Security
Headlines
HeadlinesLatestCVEs

Tag

#google

GHSA-v8wj-f5c7-pvxf: Strapi allows Server-Side Request Forgery in Webhook function

## Description In Strapi latest version, at function Settings -> Webhooks, the application allows us to input a URL in order to create a Webook connection. However, we can input into this field the local domains such as `localhost`, `127.0.0.1`, `0.0.0.0`,.... in order to make the Application fetching into the internal itself, which causes the vulnerability `Server - Side Request Forgery (SSRF)`. ## Payloads - `http://127.0.0.1:80` -> `The Port is not open` - `http://127.0.0.1:1337` -> `The Port which Strapi is running on` ## Steps to Reproduce - First of all, let's input the URL `http://127.0.0.1:80` into the `URL` field, and click "Save". ![CleanShot 2024-06-04 at 22 45 17@2x](https://github.com/strapi/strapi/assets/71650574/7336b817-cb61-41e6-9b3f-87151d8667e9) - Next, use the "Trigger" function and use Burp Suite to capture the request / response ![CleanShot 2024-06-04 at 22 47 50@2x](https://github.com/strapi/strapi/assets/71650574/659f1bbe-6b03-456c-a9c2-5187fca20dd6) ...

ghsa
#vulnerability#web#mac#google#git#ssrf
Why Quiet Expertise No Longer Wins Cybersecurity Clients

There’s a graveyard of brilliant cybersecurity companies that no one has ever heard of. These firms had incredible…

The Privacy-Friendly Tech to Replace Your US-Based Email, Browser, and Search

Thanks to drastic policy changes in the US and Big Tech’s embrace of the second Trump administration, many people are moving their digital lives abroad. Here are a few options to get you started.

Employees Searching Payroll Portals on Google Tricked Into Sending Paychecks to Hackers

Threat hunters have exposed a novel campaign that makes use of search engine optimization (SEO) poisoning techniques to target employee mobile devices and facilitate payroll fraud. The activity, first detected by ReliaQuest in May 2025 targeting an unnamed customer in the manufacturing sector, is characterized by the use of fake login pages to access the employee payroll portal and redirect

The US Is Building a One-Stop Shop for Buying Your Data

Plus: A mysterious hacking group’s secret client is exposed, Signal takes a swipe at Microsoft Recall, Russian hackers target security cameras to spy on aid to Ukraine, and more.

Operation Endgame Takes Down DanaBot Malware, Neutralizes 300 Servers

Operation Endgame takes down DanaBot malware network; 300 servers neutralized, €21.2M in crypto seized, 16 charged, 20 international warrants.

Chrome 0-Day CVE-2025-4664 Exposes Windows, Linux Browser Activity

A Chrome zero-day bug, CVE-2025-4664, exposes login tokens on Windows and Linux. Google has issued a fix, users should update immediately.

Oops: DanaBot Malware Devs Infected Their Own PCs

The U.S. government today unsealed criminal charges against 16 individuals accused of operating and selling DanaBot, a prolific strain of information-stealing malware that has been sold on Russian cybercrime forums since 2018. The FBI says a newer version of DanaBot was used for espionage, and that many of the defendants exposed their real-life identities after accidentally infecting their own systems with the malware.

Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials

The trove has now been taken down but included users’ logins for platforms including Apple, Google, and Meta, plus services from multiple governments.

New updates for Red Hat Enterprise Linux on confidential virtual machines

The new major release of Red Hat Enterprise Linux (RHEL) brings a number of important improvements in the confidential computing domain. This article covers the most important features available now in both RHEL 10 and RHEL 9.6: Full support for RHEL Unified Kernel Image (UKI), including FIPS and kdump supportIntel Trusted Domain Extension (TDX) guestsTrustee attestation clientFull support for RHEL Unified Kernel Image (UKI)First introduced in RHEL9.2 as a Technology Preview, UKI for RHEL is a UEFI Portable Executable (PE) binary containing the Linux kernel, initramfs, and kernel command line.