Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Cybercriminals Use Webflow to Deceive Users into Sharing Sensitive Login Credentials

Cybersecurity researchers have warned of a spike in phishing pages created using a website builder tool called Webflow, as threat actors continue to abuse legitimate services like Cloudflare and Microsoft Sway to their advantage. "The campaigns target sensitive information from different crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for

The Hacker News
#web#google#microsoft#cisco#git#auth#chrome#The Hacker News
GHSA-c4q5-6c82-3qpw: Spring Security vulnerable to Authorization Bypass of Static Resources in WebFlux Applications

Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: * It must be a WebFlux application * It must be using Spring's static resources support * It must have a non-permitAll authorization rule applied to the static resources support

Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel

A new attack technique could be used to bypass Microsoft's Driver Signature Enforcement (DSE) on fully patched Windows systems, leading to operating system (OS) downgrade attacks. "This bypass allows loading unsigned kernel drivers, enabling attackers to deploy custom rootkits that can neutralize security controls, hide processes and network activity, maintain stealth, and much more," SafeBreach

GHSA-hxf3-vgpm-fv9p: CycloneDX cdxgen may execute code contained within build-related files

CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake.

GHSA-mgfv-m47x-4wqp: useragent Regular Expression Denial of Service vulnerability

Useragent is a user agent parser for Node.js. All versions as of time of publication contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS).

GHSA-w455-mfq9-hf74: insane vulnerable to Regular Expression Denial of Service

insane is a whitelist-oriented HTML sanitizer. Versions 2.6.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

GHSA-68qg-g787-3rp5: Knwl.js Regular Expression Denial of Service vulnerability

Knwl.js is a Javascript library that parses through text for dates, times, phone numbers, emails, places, and more. Versions 1.0.2 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

GHSA-rv73-9c8w-jp4c: validate.js Regular Expression Denial of Service vulnerability

Validate.js provides a declarative way of validating javascript objects. Versions 0.13.1 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

GHSA-pmvv-57rg-5g86: CommonRegexJS Regular Expression Denial of Service vulnerability

CommonRegexJS is a CommonRegex port for JavaScript. All available versions contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, no known patches are available.

GHSA-p8pc-3f7w-jr5q: Foundation Regular Expression Denial of Service vulnerability

Foundation is a front-end framework. Versions 6.3.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). As of time of publication, it is unknown if any fixes are available.