#auth

### Impact A vulnerability has been identified in which unauthenticated cross-site scripting (XSS) in Norman's public API endpoint can be exploited. This can lead to an attacker exploiting the vulnerability to trigger JavaScript code and execute commands remotely. The attack vector was identified as a Reflected XSS. Norman API propagates malicious payloads from user input to the UI, which renders the output. For example, a malicious URL gets rendered into a script that is executed on a page. The changes addressed by this fix are: - Encode input that comes from the request URL before adding it to the response. - The request input is escaped by changing the URL construction that is used for links to use `url.URL`. - The request input is escaped by escaping the JavaScript and CSS variables with attribute encoding as defined by [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-rules-summary). ### Patches Patched ver...

### Impact A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature, only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) set to `1 or above` are impacted by this issue. The leaks might be caught in the audit logs upon these actions: - Creating cloud credentials or new authentication providers. It is crucial to note that **all** [authentication providers](https://ranchermanager.docs.rancher.com/pages-for-subheaders/authentication-config#external-vs-local-authentication) (such as AzureAD) and [cloud providers](https://ranchermanager.docs.rancher.com/pages-for-subheaders/set-up-cloud-providers) (such as Google) are impacted. - Downloading a kubeconfig file from a downstream...

In a test at one station, Transport for London used a computer vision system to try and detect crime and weapons, people falling on the tracks, and fare dodgers, documents obtained by WIRED show.

By Waqas Remember, it is LastPass Password Manager, not LassPass Password Manager! This is a post from HackRead.com Read the original post: Fake LastPass Password Manager App Lurks on iOS App Store

By Waqas The cloud database belonging to Credit Union Service was left exposed without any security authentication or passwords, allowing public access. This is a post from HackRead.com Read the original post: US Credit Union Service Leaks Millions of Records and Passwords in Plain Text

KiTTY versions 0.76.1.13 and below suffer from a command injection vulnerability when getting a remote file through scp. It appears to leverage an ANSI escape sequence issue which is quite an interesting vector of attack.

The U.S. government on Wednesday said the Chinese state-sponsored hacking group known as Volt Typhoon had been embedded into some critical infrastructure networks in the country for at least five years. Targets of the threat actor include communications, energy, transportation, and water and wastewater systems sectors in the U.S. and Guam. "Volt Typhoon's choice of targets and pattern

Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.”

Passkeys are here to replace passwords. When they work, it’s a seamless vision of the future. But don’t ditch your old logins just yet.

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.3 ATTENTION: Low attack complexity Vendor: Qolsys, Inc. Equipment: IQ Panel 4, IQ4 Hub Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor 2. RISK EVALUATION Successful exploitation of this vulnerability could allow the panel software, under certain circumstances, to provide unauthorized access to settings. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products from Qolsys, Inc, a subsidiary of Johnson Controls, are affected: Qolsys IQ Panel 4: Versions prior to 4.4.2 Qolsys IQ4 Hub: Versions prior to 4.4.2 3.2 Vulnerability Overview 3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 In Qolsys IQ Panel 4 and IQ4 Hub versions prior to 4.4.2, panel software, under certain circumstances, could allow unauthorized access to settings. CVE-2024-0242 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:H/...