Security
Headlines
HeadlinesLatestCVEs

Latest News

FBI Warns of HiatusRAT Malware Targeting Webcams and DVRs

KEY SUMMARY POINTS The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting…

HackRead
#vulnerability#web#git#pdf#botnet#auth#telnet
GHSA-2p6p-9rc9-62j9: Craft CMS has potential RCE when PHP `register_argc_argv` config setting is enabled

### Impact You are affected if your php.ini configuration has `register_argc_argv` enabled. ### Patches Update to 4.13.2 or 5.5.2. ### Workarounds If you can't upgrade yet, and `register_argc_argv` is enabled, you can disable it to mitigate the issue.

Maximizing Productivity with Online Document Solutions

Many professionals juggle multiple document formats, leading to confusion and wasted time. Imagine a streamlined process that simplifies…

GHSA-32gq-x56h-299c: age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution

A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the [`plugin.NewIdentity`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentity), [`plugin.NewIdentityWithoutData`](https://pkg.go.dev/filippo.io/age/plugin#NewIdentityWithoutData), or [`plugin.NewRecipient`](https://pkg.go.dev/filippo.io/age/plugin#NewRecipient) APIs. On UNIX systems, a directory matching `${TMPDIR:-/tmp}/age-plugin-*` needs to exist for the attack to succeed. The binary is executed with a single flag, either `--age-plugin=recipient-v1` or `--age-plugin=identity-v1`. The standard input includes the recipient or identity string, and the random file key (if encrypting) or the header of the file (if decrypting). The format is constrained by the [age-plugin](https://c2sp.org/age-plugin) protocol. An equivalent issue was fixed by the [rage](https://github.com/...

GHSA-4fg7-vxc8-qx5w: rage vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution

A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the `rage` CLI through an attacker-controlled recipient or identity string, or to the following `age` APIs when the `plugin` feature flag is enabled: - [`age::plugin::Identity::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#impl-FromStr-for-Identity) (or equivalently [`str::parse::<age::plugin::Identity>()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse)) - [`age::plugin::Identity::default_for_plugin`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#method.default_for_plugin) - [`age::plugin::IdentityPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.IdentityPluginV1.html#method.new) - [`age::plugin::Recipient::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Recipient.html#impl-FromStr-for-Recipient) (or equivalently [`str::parse::<age::plugin::Recipient>()`](https://doc.rust-la...

GHSA-hvm9-wc8j-mgrc: TShock Security Escalation Exploit

### Impact An issue with the way OTAPI manages client connections results in stale UUIDs remaining on `RemoteClient` instances after a player disconnects. Because of this, if the following conditions are met a player may assume the login state of a previously connected player: 1. The server has UUID login enabled 2. An authenticated player disconnects 3. A subsequent player connects with a modified client that does not send the `ClientUUID#68` packet during connection 4. The server assigns the same `RemoteClient` object that belonged to the originally authenticated player to the newly connected player ### Patches TShock 5.2.1 hotfixes this issue. A more robust fix will be made to OTAPI itself. ### Workarounds Implement a RemoteClient reset event handler in a plugin like so: ```csharp public override void Initialize() { On.Terraria.RemoteClient.Reset += RemoteClient_Reset; } private static void RemoteClient_Reset(On.Terraria.RemoteClient.orig_Reset orig, RemoteClient client...

Phishers Spoof Google Calendar Invites in Fast-Spreading, Global Campaign

Attackers are using links to the popular Google scheduling app to lead users to pages that steal credentials, with the ultimate goal of committing financial fraud.

Manufacturers Lose Azure Creds to HubSpot Phishing Attack

Cyberattackers used fake DocuSign links and HubSpot forms to try to solicit Azure cloud logins from hundreds of thousands of employees across Europe.

Pallet liquidation scams and how to recognize them

Pallet liquidation is an attractive playing field for online scammers. Will you receive goods or get your credit card details stolen?