Latest News
KEY SUMMARY POINTS The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting…
### Impact You are affected if your php.ini configuration has `register_argc_argv` enabled. ### Patches Update to 4.13.2 or 5.5.2. ### Workarounds If you can't upgrade yet, and `register_argc_argv` is enabled, you can disable it to mitigate the issue.
Many professionals juggle multiple document formats, leading to confusion and wasted time. Imagine a streamlined process that simplifies…
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the [`plugin.NewIdentity`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentity), [`plugin.NewIdentityWithoutData`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentityWithoutData), or [`plugin.NewRecipient`](https://pkg.go.dev/filippo.io/age/plugin#NewRecipient) APIs. On UNIX systems, a directory matching `${TMPDIR:-/tmp}/age-plugin-*` needs to exist for the attack to succeed. The binary is executed with a single flag, either `--age-plugin=recipient-v1` or `--age-plugin=identity-v1`. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol. An equivalent issue was fixed by the [rage](https://github.com/...
A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the `rage` CLI through an attacker-controlled recipient or identity string, or to the following `age` APIs when the `plugin` feature flag is enabled: - [`age::plugin::Identity::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#impl-FromStr-for-Identity) (or equivalently [`str::parse::<age::plugin::Identity>()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse)) - [`age::plugin::Identity::default_for_plugin`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#method.default_for_plugin) - [`age::plugin::IdentityPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.IdentityPluginV1.html#method.new) - [`age::plugin::Recipient::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Recipient.html#impl-FromStr-for-Recipient) (or equivalently [`str::parse::<age::plugin::Recipient>()`](https://doc.rust-la...
### Impact An issue with the way OTAPI manages client connections results in stale UUIDs remaining on `RemoteClient` instances after a player disconnects. Because of this, if the following conditions are met a player may assume the login state of a previously connected player: 1. The server has UUID login enabled 2. An authenticated player disconnects 3. A subsequent player connects with a modified client that does not send the `ClientUUID#68` packet during connection 4. The server assigns the same `RemoteClient` object that belonged to the originally authenticated player to the newly connected player ### Patches TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself. ### Workarounds Implement a RemoteClient reset event handler in a plugin like so: ```csharp public override void Initialize() { On.Terraria.RemoteClient.Reset += RemoteClient_Reset; } private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client...
Attackers are using links to the popular Google scheduling app to lead users to pages that steal credentials, with the ultimate goal of committing financial fraud.
Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.
Pallet liquidation is an attractive playing field for online scammers. Will you receive goods or get your credit card details stolen?