patched as of `2.4.4`
* `@clerk/nextjs`: the helper has been patched as of `6.23.3`
* `@clerk/nuxt`: the helper has been patched as of `1.7.5`
* `@clerk/react-router`: the helper has been patched as of `1.6.4`
* `@clerk/remix`: the helper has been patched as of `4.8.5`
* `@clerk/tanstack-react-start`: the helper has been patched as of `0.18.3`

### Resolution

The issue was resolved in **`@clerk/backend` `2.4.0`** by:

* Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event

### Workarounds

If unable to upgrade, developers ...
### Impact

Any user with a Juju account on a controller can read debug log messages from the `/log` endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. The log messages may contain sensitive information.

### Details

The `/log` endpoint is accessible at the following endpoints:

- `wss://<controller-ip>/log`
- `wss://<controller-ip>/model/<model-uuid>/log`

In order to connect to these endpoints, the client must pass an X-Juju-Client-Version header that matches the current version and pass credentials in a Basic Authorization header. Once connected, the service will stream log events even though the user is not authorised to view them.

To reproduce:

```
juju bootstrap
juju add-user testuser
juju change-user-password testuser
```

Run the [wscat](https://github.com/websockets/wscat) command below to connect to `wss://<controller-ip>:17070/api`. Update the JSON payload to include the username and password that were...
Researchers have discovered a campaign of malicious browser extensions that were available in the official Chrome and Edge web stores.
### Summary

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages.

### Details

Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. This is done by changing the `Host` header to the value of `127.0.0.1:9666`.

### PoC

The application has middleware that prevents access to several routes by checking whether the `Host` header has a specific value. We bypassed this restriction.

https://github.com/pyload/pyload/blob/4159a1191ec4fe6d927e57a9c4bb8f54e16c381d/src/pyload/webui/app/blueprints/cnl_blueprint.py#L21-L36

```python
#: decorator
def local_check(func):
    @wraps(func)
    def wrapper(*args, **kwargs):
        remote_addr = flask.request.environ.get("REMOTE_ADDR", "0")
        http_host = flask.request.environ.get("HTTP_HOST", "0")
        if remote_addr in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "localhost") or h...
```
### Summary

Sending a message that modifies the validator set at the epoch boundary halts the chain.

### Impact

Denial of Service - Cosmos-sdk prevents modifying the validator set from two different modules - https://github.com/cosmos/cosmos-sdk/blob/release/v0.50.x/types/module/module.go#L811. Such an operation leads to panic and chain halt.

### Detailed Post mortem

https://boiling-lake-106.notion.site/2025-06-18-Genesis-mainnet-chain-halt-post-mortem-229f60cc1b5f80b7adf5e3ea0541ea87
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Emerson
Equipment: ValveLink Products
Vulnerabilities: Cleartext Storage of Sensitive Information in Memory, Protection Mechanism Failure, Uncontrolled Search Path Element, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker with access to the system to read sensitive information stored in cleartext, tamper with parameters, and run unauthorized code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ValveLink products are affected:

ValveLink SOLO: All versions prior to ValveLink 14.0
ValveLink DTM: All versions prior to ValveLink 14.0
ValveLink PRM: All versions prior to ValveLink 14.0
ValveLink SNAP-ON: All versions prior to ValveLink 14.0

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316

The product stores sensitive information in cleartext in memory. The sensitive...
A newly released report by cybersecurity firm CTM360 reveals a large-scale scam operation utilizing fake news websites—known as Baiting News Sites (BNS)—to deceive users into online investment fraud across 50 countries. These BNS pages are made to look like real news outlets: CNN, BBC, CNBC, or regional media. They publish fake stories that feature public figures, central banks, or financial
### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-x698-5hjm-w2m5. This link is maintained to preserve external references. ### Original Description Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages
**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An attacker who successfully exploited the vulnerability could evade Mark of the Web (MOTW) defenses.
**According to the CVSS metric, user interaction is required (UI:R). What does that mean for this vulnerability?** An attacker must trick the user into interacting with a spoofed WebAuthn prompt and entering their credentials.