Tag
#auth
This post was authored by Kalpesh Mantri. Cisco Talos is actively tracking a recent increase in activity from malicious email campaigns containing a suspicious Microsoft Excel attachment that, when opened, infected the victim's system with the DarkGate malware. These campaigns, active since the second week of
HyperCycle enhances AI safety and efficiency with cryptographic proofs and peer-to-peer nodes. HyperShare supports decentralized governance and income…
A WIRED investigation, based on more than 22 million flight coordinates, reveals the complicated truth about the first full-blown police drone program in the US—and why your city could be next.
Wyoming’s secretary of state has proposed ways of “preventing fraud and abuse of corporate filings by commercial registered agents” in the aftermath of the scheme’s exposure.
Zyxel has released security updates to address critical flaws impacting two of its network-attached storage (NAS) devices that have currently reached end-of-life (EoL) status. Successful exploitation of three of the five vulnerabilities could permit an unauthenticated attacker to execute operating system (OS) commands and arbitrary code on affected installations. Impacted models include NAS326
These scammers are persistent and want your billing information to extort money from you.
### Describe the Bug

Providing a non-numeric length value to the random string generation utility will create a memory issue breaking the capability to generate random strings platform wide. This creates a denial of service situation where logged-in sessions can no longer be refreshed, as sessions depend on the capability to generate a random session ID.

### To Reproduce

1. Test if the endpoint is working and accessible: `GET http://localhost:8055/utils/random/string`
2. Do a bad request: `GET http://localhost:8055/utils/random/string?length=foo`
3. After this, all calls to `GET http://localhost:8055/utils/random/string` will return an empty string instead of a random string.
4. In this error situation you'll see authentication refreshes fail for the app and API.

### Impact

This counts as an unauthenticated denial of service attack vector, so it impacts all unpatched instances reachable over the internet.
### Summary

Exposure of HTTP basic auth credentials from repository and keyring URLs in log output

### Details

There were a handful of instances where the `apko` tool was outputting error messages and log entries in which HTTP basic authentication credentials were exposed, for one of two reasons:

1. The `%s` verb was used to format a `url.URL` as a string, which includes un-redacted HTTP basic authentication credentials if they are included in the URL.
2. A string URL value (such as from the configuration YAML file supplied to an apko execution) was never parsed as a URL, so there was no chance of redacting credentials in the logical flow.

apko, as well as its companion library `go-apk`, have been updated to ensure URLs are parsed and redacted before being output as string values.

### PoC

Create a config file like this `apko.yaml`:

```yaml
contents:
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub
  repositories:
    - https://me%40example.com:supersecretpass...
```
Failing to properly encode user input, the CSS styled content component is susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript.
Progress Software has rolled out updates to address a critical security flaw impacting the Telerik Report Server that could be potentially exploited by a remote attacker to bypass authentication and create rogue administrator users. The issue, tracked as CVE-2024-4358, carries a CVSS score of 9.8 out of a maximum of 10.0. "In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or