#git

The authentication service of the extension does not verify the OpenID Connect authentication state from the user lookup chain. Instead, the authentication service authenticates every valid frontend user from the user lookup chain, where the frontend user field “tx_oidc” is not empty. In scenarios, where either ext:felogin is active or where `$GLOBALS['TYPO3_CONF_VARS'][‘FE’][‘checkFeUserPid’]` is disabled, an attacker can login to OpenID Connect frontend user accounts by providing a valid username and any password.

By Cyber Newswire Washington, DC, United States, April 2nd, 2024, CyberNewsWire Authentic8, provider of the leading OSINT research platform Silo for… This is a post from HackRead.com Read the original post: Authentic8 launches Silo Shield program to protect high-risk communities in partnership with CISA

Cross Site Scripting vulnerability in CA17 TeamsACS v.1.0.1 allows a remote attacker to execute arbitrary code via a crafted script to the errmsg parameter.

An attacker can cause its peer to run out of memory sending a large number of NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is supposed to respond to each retirement frame with a RETIRE_CONNECTION_ID frame. The attacker can prevent the receiver from sending out (the vast majority of) these RETIRE_CONNECTION_ID frames by collapsing the peers congestion window (by selectively acknowledging received packets) and by manipulating the peer's RTT estimate. I published a more detailed description of the attack and its mitigation in this blog post: https://seemann.io/posts/2024-03-19-exploiting-quics-connection-id-management/. I also presented this attack in the IETF QUIC working group session at IETF 119: https://youtu.be/JqXtYcZAtIA?si=nJ31QKLBSTRXY35U&t=3683 There's no way to mitigate this attack, please update quic-go to a version that contains the fix.

By Uzair Amir Clearpool launches Credit Vaults on Avalanche, offering an on-chain credit solution with real-world asset backing, marking a significant step in bridging traditional finance and DeFi through partnerships with firms like Banxa. This is a post from HackRead.com Read the original post: Clearpool Expands to Avalanche with Listed Fintech Firm Launching First Credit Vault

By Waqas Indian authorities rescue hundreds trafficked for cybercrime in Cambodia. Victims lured by false jobs, forced to work in… This is a post from HackRead.com Read the original post: Hundreds of Indians Rescued from Cambodian Cybercrime Gangs

While there are many legitimate uses for this software, adversaries are also finding ways to use them for command and control in their campaigns.

A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.

Improper Privilege Management in uvdesk/community-skeleton

Common Good Cyber is a global consortium connecting nonprofit, private sector, and government organizations to fund organizations focused on securing Internet infrastructure.