Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Verizon and T-Mobile Deny Data Breaches as Millions of User Records Sold Online

User claims to sell stolen Verizon and T-Mobile data for millions of users (online Verizon says data is old T-Mobile denies any breach and links to it.

HackRead
#web#js#git#auth
PDFs: Portable documents, or perfect deliveries for phish?

A popular social engineering technique returns: callback phishing, or TOAD attacks, which leverage PDFs, VoIP anonymity and even QR code tricks.

GHSA-hc55-p739-j48w: @modelcontextprotocol/server-filesystem vulnerability allows for path validation bypass via colliding path prefix

Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 2025.7.1 to resolve the issue. Thank you to Elad Beber (Cymulate) for reporting these issues.

GHSA-q66q-fx2p-7w4m: @modelcontextprotocol/server-filesystem allows for path validation bypass via prefix matching and symlink handling

Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 2025.7.1 to resolve. Thank you to Elad Beber (Cymulate) for reporting these issues.

GHSA-xg8h-j46f-w952: Pillow vulnerability can cause write buffer overflow on BCn encoding

There is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. * Unclear how large the potential write could be. It is likely limited by process segfault, so it's not necessarily deterministic. It may be practically unbounded. * Unclear if there's a restriction on the bytes that could be emitted. It's likely that the only restriction is that the bytes would be emitted in chunks of 8 or 16. This was introduced in Pillow 11.2.0 when the feature was added.

FBI Warns of Health Insurance Scam Stealing Personal and Medical Data

The Federal Bureau of Investigation (FBI) has issued a warning about a scam where criminals pretend to be…

Update your Chrome to fix new actively exploited zero-day vulnerability

Google has released an urgent update for the Chrome browser to patch a vulnerability which has already been exploited.

Chrome Zero-Day, 'FoxyWallet' Firefox Attacks Threaten Browsers

Separate threats to popular browsers highlight the growing security risk for enterprises presented by the original gateway to the Web, which remains an integral tool for corporate users.

FESTO Hardware Controller, Hardware Servo Press Kit

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: FESTO Equipment: Hardware Controller, Hardware Servo Press Kit Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized system commands with root privileges. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS FESTO reports the following products are affected: Festo Firmware installed on Festo Hardware Controller CECC-X-M1: Version 4.0.14 Festo Firmware installed on Festo Hardware Controller CECC-X-M1: Versions 3.8.14 and prior Festo Firmware installed on Festo Hardware Controller CECC-X-M1-MV: Versions 3.8.14 and prior Festo Firmware installed on Festo Hardware Controller CECC-X-M1-MV: Version 4.0.14 Festo Firmware installed on Festo Hardware Controller CECC-X-M1-MV-S1: Version 4.0.14 Festo Firmware installed on Festo Hardware...

FESTO CODESYS

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: FESTO Equipment: CODESYS Vulnerabilities: Partial String Comparison, Uncontrolled Resource Consumption, Memory Allocation with Excessive Size Value 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to block legitimate user connections, crash the application, or authenticate without proper credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS FESTO reports that the following products are affected: FESTO CODESYS Gateway Server V2: All versions FESTO CODESYS Gateway Server V2: prior to V2.3.9.38 3.2 VULNERABILITY OVERVIEW 3.2.1 PARTIAL STRING COMPARISON CWE-187 In CODESYS Gateway Server V2 for versions prior to V2.3.9.38 only part of the specified password is being compared to the real CODESYS Gateway password. An attacker may perform authentication by specifying a small password that matches the corresponding part of the longer real CODESYS ...