Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Verizon and T-Mobile Deny Data Breaches as Millions of User Records Sold Online

User claims to sell stolen Verizon and T-Mobile data for millions of users (online Verizon says data is old T-Mobile denies any breach and links to it.

HackRead
#web#js#git#auth
CVE-2025-49713: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

**According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution?** This attack requires an authenticated client to click a link so that an unauthenticated attacker can initiate remote code execution.

GHSA-m43g-m425-p68x: junit-platform-reporting can leak Git credentials through its OpenTestReportGeneratingListener

### Summary This vulnerability affects JUnit's support for writing Open Test Reporting XML files which is an opt-in feature of `junit-platform-reporting`. If a repository is cloned using a GitHub token or other credentials in its URL, for example: ```bash git clone https://${GH_APP}:${GH_TOKEN}@github.com/example/example.git ``` The credentials are captured by `OpenTestReportGeneratingListener` which produces (trimmed for brevity): ```xml <infrastructure> <git:repository originUrl="https://username:[email protected]/example/example.git" /> </infrastructure> ``` ### Details https://github.com/junit-team/junit5/blob/6b7764dac92fd35cb348152d1b37f8726875a4e0/junit-platform-reporting/src/main/java/org/junit/platform/reporting/open/xml/OpenTestReportGeneratingListener.java#L183 I think this should be configurable in some way to exclude select git information or exclude it entirely. ### PoC 1. Clone a repo using a GitHub token as shown above. 2. Enable the listener `junit.platfor...

GHSA-hc55-p739-j48w: @modelcontextprotocol/server-filesystem vulnerability allows for path validation bypass via colliding path prefix

Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 2025.7.1 to resolve the issue. Thank you to Elad Beber (Cymulate) for reporting these issues.

GHSA-q66q-fx2p-7w4m: @modelcontextprotocol/server-filesystem allows for path validation bypass via prefix matching and symlink handling

Versions of Filesystem prior to 0.6.3 & 2025.7.1 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 2025.7.1 to resolve. Thank you to Elad Beber (Cymulate) for reporting these issues.

FBI Warns of Health Insurance Scam Stealing Personal and Medical Data

The Federal Bureau of Investigation (FBI) has issued a warning about a scam where criminals pretend to be…

Update your Chrome to fix new actively exploited zero-day vulnerability

Google has released an urgent update for the Chrome browser to patch a vulnerability which has already been exploited.

FESTO Hardware Controller, Hardware Servo Press Kit

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: FESTO Equipment: Hardware Controller, Hardware Servo Press Kit Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute unauthorized system commands with root privileges. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS FESTO reports the following products are affected: Festo Firmware installed on Festo Hardware Controller CECC-X-M1: Version 4.0.14 Festo Firmware installed on Festo Hardware Controller CECC-X-M1: Versions 3.8.14 and prior Festo Firmware installed on Festo Hardware Controller CECC-X-M1-MV: Versions 3.8.14 and prior Festo Firmware installed on Festo Hardware Controller CECC-X-M1-MV: Version 4.0.14 Festo Firmware installed on Festo Hardware Controller CECC-X-M1-MV-S1: Version 4.0.14 Festo Firmware installed on Festo Hardware...

FESTO CODESYS

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: FESTO Equipment: CODESYS Vulnerabilities: Partial String Comparison, Uncontrolled Resource Consumption, Memory Allocation with Excessive Size Value 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to block legitimate user connections, crash the application, or authenticate without proper credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS FESTO reports that the following products are affected: FESTO CODESYS Gateway Server V2: All versions FESTO CODESYS Gateway Server V2: prior to V2.3.9.38 3.2 VULNERABILITY OVERVIEW 3.2.1 PARTIAL STRING COMPARISON CWE-187 In CODESYS Gateway Server V2 for versions prior to V2.3.9.38 only part of the specified password is being compared to the real CODESYS Gateway password. An attacker may perform authentication by specifying a small password that matches the corresponding part of the longer real CODESYS ...

FESTO Automation Suite, FluidDraw, and Festo Didactic Products

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: FESTO, FESTO Didactic Equipment: CIROS Studio / Education, Automation Suite, FluidDraw, FluidSIM, MES-PC Vulnerability: Out-of-bounds Write 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to gain full control of the host system, including remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS FESTO, FESTO Didactic reports that the following products are affected: FESTO Didactic CIROS Studio / Education: 6.0.0 - 6.4.6 FESTO Didactic CIROS Studio / Education: 7.0.0 - 7.1.7 FESTO Festo Automation Suite: <= 2.6.0.481 FESTO FluidDraw: P6 <= 6.2k FESTO FluidDraw: 365 <= 7.0a FESTO Didactic FluidSIM: 5 all versions FESTO Didactic FluidSIM: 6 <= 6.1c FESTO Didactic MES-PC: shipped before December 2023 3.2 VULNERABILITY OVERVIEW 3.2.1 OUT-OF-BOUNDS WRITE CWE-787 A heap buffer overflow vulnerability in Wibu CodeMeter Runtime network servi...