Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Hacklink Market Linked to SEO Poisoning Attacks in Google Results

Cybersecurity researchers at Netcraft have discovered a series of new SEO poisoning related attacks exploiting Google’s search results…

HackRead
#web#mac#google#git#auth#sap
GHSA-f7gq-h8jv-h3cq: ash_authentication_phoenix has Insufficient Session Expiration

### Impact Session tokens remain valid on the server after user logout, creating a security gap where: - Compromised tokens (via XSS, network interception, or device theft) continue to work even after the user logs out - The sessions stored in the database still expire, limiting the duration during which this could be exploited - Users cannot fully invalidate their sessions when logging out from shared or potentially compromised devices - by default, changing one's password *does* invalidate all other sessions, so changing your password as a security measure would have been effective - May cause compliance issues with security frameworks requiring complete session ### Patches Upgrade to version 2.10.0. After upgrading, users must update their AuthController implementation to use the new `clear_session/2` function with their OTP app name. You will be prompted to do so with a compile-time error. If you do not have the setting `require_token_presence_for_authentication?` set to `...

GHSA-7pr5-w74r-jjj7: Mezzanine CMS has a Stored Cross-Site Scripting (XSS) vulnerability in the displayable_links_js function

Mezzanine CMS, in versions prior to 6.1.1, contains a Stored Cross-Site Scripting (XSS) vulnerability in the admin interface. The vulnerability exists in the "displayable_links_js" function, which fails to properly sanitize blog post titles before including them in JSON responses served via "/admin/displayable_links.js". An authenticated admin user can create a blog post with a malicious JavaScript payload in the title field, then trick another admin user into clicking a direct link to the "/admin/displayable_links.js" endpoint, causing the malicious script to execute in their browser.

Dover Fueling Solutions ProGauge MagLink LX Consoles

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.2 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Dover Fueling Solutions Equipment: ProGauge MagLink LX consoles Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could result in an attacker gaining control of the monitoring device, manipulating fueling operations, deleting system configurations, or deploying malware. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ProGauge MagLink LX, a fuel and water tank monitor, are affected: ProGauge MagLink LX 4: Versions prior to 4.20.3 ProGauge MagLink LX Plus: Versions prior to 4.20.3 ProGauge MagLink LX Ultimate: Versions prior to 5.20.3 3.2 VULNERABILITY OVERVIEW 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306 The device exposes an undocumented and unauthenticated Target Communication Framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentia...

Zoomcar Data Breach Exposes Personal Info of 8.4 Million Users

Zoomcar confirms 2025 breach affecting 8.4M users, echoing its 2018 data leak. Personal info exposed, financial data safe, investigation ongoing.

Reddit’s new AI-powered tools scan your posts to serve you better ads

Reddit has announced more AI-powered tools to help advertisers. But do users care for it?

Hard-Coded 'b' Password in Sitecore XP Sparks Major RCE Risk in Enterprise Deployments

Cybersecurity researchers have disclosed three security flaws in the popular Sitecore Experience Platform (XP) that could be chained to achieve pre-authenticated remote code execution. Sitecore Experience Platform is an enterprise-oriented software that provides users with tools for content management, digital marketing, and analytics and reports. The list of vulnerabilities, which are yet to be

GHSA-rp38-pj7h-r8q2: python-a2a has a path traversal in the create_workflow function

A vulnerability classified as critical has been found in themanojdesai python-a2a up to 0.5.5. Affected is the function create_workflow of the file python_a2a/agent_flow/server/api.py. The manipulation leads to path traversal. Upgrading to version 0.5.6 is able to address this issue. It is recommended to upgrade the affected component.

Minnesota Shooting Suspect Allegedly Used Data Broker Sites to Find Targets’ Addresses

The shooter allegedly researched several “people search” sites in an attempt to target his victims, highlighting the potential dangers of widely available personal data.

GHSA-rvpw-p7vw-wj3m: OpenNext for Cloudflare (opennextjs-cloudflare) has a SSRF vulnerability via /_next/image endpoint

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package. The vulnerability stems from an unimplemented feature in the Cloudflare adapter for Open Next, which allowed unauthenticated users to proxy arbitrary remote content via the `/_next/image` endpoint. This issue allowed attackers to load remote resources from arbitrary hosts under the victim site’s domain for any site deployed using the Cloudflare adapter for Open Next. For example: `https://victim-site.com/_next/image?url=https://attacker.com`. In this example, attacker-controlled content from attacker.com is served through the victim site’s domain (`victim-site.com`), violating the same-origin policy and potentially misleading users or other services. ### Impact - SSRF via unrestricted remote URL loading - Arbitrary remote content loading - Potential internal service exposure or phishing risks through domain abuse ### Mitigation The following mitigations have been put in...