GHSA-hgxv-3497-3hhj: Duplicate Advisory: @fastify/oauth2 OAuth2 state parameter reuse

## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-g8x5-p9qc-cf95. This link is maintained to preserve external references.

## Original Description

All versions of @fastify/oauth2 used a statically generated state parameter created at startup time and reused across all requests for all users. The purpose of the OAuth2 state parameter is to prevent Cross-Site Request Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that allows the server to validate it.

v7.2.0 changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set. The state is now generated for every user by default. Note that this contains a breaking change in the checkStateFunction function, which now accepts the full Request object.

Teen among suspects arrested in Android banking malware scheme

By Waqas, HackRead.com. The arrests took place in Singapore over complaints from unsuspecting victims.

CVE-2023-3503: Shopping Website (E-Commerce) insert-product.php has a file upload (RCE) vulnerability (Turbo51/CveHubList)

A vulnerability has been found in SourceCodester Shopping Website 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file insert-product.php. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-232951.

Ubuntu Security Notice USN-6198-1

Ubuntu Security Notice 6198-1 - It was discovered that GNU Screen was not properly checking user identifiers before sending certain signals to target processes. If GNU Screen was installed as setuid or setgid, a local attacker could possibly use this issue to cause a denial of service on a target application.

D-Link DAP-1325 Insecure Direct Object Reference

D-Link DAP-1325 suffers from an insecure direct object reference vulnerability.

Authors Sue OpenAI: ChatGPT’s Training Methods Challenged in Lawsuit

By Habiba Rashid, HackRead.com. Another day, another lawsuit against the developers of the groundbreaking AI chatbot ChatGPT.

POS Codekop 2.0 Shell Upload

POS Codekop version 2.0 suffers from a remote shell upload vulnerability.

CVE-2023-3133: Tutor LMS – eLearning and online course solution

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

Fake reviewers face big fines

The FTC's new proposed rule would apply large fines to those found distributing fake reviews online. (Malwarebytes Labs)

Elderly targeted in car accident scam, kingpin arrested

The head of a criminal network responsible for defrauding hundreds of elderly people has been arrested, Europol has announced. (Malwarebytes Labs)