Security
Headlines
HeadlinesLatestCVEs

Tag

#git

FTC Slams TikTok With Lawsuit After Continued COPPA Violations

Though TikTok is expected to adhere to certain COPPA-outlined measures, the social media giant has failed to meet those expectations, the Feds allege.

DARKReading
Open in Source
#web#git#auth
China's Evasive Panda Attacks ISP to Send Malicious Software Updates

The APT used DNS poisoning to install the Macma backdoor on targeted networks and then deliver malware to steal data via post-exploitation activity.

GHSA-hf66-xfgj-42g8: Microweber Cross Site Scripting (XSS) vulnerability

Microweber 2.0.16 was discovered to contain a Cross Site Scripting (XSS) vulnerability via userfiles\modules\tags\add_tagging_tagged.php.

GHSA-6vjm-54vp-mxhx: Juju's unprivileged user running on charm node can leak any secret or relation data accessible to the local charm

An issue was discovered in Juju that resulted in the leak of the sensitive context ID, which allows a local unprivileged attacker to access other sensitive data or relation accessible to the local charm. A potential exploit where a user can run a bash loop attempting to execute hook tools. If running while another hook is executing, we log an error with the context ID, making it possible for the user to then use that ID in a following call successfully. This means an unprivileged user can access anything available via a hook tool such as config, relation data and secrets.

Linux DRM drm_file_update_pid() Race Condition / Use-After-Free

Linux DRM has drm_file_update_pid() call to get_pid() too late, which creates a race condition that can lead to use-after-free issue of a struct pid.

Devika 1 Path Traversal

Devika version 1 suffers from a path traversal vulnerability.

GHSA-3wfj-3x8q-hrpg: Kubean vulnerable to cluster-level privilege escalation

### Impact This ClusterRole has `*` verbs of `*` resources. If a malicious user can access the worker node which has kubean's deployment, he/she can abuse these excessive permissions to do whatever he/she likes to the whole cluster, resulting in a cluster-level privilege escalation. ### Patches `>=v0.18.0` ### References Reporting by @younaman(Nanzi Yang) https://github.com/kubean-io/kubean/issues/1326

GHSA-qv35-3gw6-8q4j: In regclient, pinned manifest digests may be ignored

### Impact A malicious registry could return a different digest for a pinned manifest without detection. ### Patches This has been fixed in the v0.7.1 release. ### Workarounds After running a `regclient.ManifestGet`, the returned digest can be compared to the requested digest.

GHSA-w9pg-7c3h-fc8j: ipl/web's `ipl\Web\Common\CsrfCounterMeasure` is susceptible to CSRF

### Impact Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery. (CSRF) Affected products: * Icinga Web (>=2.12.0) * Icinga DB Web (>=1.0.0) * Icinga Notifications Web (>=0.1.0) * Icinga Web JIRA Integration (>=1.3.0) All affected products, in any version, will be unaffected by this once `icinga-php-library` is upgraded. ### Patches Version 0.10.1 will include a fix for this. It will be published as part of the `icinga-php-library` v0.14.1 release.

Protect Data Differently for a Different World

Adopting a military mindset toward cybersecurity means the industry moves beyond the current network protection strategies and toward a data-centric security approach.