Latest News
About the Apache Struts remote code execution vulnerability (CVE-2024-53677). Apache Struts is an open source software framework for building Java web applications. It allows developers to separate the application's business logic from the user interface. Because of its scalability and flexibility, Apache Struts is often used in large enterprise projects. A security bulletin describing the […]
Cyberattackers injected the NFL Wild Card team's online Pro Shop with malicious code to steal credit card data from 8,500 fans.
### Impact

Applications passing unsanitized user input to `Carbon::setLocale` are at risk of arbitrary file include. If the application also allows users to upload files with a `.php` extension into a folder that `include` or `require` can read, then they are at risk of arbitrary code being run on their servers.

### Patches

- [3.8.4](https://github.com/briannesbitt/Carbon/releases/tag/3.8.4)
- [2.72.6](https://github.com/briannesbitt/Carbon/releases/tag/2.72.6)

### Workarounds

Any of the actions below can be taken to prevent the issue:

- Validate input before calling `setLocale()`, for instance by forbidding or removing `/` and `\`
- Call `setLocale()` only with a locale from a whitelist of supported locales
- When uploading files, rename them so they cannot have a `.php` extension (this is recommended even if you're not affected by this issue)
- Prefer storage systems that are not local to the application (a remote service, or a local service run by another user so the uploaded files actually ...
An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine when a crafted tar file is downloaded through the get_file function.
Cybersecurity researchers have found that bad actors are continuing to have success by spoofing sender email addresses as part of various malspam campaigns. Faking the sender address of an email is widely seen as an attempt to make the digital missive more legitimate and get past security mechanisms that could otherwise flag it as malicious. While there are safeguards such as DomainKeys
The "Where Warlocks Stay Up Late" project speaks to hackers who have played pivotal roles in shaping the field of cybersecurity. The video interviews are complemented by an encyclopedia and an anthropological map.
The White House has launched the Cyber Trust Mark to assist consumers in their quest to buy cybersecure internet connected devices.
Attackers are abusing a Microsoft 365 feature to send payment requests to users, tricking them into logging in to their accounts so attackers can seize control over them.