#auth

A joint operation by Spanish law enforcement has resulted in the apprehension of Natohub, a “dangerous hacker” suspected of orchestrating numerous cyberattacks against prominent organizations in Spain and internationally.

Wired reported this week that a 19-year-old working for Elon Musk's so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today's story explores, the DOGE teen is a former denizen of 'The Com,' an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.

SQL injection vulnerability in Beijing Guoju Information Technology Co., Ltd JeecgBoot v.3.7.2 allows a remote attacker to obtain sensitive information via the getTotalData component.

The ABB Cylon FLXeon BACnet controller is vulnerable to an authenticated JSON flooding attack, leading to uncontrolled resource consumption and a denial-of-service (DoS) condition. The /api/serialConfig endpoint allows an authenticated attacker to abuse an unrestricted loop to create a large number of JSON objects by sending specially crafted requests through the ports JSON array. This results in excessive memory and CPU usage, causing resource exhaustion and potential service failure.

The ACLU says it stands ready to sue for access to government records that detail DOGE’s access to sensitive personnel data.

Microsoft cybersecurity experts have identified a vulnerability flaw affecting ASP.NET applications, putting thousands of web servers at risk.…

### Impact - Information that is restricted from viewing in the search results of site searches (※) can still be viewed via the main text (a feature added in v1.8.0). - Impact by version - v1.8.0 ~ v1.8.3: It will be displayed in the text. - v1.8.0 and earlier: It will not be displayed in the body of the text, but the title (frame name) will be displayed with a link. - Target viewing restriction function - Frame publishing function (private, limited publishing) - IP Restriction Page - Password setting page ### Patches (fixed version) - Apply v1.8.4. ### Workarounds - Remove the site search (e.g. hide frames).。 ### References none

### Impact SFTPGo supports execution of a defined set of commands via SSH. Besides a set of default commands some optional commands can be activated, one of them being `rsync`: it is disabled in the default configuration and it is limited to the local filesystem, it does not work with cloud/remote storage backends. Due to missing sanitization of the client provided `rsync` command, an authenticated remote user can use some options of the rsync command to read or write files with the permissions of the SFTPGo server process. ### Patches This issue was fixed in version v2.6.5 by checking the client provided arguments. https://github.com/drakkan/sftpgo/commit/b347ab6051f6c501da205c09315fe99cd1fa3ba1

The secret use of other people's generative AI platforms, wherein hijackers gain unauthorized access to an LLM while someone else foots the bill, is getting quicker and stealthier by the month.

Five years after a Russian APT infiltrated a software update to gain access to thousands of SolarWinds customers, the board has voted unanimously to sell at a top valuation and plans for uninterrupted operations.