Security Headlines

Tag: #git
LockBit Developer Rostislav Panev, a Dual Russian-Israeli Citizen, Arrested

LockBit ransomware gang's takedown is in progress!

HackRead
Our Santa wishlist: Stronger identity security for kids

Children's personal information is leaked by the very institutions trusted to hold it, and such leaks can lead to identity fraud and identity theft.

GHSA-2qgm-m29m-cj2h: uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor

### Summary

An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` protocol. This vulnerability is triggered via the **"real-browser"** request type, which takes a screenshot of the URL provided by the attacker. By supplying local file paths, such as `file:///etc/passwd`, an attacker can read sensitive data from the server.

### Details

The vulnerability arises because the system does not properly validate or sanitize the user input for the URL field. Specifically:

1. The URL input (`<input data-v-5f5c86d7="" id="url" type="url" class="form-control" pattern="https?://.+" required="">`) allows users to input arbitrary file paths, including those using the `file:///` protocol, without server-side validation.
2. The server then uses the user-provided URL to make a request, passing it to a browser instance that performs the "real-browser" request, which takes a screenshot of the content at the given URL....
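The point of the advisory is that the only check on the URL is the HTML `pattern` attribute, which runs in the user's browser and is skipped entirely when the monitor is created by posting to the API. The following is an added example, not uptime-kuma's own code, of the server-side scheme allowlist that closes that gap. It uses the WHATWG `URL` parser built into Node.js; the function names and sample inputs are constructed for illustration.

```javascript
// Added example (not uptime-kuma's code): validate a monitor URL on the
// server before it is handed to a headless browser for a screenshot.
// Only http and https are allowed; everything the browser could otherwise
// render (file:, javascript:, data:, ...) is rejected.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function validateMonitorUrl(input) {
  let parsed;
  try {
    // An absolute URL is required; "example.com" or "/etc/passwd" throw here.
    parsed = new URL(String(input).trim());
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  // The parser normalises the scheme, so "FILE:///etc/passwd" and
  // "file:/etc/passwd" both arrive here with protocol "file:" and are
  // caught by the same allowlist check.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `scheme ${parsed.protocol} is not allowed` };
  }
  // Note: blocking file: stops local file reads. It does not stop the
  // browser from reaching internal http(s) services, which is a separate,
  // SSRF-style risk that needs a host/IP policy of its own.
  return { ok: true, url: parsed.href };
}

// Constructed inputs: the advisory's payload plus common variants.
const SAMPLE_INPUTS = [
  "https://example.com/status",
  "file:///etc/passwd",
  "FILE:///etc/passwd",
  "  file:/etc/passwd",
  "javascript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "example.com",
];

// Returns one { input, ok, reason|url } record per candidate URL.
function classify(inputs = SAMPLE_INPUTS) {
  return inputs.map((u) => ({ input: u, ...validateMonitorUrl(u) }));
}

for (const r of classify()) {
  console.log(r.ok ? "allow " : "reject", JSON.stringify(r.input), r.reason ?? r.url);
}
```

Run the check in the API handler that creates or edits a monitor, before the URL is persisted, so that a monitor saved through any path reaches the browser only with an http(s) scheme.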

GHSA-3q97-vjpp-c8rp: Socialstream has a Potential Account Takeover Vulnerability in Social Account Linking Due to Missing User Consent After OAuth Callback

## Description

When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if `->stateless()` is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure that users explicitly confirm account linking and avoid configurations that skip critical security checks.

## Resolution

Socialstream v6.2 introduces a new custom route that requires a user to "Confirm" or "Deny" a request to link a social account.

How Nation-State Cybercriminals Are Targeting the Enterprise

Combating nation-state threat actors at the enterprise level requires more than just cyber readiness and investment — it calls for a collaborative effort.

Top AI Trends Every Software Development Company Should Follow in 2025

The software development industry is expanding rapidly, driving up demand for technical talent and new solutions.…

GHSA-pr98-23f8-jwxv: QOS.CH logback-core Expression Language Injection vulnerability

An arbitrary code execution (ACE) vulnerability in JaninoEventEvaluator in QOS.CH logback-core, up to and including version 1.5.12, allows attackers to execute arbitrary code in Java applications by compromising an existing logback configuration file or by injecting an environment variable before program execution. A malicious logback configuration file can execute arbitrary code through the JaninoEventEvaluator extension. A successful attack requires the attacker to have write access to a configuration file; alternatively, the attacker can inject a malicious environment variable pointing to a malicious configuration file. In both cases the attack requires existing privilege on the host.

Orgs Scramble to Fix Actively Exploited Bug in Apache Struts 2

A newly discovered vulnerability, CVE-2024-53677, in the aging Apache framework is going to cause major headaches for IT teams, since patching isn't enough to fix it: applications must also migrate to the framework's new file-upload mechanism.

Bridging the 'Keyboard-to-Chair' Gap With Identity Verification

Modern identity verification (IDV) approaches aim to connect digital credentials and real-world identity without sacrificing usability.

Vendors Chase Potential of Non-Human Identity Management

Non-human identities authenticate machine-to-machine communication. The big challenge now is to secure their elements and processes — before attackers can intercept.