Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

ABB Cylon Aspect 3.08.03 (MapServicesHandler) Authenticated Reflected XSS

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameters 'name' and 'id' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Zero Science Lab
Open in Source
#xss#vulnerability#web#linux#apache#js#java#intel#php#perl#auth
ABB Cylon Aspect 3.08.03 Hard-coded Secrets

The ABB Cylon Aspect BMS/BAS controller contains multiple instances of hard-coded credentials, including usernames, passwords, and encryption keys embedded in various java classes. This practice poses significant security risks, allowing attackers to gain unauthorized access and compromise the system's integrity.

GHSA-f27p-cmv8-xhm6: fetch: Authorization headers not dropped when redirecting cross-origin

### Summary When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Deno's`fetch()` redirect handling creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain. ### Details The [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario. The same is generally applied to `Cookie` and `Proxy-Authorization` headers, and is done for not only host changes, but also protocol/port changes. Generally referred to as "origin". The [documentation](https://docs.deno.com/runtime/reference/web_platform_apis/#:~:text=Deno%20does%20not%20follow%20the,leaking%20authenticated%20data%20cross%20origin.) states: > Deno does not follow the same-origin policy, because the Deno user agent currently does not have the concept of origins, and it does not have a cook...

New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.

China's Salt Typhoon Adds Charter, Windstream to Telecom Victim List

These latest attacks follow a long string of cyberattacks and breaches targeting US and global telecom and ISP companies.

GHSA-2p95-8xvm-2pjx: REDAXO CMS Cross-site Scripting vulnerability

A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter.

GHSA-m78c-qx99-mvw9: Grav Cross-site Scripting vulnerability

A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

FireScam Android Spyware Campaign Poses 'Significant Threat Worldwide'

A fake Telegram Premium app delivers information-stealing malware, in a prime example of the rising threat of adversaries leveraging everyday applications, researchers say.

EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

The malware, operated by China-backed cyberattackers, has been significantly fortified with new evasive and post-infection capabilities.

GHSA-237r-r8m4-4q88: Guzzle OAuth Subscriber has insufficient nonce entropy

### Impact Nonce generation does not use sufficient entropy nor a cryptographically secure pseudorandom source (https://github.com/guzzle/oauth-subscriber/blob/0.8.0/src/Oauth1.php#L192). This can leave servers vulnerable to replay attacks when TLS is not used. ### Patches Upgrade to version 0.8.1 or higher. ### Workarounds No. ### References Issue is similar to https://nvd.nist.gov/vuln/detail/CVE-2025-22376.