Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-fmg4-x8pw-hjhg: Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. ## Impact The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. ## Proof of Concept The code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities. ## Potential Solution Here is a potential solution to ensure the CORS configuration is secure: ```go func New(config ...Config) fiber.Handler { if cfg.AllowCredentials && cfg.AllowOrigins == "*" { panic("[CORS] Insecure setup, ...

ghsa
#vulnerability#web#js#git#java#auth
UOB, Samsung Back Singapore’s Startale Labs in $7 Million Web3 Push

By Owais Sultan Startale Labs, the developer behind Japan’s leading Web3 products like Astar Network and Startale Web3 Cloud, has secured… This is a post from HackRead.com Read the original post: UOB, Samsung Back Singapore’s Startale Labs in $7 Million Web3 Push

GHSA-pcm8-qqrp-w6qf: Enhavo Cross-site Scripting vulnerability

A cross-site scripting (XSS) vulnerability in the Header module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title text field.

GHSA-38m8-5gfc-663g: Enhavo Cross-site Scripting vulnerability

A cross-site scripting (XSS) vulnerability in the New/Edit Article module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Create Tag text field.

GHSA-c579-hhw5-cr3p: Enhavo Cross-site Scripting vulnerability

A cross-site scripting (XSS) vulnerability in the Header module of Enhavo CMS v0.13.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Undertitle text field.

QNAP QTS / QuTS Hero Unauthenticated Remote Code Execution

There exists an unauthenticated command injection vulnerability in the QNAP operating system known as QTS and QuTS hero. QTS is a core part of the firmware for numerous QNAP entry and mid-level Network Attached Storage (NAS) devices, and QuTS hero is a core part of the firmware for numerous QNAP high-end and enterprise NAS devices. The vulnerable endpoint is the quick.cgi component, exposed by the device's web based administration feature. The quick.cgi component is present in an uninitialized QNAP NAS device. This component is intended to be used during either manual or cloud based provisioning of a QNAP NAS device. Once a device has been successfully initialized, the quick.cgi component is disabled on the system. An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command injection, allowing the attacker to execute arbitrary commands on the device.

Bluzelle’s Curium App Makes Crypto Earning Effortless

By Uzair Amir Meet Curium by Bluzelle, a new Miner Pool app. This is a post from HackRead.com Read the original post: Bluzelle’s Curium App Makes Crypto Earning Effortless

New Leak Shows Business Side of China’s APT Menace

A new data leak that appears to have come from one of China's top private cybersecurity firms provides a rare glimpse into the commercial side of China's many state-sponsored hacking groups. Experts say the leak illustrates how Chinese government agencies increasingly are contracting out foreign espionage campaigns to the nation's burgeoning and highly competitive cybersecurity industry.

TinyTurla-NG in-depth tooling and command and control analysis

Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.