Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

Urgent: Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

RedHat on Friday released an "urgent security alert" warning that two versions of a popular data compression library called XZ Utils (previously LZMA Utils) have been backdoored with malicious code designed to allow unauthorized remote access. The software supply chain compromise, tracked as CVE-2024-3094, has a CVSS score of 10.0, indicating maximum severity. It impacts XZ Utils

The Hacker News
Open in Source
#linux#backdoor#auth#The Hacker News
GHSA-35w3-6qhc-474v: @workos-inc/authkit-nextjs session replay vulnerability

### Impact A user can reuse an expired session by controlling the `x-workos-session` header. ### Patches Patched in https://github.com/workos/authkit-nextjs/releases/tag/v0.4.2

TheMoon Malware Returns: 6,000 Asus Routers Hacked in 72 Hours

By Waqas A new variant of "TheMoon Malware" has emerged, specifically targeting vulnerable IoT devices, particularly Asus routers. This is a post from HackRead.com Read the original post: TheMoon Malware Returns: 6,000 Asus Routers Hacked in 72 Hours

GHSA-cj3c-5xpm-cx94: Kimai API returns timesheet entries a user should not be authorized to view

### Summary The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. ### Details When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. Example: There are projects P1 and P2, Teams T1 and T2, users U1 and U2 and Timesheet entries E1 and E2. U1 is team leader of team T1 and has access to P1. U2 is in Team T2 and has access to both P1 and P2. U2 creates E1 for P1 and E2 for P2. In the UI, U1 with `view _other_timesheet` perms sees E1 as he is a part of T1 that has access to P1. In the API, however, he has access to E1 **and E2**. Additionally, if U1 is not a team leader T1, he does not see any timesheet from a user other than himself in the UI, but still all timesheets...

WatchGuard XTM Firebox Unauthenticated Remote Command Execution

This Metasploit module exploits a buffer overflow at the administration interface (8080 or 4117) of WatchGuard Firebox and XTM appliances which is built from a cherrypy python backend sending XML-RPC requests to a C binary called wgagent using pre-authentication endpoint /agent/login. This vulnerability impacts Fireware OS before 12.7.2_U2, 12.x before 12.1.3_U8, and 12.2.x through 12.5.x before 12.5.9_U2. Successful exploitation results in remote code execution as user nobody.

Soholaunch 4.9.4 r44 Shell Upload

Soholaunch version 4.9.4 r44 suffers from a remote shell upload vulnerability.

FoF Pretty Mail 1.1.2 Local File Inclusion

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a local file inclusion vulnerability.

FoF Pretty Mail 1.1.2 Server-Side Template Injection

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a server-side template injection vulnerability.

FoF Pretty Mail 1.1.2 Command Injection

The FoF Pretty Mail extension version 1.1.2 for Flarum suffers from a command injection vulnerability.

Intel PowerGadget 3.6 Local Privilege Escalation

Intel PowerGadget version 3.6 suffers from a local privilege escalation vulnerability.