Security
Headlines
HeadlinesLatestCVEs

Latest News

Crooked Cops, Stolen Laptops & the Ghost of UGNazi

A California man accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime also paid local police officers hundreds of thousands of dollars to help him extort, intimidate and silence rivals and former business partners, a new indictment charges. KrebsOnSecurity has learned that many of the man's alleged targets were members of UGNazi, a hacker group behind multiple high-profile breaches and cyberattacks back in 2012.

Krebs on Security
Open in Source
#web#intel#pdf#auth#blog
Overtaxed State CISOs Struggle With Budgeting, Staffing

CISOs for US states face the same kinds of challenges those at private companies do: lots of work to handle, but not necessarily enough money or people to handle it sufficiently well.

DoJ Charges 3 Iranian Hackers in Political 'Hack & Leak' Campaign

The cyberattackers allegedly stole information from US campaign officials only to turn around and weaponize it against unfavored candidates.

FERC Outlines Supply Chain Security Rules for Power Plants

The US Federal Energy Regulatory Commission spells out what electric utilities should do to protect their software supply chains, as well as their network "trust zones."

Reachability Analysis Pares Down Static Security-Testing Overload

For development teams awash in vulnerability reports, reachability analysis can help tame the chaos and offer another path to prioritize exploitable issues.

Mozilla Faces GDPR Complaint Over New Firefox Tracking Feature

NOYB, a European privacy group has filed a complaint with Austrian authorities, alleging that Mozilla breached GDPR by…

GHSA-62r2-gcxr-426x: starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field

### Summary A user with the `editmyprivateinfo` right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. ### Details Here's the offending line: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137 This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c ### PoC 1. Login 2. Go to Special:Preferences 3. Set the real name field to a string like `<script>alert("Admin with a propensity for self-XSSes")</script>` 4. Save your settings and use Citizen if it's not being used already ![](https://github.com/user-attachments/assets/22adbb70-fcd7-4f81-8e53-1f5f3a730270) ### Impact Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.

GHSA-7p89-p6hx-q4fw: basic-auth-connect's callback uses time unsafe string comparison

### Impact basic-auth-connect <1.1.0 uses a timing-unsafe equality comparison that can leak timing information ### Patches this issue has been fixed in basic-auth-connect 1.1.0 ### References

GHSA-h5q3-fjp4-2x7r: MantisBT vulnerable to information disclosure with user profiles

Using a crafted POST request, an unprivileged, registered user is able to retrieve information about other users' personal system profiles. ### Impact Disclosure of private system profiles: Platform, OS, OS version, Description. ### Patches Work in progress ### Workarounds None ### References https://mantisbt.org/bugs/view.php?id=34640

GHSA-5rfv-66g4-jr8h: RestrictedPython information leakage via `AttributeError.obj` and the `string` module

### Impact A user can gain access to protected (and potentially sensible) information indirectly via `AttributeError.obj` and the `string` module. ### Patches The problem will be fixed in version 7.3. ### Workarounds If the application does not require access to the module `string`, it can remove it from `RestrictedPython.Utilities.utility_builtins` or otherwise do not make it available in the restricted execution environment.