Tag
#web
Applications that use UriComponentsBuilder in Spring Framework to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an [open redirect](https://cwe.mitre.org/data/definitions/601.html) attack or to an SSRF attack if the URL is used after passing validation checks. This is the same as [CVE-2024-22243](https://spring.io/security/cve-2024-22243), but with different input.
### Impact

Any users who would not want a traceback to be included in their logs whenever an error is raised in their code will be affected. If users have inadvertently created a scenario in their code that could cause a traceback to include sensitive information _and_ a malicious entity gained access to their log stream, this could create an issue.

### Patches

None yet... users will need to upgrade to `0.4.*`

### Workarounds

No particularly reasonable ones at present.

### References

* https://cwe.mitre.org/data/definitions/453.html
* https://www.invicti.com/web-vulnerability-scanner/vulnerabilities/stack-trace-disclosure-python/
Financials by Coda versions prior to 2023Q4 suffer from a cross-site scripting vulnerability.
HALO version 2.13.1 has an insecure cross-origin resource sharing setting that allows an arbitrary origin.
Membership Management System version 1.0 suffers from remote shell upload and remote SQL injection vulnerabilities.
Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later.
By Waqas. A new INTERPOL Financial Fraud assessment reveals how cybercrime is being fueled by the abuse of AI and other technologies. Originally posted on HackRead.com as: AI-Powered Scams, Human Trafficking Fuel Global Cybercrime Surge: INTERPOL
An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. Users of other data bindings (including the default data binding) are not impacted.
By Deeba Ahmed. Another day, another massive data breach! Originally posted on HackRead.com as: Massive Data Breach Exposes Info of 43 Million French Workers
The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.