#auth

Flatboard version 3.2 suffers from a persistent cross site scripting vulnerability.

Carbon Forum version 5.9.0 suffers from access control, cross site request forgery, file upload, outdated library, and remote SQL injection vulnerabilities.

Student Attendance Management System version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

Red Hat Security Advisory 2024-4051-03 - An update for pki-core is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a bypass vulnerability.

Red Hat Security Advisory 2024-4050-03 - An update for libreswan is now available for Red Hat Enterprise Linux 9.

Paradox IP150 Internet Module version 1.40.00 suffers from a cross site request forgery vulnerability.

Red Hat Enterprise Linux 9.4 introduces the ability for centrally managed users to authenticate through passwordless authentication with a passkey, meaning it's an enterprise Linux distribution with Fast Identity Online 2 (FIDO2) authentication for centrally managed users! This is all built on the Identity Management solution already in Red Hat Enterprise Linux, but enhances product security by enabling passwordless, Multi-Factor Authentication (MFA), and Single Sign-On (SSO).What is Passkey?A passkey is a FIDO2 compatible device that can be used for user authentication. FIDO2 is an open authe

A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust. "The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes," cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month. "

Plus: Alleged Apple source code leaks online, cybercrime group Scattered Spider's alleged kingpin gets arrested, and more.

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login and redirected again upon authentication with the payload automatically executing. If the attacked user has admin privileges, this vulnerability could be used as the start of a chain of exploits like Zip Slip or arbitrary file write vulnerabilities in the admin functionality. **Notes:** 1) This is only exploitable if the attacker knows the name or path of the admin directory. The name of the directory is "admin" by default but there is a pop-up in the dashboard warning users to rename it. 2) The fix for this vulnerability is incomplete. The redirect is removed so that it is not possible for an attacker to control the redirect post admin login anymore, but it is still possible to e...