Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Cisco Patches CVE-2025-20188 (10.0 CVSS) in IOS XE That Enables Root Exploits via JWT

Cisco has released software fixes to address a maximum-severity security flaw in its IOS XE Wireless Controller that could enable an unauthenticated, remote attacker to upload arbitrary files to a susceptible system. The vulnerability, tracked as CVE-2025-20188, has been rated 10.0 on the CVSS scoring system. "This vulnerability is due to the presence of a hard-coded JSON Web Token (JWT) on an

The Hacker News
Open in Source
#vulnerability#web#ios#cisco#js#auth#The Hacker News
Pakistani Firm Shipped Fentanyl Analogs, Scams to US

A Texas firm recently charged with conspiring to distribute synthetic opioids in the United States is at the center of a vast network of companies in the U.S. and Pakistan whose employees are accused of using online ads to scam westerners seeking help with trademarks, book writing, mobile app development and logo designs, a new investigation reveals.

The Trump Administration Sure Is Having Trouble Keeping Its Comms Private

In the wake of SignalGate, a knockoff version of Signal used by a high-ranking member of the Trump administration was hacked. Today on Uncanny Valley, we discuss the platforms used for government communications.

GHSA-72qj-48g4-5xgx: JRuby-OpenSSL has hostname verification disabled by default

### Summary When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present _any_ valid cert for a completely different domain they own, and JRuby wouldn't complain. ### Details n/a ### PoC An example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with `certificate verify failed (hostname mismatch)`, but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3 ```ruby require "net/http" require "openssl" uri = URI("https://bad.substitutealert.com/") https = Net::HTTP.new(uri.host, uri.port) https.use_ssl = true https.verify_mode = OpenSSL::SSL::VERIFY_PEER body = https.start { https.get(uri.request_uri).body } puts body ``` ### Impact Anybody using JRuby to make requests of external APIs, or scrapi...

GHSA-hcjv-982c-5f29: Easy Appointments Denial of Service (DoS)

A business logic vulnerability in Easy Appointments v1.5.1 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

GHSA-79m9-55jc-p6mw: scanner has a Public API without sufficient bounds checking

`Match::get()` and `Match::ptr()` lack sufficient bounds checks, leading to potential out of bounds reads.

FBI issues warning as scammers target victims of crime

The FBI has warned scammers are impersonating the IC3, tricking victims by claiming to be able to recover funds.

Europol, Poland Bust Major DDoS-for-Hire Operation, Arrest 4

Polish authorities arrest 4 behind major DDoS-for-hire sites used in global attacks. Europol, US, Germany, and Dutch forces…

Fake SSA Emails Trick Users into Installing ScreenConnect RAT

Cybercriminals are using fake Social Security Administration emails to distribute the ScreenConnect RAT (Remote Access Trojan) and compromise…