Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Temu must respect consumer protection laws, says EU

Temu is under investigation for a variety of misleading practices.

Malwarebytes
Open in Source
#web#auth
GHSA-8886-8v27-85j8: Stored XSS vulnerability in Jenkins Authorize Project Plugin

Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. Authorize Project Plugin 1.8.0 no longer evaluates a string containing the job name with JavaScript on the Authorization view.

GHSA-h23j-73ww-7594: Session fixation vulnerability in Jenkins OpenId Connect Authentication Plugin

Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. This allows attackers to use social engineering techniques to gain administrator access to Jenkins. OpenId Connect Authentication Plugin 4.421.v5422614eb_e0a_ invalidates the existing session on login.

5 Ways to Save Your Organization From Cloud Security Threats

The shift to cloud means securing your organization's digital assets requires a proactive, multilayered approach.

Iranian Cybercriminals Target Aerospace Workers via LinkedIn

The group seeks out aerospace professionals by impersonating job recruiters — a demographic it has targeted in the past as well — then deploys the SlugResin backdoor malware.

Google AI Platform Bugs Leak Proprietary Enterprise LLMs

The tech giant fixed privilege-escalation and model-exfiltration vulnerabilities in Vertex AI that could have allowed attackers to steal or poison custom-built AI models.

GHSA-8237-957h-h2c2: FileManager Deserialization of Untrusted Data vulnerability

### Impact Deserialization of untrusted data from the `mimes` parameter could lead to remote code execution. ### Patches Fixed in 3.0.9 ### Workarounds Not needed, a `composer update` will solve it in a non-breaking way. ### References Reported responsibly Vladislav Gladkiy at [Positive Technologies](https://www.ptsecurity.com/ww-en/).

GHSA-cg23-qf8f-62rr: Symphony has an Authentication Bypass via RememberMe

### Description Whan consuming a persisted remember-me cookie, symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. ### Resolution The `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4. ### Credits We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.

Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download

Siemens Energy Omnivise T3000 version 8.2 SP3 suffers from local privilege escalation, cleartext storage of passwords in configuration and log files, file system access allowing for arbitrary file download, and IP whitelist bypass.

Hamas-Affiliated WIRTE Employs SameCoin Wiper in Disruptive Attacks Against Israel

A threat actor affiliated with Hamas has expanded its malicious cyber operations beyond espionage to carry out disruptive attacks that exclusively target Israeli entities. The activity, linked to a group called WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, Check Point said in an analysis. "The [Israel-Hamas] conflict has not disrupted the WIRTE's