Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-q9h3-r6wr-p3j3: Drupal Commerce Eurobank (Redirect) Incorrect Authorization vulnerability

Incorrect Authorization vulnerability in Drupal Commerce Eurobank (Redirect) allows Functionality Misuse. This issue affects Commerce Eurobank (Redirect): from 0.0.0 before 2.1.1.

ghsa
#vulnerability#auth
GHSA-rx97-6c62-55mf: Hashicorp Nomad Incorrect Privilege Assignment vulnerability

Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.

GHSA-48wx-8736-jgx2: Drupal Commerce Alphabank Redirect Incorrect Authorization vulnerability

Incorrect Authorization vulnerability in Drupal Commerce Alphabank Redirect allows Functionality Misuse. This issue affects Commerce Alphabank Redirect: from 0.0.0 before 1.0.3.

GHSA-c424-hgg9-9c4w: Drupal Quick Node Block Missing Authorization vulnerability

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing. This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

GHSA-r6xj-43cf-9f88: Drupal Quick Node Block Missing Authorization vulnerability

Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing. This issue affects Quick Node Block: from 0.0.0 before 2.0.0.

GHSA-hq9p-pm7w-8p54: pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration

### Impact When the PostgreSQL JDBC driver is configured with channel binding set to `required` (default value is `prefer`), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. ### Patches TBD ### Workarounds Configure `sslMode=verify-full` to prevent MITM attacks. ### References * https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256 * https://datatracker.ietf.org/doc/html/rfc7677 * https://datatracker.ietf.org/doc/html/rfc5802

Operation Secure: INTERPOL Disrupts 20,000 Infostealer Domains, 32 Arrested

INTERPOL disrupts 20,000 infostealer domains in major cybercrime crackdown across Asia-Pacific, 32 arrested, 216K victims notified in Operation Secure.

GHSA-4r67-4x4p-fprg: Mattermost allows authenticated administrator to execute LDAP search filter injection

Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.

Salesforce Industry Cloud Hit by 20 Vulnerabilities Including 0days

AppOmni research reveals over 20 security vulnerabilities, including zero-days, in the Salesforce Industry Cloud. Learn about critical risks, customer responsibilities, and how to protect sensitive data.

SinoTrack GPS Devices Vulnerable to Remote Vehicle Control via Default Passwords

Two security vulnerabilities have been disclosed in SinoTrack GPS devices that could be exploited to control certain remote functions on connected vehicles and even track their locations. "Successful exploitation of these vulnerabilities could allow an attacker to access device profiles without authorization through the common web management interface," the U.S. Cybersecurity and Infrastructure