Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-wppr-j57c-8jpm: Improper Authorization in dolibarr/dolibarr

An Improper Authorization vulnerability exists in Dolibarr versions prior to version 15.0.0. A user with restricted permissions in the 'Reception' section is able to access specific reception details via direct URL access, bypassing the intended permission restrictions.

ghsa
#vulnerability#auth
GHSA-hhvr-2q69-4563: Cross site scripting in sylius/sylius

sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. This vulnerability allows attackers to inject malicious scripts that can be executed in the context of the user's browser.

GHSA-46c3-5xc5-wwhv: Apache Airflow: Sensitive configuration values are not masked in the logs by default

Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. This vulnerability allows DAG authors to unintentionally or intentionally log sensitive configuration variables. Unauthorized users could access these logs, potentially exposing critical data that could be exploited to compromise the security of the Airflow deployment. In version 2.10.3, secrets are now masked in task logs to prevent sensitive configuration variables from being exposed in the logging output. Users should upgrade to Airflow 2.10.3 or the latest version to eliminate this vulnerability. If you suspect that DAG authors could have logged the secret values to the logs and that your logs are not additionally protected, it is also recommended that you update those secrets.

An Interview With the Target & Home Depot Hacker

In December 2023, KrebsOnSecurity revealed the real-life identity of Rescator, the nickname used by a Russian cybercriminal who sold more than 100 million payment cards stolen from Target and Home Depot between 2013 and 2014. Moscow resident Mikhail Shefel, who confirmed using the Rescator identity in a recent interview, also admitted reaching out because he is broke and seeking publicity for several new money making schemes.

TSA Proposes Cyber Risk Mandates for Pipelines, Transportation Systems

The proposed rules codify existing temporary directives requiring pipeline and railroad operators to report cyber incidents and create cyber risk management plans.

Hardening your operating system? Red Hat Enterprise Linux to the rescue!

Security is important in enterprise scenarios, where core business applications need to run seamlessly but are often connected to the external world where they are vulnerable to attack.Malware, unauthorized access to files and execution of unverified code are just some examples of how system security can be compromised, not only by exploiting known bugs and vulnerabilities, but also by the lack of appropriate countermeasures.Red Hat Enterprise Linux (RHEL) can help, as it provides some tools and services that can natively support the process of system hardening to help make your system more se

Frenos Takes Home the Prize at 2024 DataTribe Challenge

Frenos offers a zero-impact, continuous security assessment platform for operational technology environments.

Varonis Warns of Bug Discovered in PostgreSQL PL/Perl

Several versions of PostgreSQL are impacted, and customers will need to upgrade in order to patch.

Idaho Man Turns to RaaS to Extort Orthodontist

In addition to his prison sentence, he will have to pay more than $1 million in restitution to his victims.

The Vendor's Role in Combating Alert Fatigue

As alerts pile up, the complexity can overwhelm security professionals, allowing real threats to be missed. This is where vendors must step up.