Security
Headlines
HeadlinesLatestCVEs

Latest News

GHSA-9c3x-r3wp-mgxm: Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient

### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. ### Credits We would like to thank Linus Karlsson for reporting the issue and Nicolas Grekas for providing the fix.

ghsa
Open in Source
#vulnerability#web#git#auth
GHSA-jxgr-3v7q-3w9v: Symfony's `Security::login` does not take into account custom `user_checker`

### Description The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. ### Resolution The `Security::login` method now ensure to call the configured `user_checker`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105) for branch 6.4. ### Credits We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.

GHSA-x8vp-gf4q-mw5j: Symfony allows changing the environment through a query

### Description When the `register_argc_argv` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. ### Resolution The `SymfonyRuntime` now ignores the `argv` values for non-cli SAPIs PHP runtimes The patch for this issue is available [here](https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa) for branch 5.4. ### Credits We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

How to Outsmart Stealthy E-Crime and Nation-State Threats

In a time of increasingly sophisticated cross-domain attacks, relying solely on automated solutions isn't enough.

New Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps

Cybersecurity researchers are warning that a command-and-control (C&C) framework called Winos is being distributed within gaming-related applications like installation tools, speed boosters, and optimization utilities. "Winos 4.0 is an advanced malicious framework that offers comprehensive functionality, a stable architecture, and efficient control over numerous online endpoints to execute

8 security tips for small businesses

Small businesses have the same security problems as big corporations, but not the budget or staff to match. Here are some tips to help.

8 security tips for small businesses

Small businesses have the same security problems as big corporations, but not the budget or staff to match. Here are some tips to help.

How Playing Cyber Games Can Help You Get Hired

When it comes to landing a job in cybersecurity, what does it take to stand out from the pack? Try playing games.

Update your Android: Google patches two zero-day vulnerabilities

Google has released patches for two zero-days and a lot of other high level vulnerabilities.

GHSA-32p4-gm2c-wmch: ansible-core Incorrect Authorization vulnerability

A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.