Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-3787-6prv-h9w3: Undici proxy-authorization header not cleared on cross-origin redirect in fetch

### Impact Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. ### Patches This is patched in v5.28.3 and v6.6.1 ### Workarounds There are no known workarounds. ### References - https://fetch.spec.whatwg.org/#authentication-entries - https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

ghsa
Open in Source
#nodejs#js#git#auth
Microsoft Exchange vulnerability actively exploited

One of Microsoft's Patch Tuesday fixes has flipped from "Likely to be Exploited" to “Exploitation Detected”.

U.S. State Government Network Breached via Former Employee's Account

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed state government organization's network environment was compromised via an administrator account belonging to a former employee. "This allowed the threat actor to successfully authenticate to an internal virtual private network (VPN) access point," the agency said in a joint advisory published

Elon Musk’s X Gave Check Marks to Terrorist Group Leaders, Report Says

A new report cited 28 “verified” accounts on X that appear to be tied to sanctioned groups or individuals.

Why the toothbrush DDoS story fooled us all

There was about a 24-hour period where many news outlets reported on a reported DDoS attack that involved a botnet made up of thousands of internet-connected toothbrushes.

Massive utility scam campaign spreads via online ads

Malwarebytes researchers have discovered a prolific campaign of fraudulent energy ads shown to users via Google searches.

GHSA-cw9j-q3vf-hrrv: Scrapy authorization header leakage on cross-domain redirect

### Impact When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain. The [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario. ### Patches Upgrade to Scrapy 2.11.1. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead. ### Workarounds If you cannot upgrade, make sure that you are not using the `Authentication` header, either directly or through some third-party plugin. If you need to use that header in some requests, add `"dont_redirect": True` to the `request.meta` dictionary of those requests to disable following redirects for them. If you need to kee...

Metabase 0.46.6 Remote Code Execution

Metabase version 0.46.6 pre-authentication remote code execution exploit.

DS Wireless Communication Code Execution

Proof of concept code for a flaw in DS Wireless Communication (DWC) with DWC_VERSION_3 and DWC_VERSION_11 that allows remote attackers to execute arbitrary code on a game-playing client's machine via a modified GPCM message.

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

The Russia-linked threat actor known as Turla has been observed using a new backdoor called TinyTurla-NG as part of a three-month-long campaign targeting Polish non-governmental organizations in December 2023. "TinyTurla-NG, just like TinyTurla, is a small 'last chance' backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been