Security Headlines: tag #acer

GHSA-995c-qww8-64fj: Oqtane Framework Incorrect Access Control vulnerability

Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication.

Tags: ghsa, #vulnerability, #web, #acer, #auth
GHSA-3q97-vjpp-c8rp: Socialstream has a Potential Account Takeover Vulnerability in Social Account Linking Due to Missing User Consent After OAuth Callback

## Description

When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if `->stateless()` is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure that users explicitly confirm account linking and avoid configurations that skip critical security checks.

## Resolution

Socialstream v6.2 introduces a new custom route that requires a user to "Confirm" or "Deny" a request to link a social account.

Managing Threats When Most of the Security Team Is Out of the Office

During holidays and slow weeks, teams thin out and attackers move in. Here are strategies to bridge gaps, stay vigilant, and keep systems secure during those lulls.

Thai Police Systems Under Fire From 'Yokai' Backdoor

Hackers are abusing legitimate Windows utilities to target Thai law enforcement with a novel malware that is a mix of sophistication and amateurishness.

Cyberbullying and the Law: When Does Online Harassment Become a Criminal Offense?

The rise of social media and digital communication has transformed how we connect, but it has also opened…

GHSA-4c49-9fpc-hc3v: lxd CA certificate sign check bypass

### Summary

If a `server.ca` file is present in `LXD_DIR` at LXD start up, LXD is in "PKI mode". In this mode, only TLS clients that have a CA-signed certificate should be able to authenticate with LXD. We have discovered that if a client sends a non-CA-signed certificate during the TLS handshake, that client is able to authenticate with LXD if its certificate is present in the trust store.

- The LXD Go client (and by extension `lxc`) does not send non-CA-signed certificates during the handshake.
- A manual client (e.g. `cURL`) might send a non-CA-signed certificate during the handshake.

#### Versions affected

LXD 4.0 and above.

### Details

When PKI mode was added to LXD it was intended that all client and server certificates *must* be signed by the certificate authority (see https://github.com/canonical/lxd/pull/2070/commits/84d917bdcca6fe1e3191ce47f1597c7d094e1909). In PKI mode, the TLS listener configuration is altered to add the CA certificate but the `ClientAut...

She Escaped an Abusive Marriage—Now She Helps Women Battle Cyber Harassment

Inspired by her own experience of abuse, Nighat Dad fights for women’s social and digital rights in Pakistan and beyond.

Misconfigured WAFs Heighten DoS, Breach Risks

Organizations that rely on their content delivery network provider for Web application firewall services may be inadvertently leaving themselves open to attack.

'Bootkitty' First Bootloader to Take Aim at Linux

Though it's still just a proof of concept, the malware is functional and can evade the Secure Boot process on devices from multiple vendors.