#auth

The United States joined the United Kingdom and Australia today in sanctioning 31-year-old Russian national Dmitry Yuryevich Khoroshev as the alleged leader of the infamous ransomware group LockBit. The U.S. Department of Justice also indicted Khoroshev as the gang's leader "LockbitSupp," and charged him with using Lockbit to attack more than 2,000 victims and extort at least $100 million in ransomware payments.

The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. **Vulnerable Versions**: Up to 2.1.0 **Fixed Version**: 2.1.1 **Vector**: - **Bug 1**: When copying content manipulated by a script, such as: ```js document.addEventListener('copy', function(e){ e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>'); e.preventDefault(); }); ``` and pasting into the Trix editor, the script within the content is executed. - **Bug 2**: Similar execution occurs with content structured as: ```js document.write(`copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&l...

An authenticated user could potentially access metadata for a datasource they are not authorized to view by submitting a targeted REST API request. This issue affects Apache Superset before 4.0.0. Users are recommended to upgrade to version 4.0.0, which fixes the issue.

In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, in the [EDC Connector component](https://github.com/eclipse-edc/Connector), an attacker might obtain OAuth2 client secrets from the vault. In Eclipse Dataspace Components from version 0.2.1 to 0.6.2, we have identified a security vulnerability in the EDC Connector component ( https://github.com/eclipse-edc/Connector ) regarding the OAuth2-protected data sink feature. When using a custom, OAuth2-protected data sink, the OAuth2-specific data address properties are resolved by the provider data plane. Problematically, the consumer-provided clientSecretKey, which indicates the OAuth2 client secret to retrieve from a secrets vault, is resolved in the context of the provider's vault, not the consumer. This secret's value is then sent to the tokenUrl, also consumer-controlled, as part of an OAuth2 client credentials grant. The returned access token is then sent as a bearer token to the data sink URL. This feature is now disabled e...

By Deeba Ahmed A massive data leak of 820,000 Dominicans' personal information (including COVID vaccination status) has been leaked online puting individuals at risk of identity theft, scams, and social engineering attacks. This is a post from HackRead.com Read the original post: Hackers Leak COVID-19 Data of 820K Dominicans, Including Vaccination Info

Google on Monday announced that it's simplifying the process of enabling two-factor authentication (2FA) for users with personal and Workspace accounts. Also called, 2-Step Verification (2SV), it aims to add an extra layer of security to users' accounts to prevent takeover attacks in case the passwords are stolen. The new change entails adding a second step method, such as an

By Deeba Ahmed Cuckoo malware targets macOS users, stealing passwords, browsing history, crypto wallet details & more. Disguised as a music converter, it poses a major security risk. Learn how to protect yourself from this sophisticated infostealer. This is a post from HackRead.com Read the original post: Cuckoo Mac Malware Mimics Music Converter to Steals Passwords and Crypto

This week on the Lock and Code podcast, we speak with Dr. Jean Twenge about smartphones, social media, and a teen mental health crisis.

Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target's traffic off of the protection provided by their VPN without triggering any alerts to the user.

# Summary **Local File Inclusion via Path Traversal in LiteStar Static File Serving** A Local File Inclusion (LFI) vulnerability has been discovered in the static file serving component of [LiteStar](https://github.com/litestar-org/litestar). This vulnerability allows attackers to exploit path traversal flaws, enabling unauthorized access to sensitive files outside the designated directories. Such access can lead to the disclosure of sensitive information or potentially compromise the server. ## Details The vulnerability is located in the file path handling mechanism within the static content serving function, specifically at [line 70 in `litestar/static_files/base.py`](https://github.com/litestar-org/litestar/blob/main/litestar/static_files/base.py#L70). The function fails to properly validate the destination file path derived from user input, thereby permitting directory traversal. The critical code segment is as follows: ```python commonpath([str(directory), file_info["name"], j...