#git

Information newly made available under California law has shed light on data broker practices, including exactly what categories of information they trade in.

### Impact ZITADEL uses a cookie to identify the user agent (browser) and its user sessions. Although the cookie was handled according to best practices, it was accessible on subdomains of the ZITADEL instance. An attacker could take advantage of this and provide a malicious link hosted on the subdomain to the user to gain access to the victim’s account in certain scenarios. A possible victim would need to login through the malicious link for this exploit to work. If the possible victim already had the cookie present, the attack would not succeed. The attack would further only be possible if there was an initial vulnerability on the subdomain. This could either be the attacker being able to control DNS or a XSS vulnerability in an application hosted on a subdomain. ### Patches 2.x versions are fixed on >= [2.46.0](https://github.com/zitadel/zitadel/releases/tag/v2.46.0) 2.45.x versions are fixed on >= [2.45.1](https://github.com/zitadel/zitadel/releases/tag/v2.45.1) 2.44.x versio...

Borrowing from the playbook of ransomware purveyors, the darknet narcotics bazaar Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transaction and chat records of users who refuse to pay a fee ranging from $100 to $20,000. The bold mass extortion attempt comes just days after Incognito Market administrators reportedly pulled an "exit scam" that left users unable to withdraw millions of dollars worth of funds from the platform.

Numbas versions prior to 7.3 suffer from a remote code execution vulnerability.

RUPPEINVOICE version 1.0 suffers from a remote SQL injection vulnerability.

Akaunting versions 3.1.3 and below suffer from a remote command execution vulnerability.

By Deeba Ahmed Midnight Blizzard (aka Cozy Bear and APT29) originally breached Microsoft on January 12, 2024. This is a post from HackRead.com Read the original post: Russian Midnight Blizzard Hackers Breached Microsoft Source Code

By Waqas That new Dropbox email landing in your inbox might be part of a phishing or malspam attack! This is a post from HackRead.com Read the original post: Dropbox Abused in New Phishing, Malspam Scam to Steal SaaS Logins

Content creators are using copyright laws to get nonconsensual deepfakes removed from the web. With the complaints covering nearly 30,000 URLs, experts say Google should do more to help.

1Panel is vulnerable to command injection. This vulnerability has been classified as critical, has been found in 1Panel up to 1.10.1-lts. Affected by this issue is the function baseApi.UpdateDeviceSwap of the file /api/v1/toolbox/device/update/swap. The manipulation of the argument Path with the input 123123123\nopen -a Calculator leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-256304.