Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

ABB Cylon Aspect 3.08.01 (servicesUpdate.php) Remote Code Execution

The ABB BMS/BAS controller suffers from an unauthenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'instance' HTTP POST parameter called by servicesUpdate.php script.

Zero Science Lab
Open in Source
#vulnerability#php#rce#auth
Texas Teen Arrested for Scattered Spider Telecom Hacks

An FBI operation nabbed a member of the infamous cybercrime group, who is spilling the tea on 'key Scattered Spider members' and their tactics.

Microsoft Expands Access to Windows Recall AI Feature

The activity-recording capability has drawn concerns from the security community and privacy experts, but the tech giant is being measured in its gradual rollout, which is still in preview mode.

Europol takes down criminal data hub Manson Market in busy month for law enforcement

Two operators and 50 servers that were behind an online marketplace where criminals could buy stolen data have been seized

Why SOC Roles Need to Evolve to Attract a New Generation

The cybersecurity industry faces a growing crisis in attracting and retaining SOC analysts.

Open Source Security Priorities Get a Reshuffle

The "Census of Free and Open Source Software" report, which identifies the most critical software projects, sees more cloud infrastructure and Python software designated as critical software components.

GHSA-m9g8-fxxm-xg86: Django SQL injection in HasKey(lhs, rhs) on Oracle

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. Direct usage of the django.db.models.fields.json.HasKey lookup, when an Oracle database is used, is subject to SQL injection if untrusted data is used as an lhs value. (Applications that use the jsonfield.has_key lookup via __ are unaffected.)

GHSA-8498-2h75-472j: Django denial-of-service in django.utils.html.strip_tags()

An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack via certain inputs containing large sequences of nested incomplete HTML entities.

Announcing the Adaptive Prompt Injection Challenge (LLMail-Inject)

We are excited to introduce LLMail-Inject, a new challenge focused on evaluating state-of-the-art prompt injection defenses in a realistic simulated LLM-integrated email client. In this challenge, participants assume the role of an attacker who sends an email to a user. The user then queries the LLMail service with a question (e.

GHSA-6c5q-fg3g-qhhv: LibreNMS stored cross-site scripting (XSS) vulnerability in the Device Settings section

A stored cross-site scripting (XSS) vulnerability in the Device Settings section of LibreNMS v24.9.0 to v24.10.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name parameter.