#auth

CCMS Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

Biobook Social Networking Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

The proliferation of new top-level domains (TLDs) has exacerbated a well-known security weakness: Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn't exist at the time. Meaning, they are continuously sending their Windows usernames and passwords to domain names they do not control and which are freely available for anyone to register. Here's a look at one security researcher's efforts to map and shrink the size of this insidious problem.

Read the full article for key points from Intruder’s VP of Product, Andy Hornegold’s recent talk on exposure management. If you’d like to hear Andy’s insights first-hand, watch Intruder’s on-demand webinar. To learn more about reducing your attack surface, reach out to their team today.  Attack surface management vs exposure management Attack surface management (ASM) is the ongoing

The threat actors behind a recently observed Qilin ransomware attack have stolen credentials stored in Google Chrome browsers on a small set of compromised endpoints. The use of credential harvesting in connection with a ransomware infection marks an unusual twist, and one that could have cascading consequences, cybersecurity firm Sophos said in a Thursday report. The attack, detected in July

The Telegram channel and website Deep State uses public data and insider intelligence to power its live tracker of Ukraine’s ever-shifting front line.

Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross domain requests to Casdoor as the logged in user. Due to the a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (Ex: localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user.

Cybersecurity researchers have uncovered a hardware backdoor within a particular model of MIFARE Classic contactless cards that could allow authentication with an unknown key and open hotel rooms and office doors. The attacks have been demonstrated against FM11RF08S, a new variant of MIFARE Classic that was released by Shanghai Fudan Microelectronics in 2020. "The FM11RF08S backdoor enables any

### Summary The `gix` and `ein` commands write pathnames and other metadata literally to terminals, even if they contain characters terminals treat specially, including ANSI escape sequences. This sometimes allows an untrusted repository to misrepresent its contents and to alter or concoct error messages. ### Details `gitoxide-core`, which provides most underlying functionality of the `gix` and `ein` commands, does not neutralize newlines, backspaces, or control characters—including those that form ANSI escape sequences—that appear in a repository's paths, author and committer names, commit messages, or other metadata. Such text may be written as part of the output of a command, as well as appearing in error messages when an operation fails. ANSI escape sequences are of particular concern because, when printed to a terminal, they can change colors, including to render subsequent text unreadable; reposition the cursor to write text in a different location, including where text has a...

### Summary Several API endpoints can be accessed by users without correct authentication/authorization. The main API endpoints affected by this: - `/api/v3/crypto/certificatekeypairs/<uuid>/view_certificate/` - `/api/v3/crypto/certificatekeypairs/<uuid>/view_private_key/` - `/api/v3/.../used_by/` Note that all of the affected API endpoints require the knowledge of the ID of an object, which especially for certificates is not accessible to an unprivileged user. Additionally the IDs for most objects are UUIDv4, meaning they are not easily guessable/enumerable. ### Patches authentik 2024.4.4, 2024.6.4 and 2024.8.0 fix this issue. ### Workarounds Access to the API endpoints can be blocked at a Reverse-proxy/Load balancer level to prevent this issue from being exploited. ### For more information If you have any questions or comments about this advisory: - Email us at [[email protected]](mailto:[email protected])