Security
Headlines

Tag: #ios

GHSA-cc6x-8cc7-9953: OctoPrint has API key access in settings without reauthentication

### Impact
OctoPrint versions up to and including 1.10.2 contain a vulnerability that allows an attacker who has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve, recreate or delete the user's API key, or, if the victim has admin permissions, the global API key, without having to reauthenticate by re-entering the account password. A hijacked session alone is therefore enough to take over a long-lived credential. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows that depend on an API key they deleted.
### Patches
The vulnerability will be patched in version 1.10.3.
### Credits
This vulnerability was discovered and responsibly disclosed to OctoPrint by Jacopo Tediosi.

ghsa
#vulnerability #ios #auth
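The fix class the advisory describes is a reauthentication gate: operations on an API key must be preceded by a fresh password confirmation, so that an attacker holding only the session cookie cannot read, rotate or delete the key. The following is an added example of such a gate, written for this page and not OctoPrint's own code; the user store, the `Session` object, the 300-second confirmation window and the PBKDF2 parameters are assumptions made for the demonstration. Time is passed in explicitly so the window can be exercised deterministically.

```python
import hashlib
import hmac
import os

# Added example, not OctoPrint's implementation. A password confirmation stays
# valid for this many seconds before sensitive actions demand it again (assumed).
REAUTH_WINDOW_SECONDS = 300
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class User:
    def __init__(self, name, password, admin=False):
        self.name = name
        self.admin = admin
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.api_key = None

    def verify_password(self, candidate):
        return hmac.compare_digest(hash_password(candidate, self.salt), self.pw_hash)


class Session:
    """Server-side state for one browser session. An attacker who steals the
    session cookie controls this object but does not know the password."""
    def __init__(self, user):
        self.user = user
        self.reauth_at = None  # time of the last successful password confirmation


class ReauthRequired(Exception):
    pass


def reauthenticate(session, password, now):
    """Confirm the password for the session's user; on success, open the window."""
    if not session.user.verify_password(password):
        return False
    session.reauth_at = now
    return True


def require_recent_reauth(session, now):
    if session.reauth_at is None or now - session.reauth_at > REAUTH_WINDOW_SECONDS:
        raise ReauthRequired("confirm your password before managing API keys")


def regenerate_api_key_vulnerable(session):
    """Behaviour the advisory describes for <= 1.10.2: the session alone suffices."""
    session.user.api_key = os.urandom(16).hex()
    return session.user.api_key


def reveal_api_key(session, now):
    require_recent_reauth(session, now)
    return session.user.api_key


def regenerate_api_key(session, now):
    require_recent_reauth(session, now)
    session.user.api_key = os.urandom(16).hex()
    return session.user.api_key


def delete_api_key(session, now):
    require_recent_reauth(session, now)
    session.user.api_key = None


def blocked_by_reauth(action, *args):
    """True if the action is refused by the reauthentication gate."""
    try:
        action(*args)
    except ReauthRequired:
        return True
    return False


def demo_reauth():
    alice = User("alice", "correct horse battery staple")
    alice.api_key = "0123456789abcdef"  # constructed placeholder key
    hijacked = Session(alice)  # attacker holds the cookie only
    r = {}
    # Vulnerable path: the key is rotated with no password prompt at all.
    r["vulnerable_rotates_key"] = regenerate_api_key_vulnerable(hijacked) != "0123456789abcdef"
    # Gated path: every key operation is refused until the password is confirmed.
    r["reveal_blocked"] = blocked_by_reauth(reveal_api_key, hijacked, 1000)
    r["delete_blocked"] = blocked_by_reauth(delete_api_key, hijacked, 1000)
    r["wrong_password_rejected"] = not reauthenticate(hijacked, "guess", 1000)
    r["still_blocked_after_bad_guess"] = blocked_by_reauth(regenerate_api_key, hijacked, 1001)
    reauthenticate(hijacked, "correct horse battery staple", 1000)
    r["allowed_inside_window"] = reveal_api_key(hijacked, 1100) == alice.api_key
    r["blocked_after_window"] = blocked_by_reauth(
        reveal_api_key, hijacked, 1000 + REAUTH_WINDOW_SECONDS + 1)
    return r
```

The window is stored server-side, next to the session, never in a client-controlled field; a short window limits how long a session stolen immediately after a legitimate confirmation remains useful.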
GHSA-xvxq-g8hw-fx4g: OctoPrint Vulnerable to Reflected XSS in Jinja2 Templates

### Impact
OctoPrint versions up to and including 1.10.2 are vulnerable to reflected XSS through its Jinja2 template system, which is not configured to enforce automatic escaping. This affects, among other places, the login dialog and the standalone application key confirmation dialog. An attacker who talks a victim into clicking a specially crafted link, or who redirects a victim to one through a malicious third-party app, could use this to retrieve or modify sensitive configuration settings, interrupt prints or otherwise interact with the OctoPrint instance in a malicious way.
### Patches
The specific vulnerabilities in the login dialog and the standalone application key confirmation dialog will be patched in the bugfix release 1.10.3 by individually escaping the detected locations. A global change throughout all of OctoPrint's templating system with the upcoming 1.11.0 release will handle this further, switching to glob...
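The two patch strategies the advisory names, escaping individual locations with a filter versus enabling autoescape for the whole environment, are easy to compare directly in Jinja2. The block below is an added example written for this page, not OctoPrint's template code: the `<input>` fragment reflecting a `redirect` parameter is a constructed stand-in for a login or confirmation dialog, and the payload is constructed too. It also includes a small template audit that walks the Jinja2 AST and reports `{{ ... }}` outputs with no escape filter, the check you would run over a code base that still has autoescape off.

```python
from jinja2 import Environment, nodes
from markupsafe import Markup

# Constructed template fragment (not OctoPrint's) reflecting a request
# parameter into an attribute; the parameter name "redirect" is assumed.
TEMPLATE_UNESCAPED = '<input type="hidden" name="redirect" value="{{ redirect }}">'
# 1.10.3-style fix: escape the single reflected location with the |e filter.
TEMPLATE_LOCAL_FIX = '<input type="hidden" name="redirect" value="{{ redirect|e }}">'

# Constructed payload: closes the attribute and injects script.
PAYLOAD = '"><script>fetch("/api/settings")</script>'


def render(template_source, autoescape, **context):
    """Render with an explicit autoescape policy (vulnerable when False)."""
    env = Environment(autoescape=autoescape)
    return env.from_string(template_source).render(**context)


def unescaped_outputs(template_source):
    """Audit a template for {{ ... }} expressions not passed through an
    escape filter. Only meaningful when the environment has autoescape off;
    with autoescape on, every output is escaped unless marked safe."""
    env = Environment(autoescape=False)
    findings = []
    for output in env.parse(template_source).find_all(nodes.Output):
        for child in output.nodes:
            if isinstance(child, nodes.TemplateData):
                continue  # literal markup written by the template author
            if isinstance(child, nodes.Filter) and child.name in ("e", "escape"):
                continue  # explicitly escaped
            findings.append((child.lineno, type(child).__name__))
    return findings


def demo_autoescape():
    r = {}
    vulnerable = render(TEMPLATE_UNESCAPED, False, redirect=PAYLOAD)
    r["payload_reflected_raw"] = "<script>" in vulnerable
    local_fix = render(TEMPLATE_LOCAL_FIX, False, redirect=PAYLOAD)
    r["local_fix_escapes"] = "<script>" not in local_fix and "&lt;script&gt;" in local_fix
    global_fix = render(TEMPLATE_UNESCAPED, True, redirect=PAYLOAD)
    r["global_fix_escapes"] = "<script>" not in global_fix and "&lt;script&gt;" in global_fix
    # Under global autoescape, markup the application itself trusts has to be
    # marked explicitly (Markup / |safe), otherwise it is escaped as well.
    trusted = render(TEMPLATE_UNESCAPED, True, redirect=Markup("&amp;"))
    r["markup_passes_through"] = trusted.endswith('value="&amp;">')
    r["audit_flags_unescaped"] = len(unescaped_outputs(TEMPLATE_UNESCAPED)) == 1
    r["audit_clears_local_fix"] = unescaped_outputs(TEMPLATE_LOCAL_FIX) == []
    return r
```

The per-location filter only protects the spots someone found; the environment-wide switch protects every output by default, at the cost of having to review each place that deliberately emits HTML and mark it safe, which is the migration work a global change like the one planned for 1.11.0 entails.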

How to Win at Cyber by Influencing People

Zero trust is a mature approach that will improve your organization's security.

Dark Reading Confidential: Quantum Has Landed, So Now What?

Episode #4: NIST's new post-quantum cryptography standards are here, so what comes next? This episode of Dark Reading Confidential digs into the world of quantum computing from a cybersecurity practitioner's point of view — with guests Matthew McFadden, vice president, Cyber, General Dynamics Information Technology (GDIT) and Thomas Scanlon, professor, Heinz College, Carnegie Mellon University.

Scammers Use DocuSign API to Evade Spam Filters with Phishing Invoices

Scammers are exploiting DocuSign's APIs to send realistic fake invoices, many of them impersonating security software such as Norton. This phishing…

A week in security (October 28 – November 3)

A list of topics we covered in the week of October 28 to November 3 of 2024

NAKIVO Backup for MSP: Best Backup Solution for MSPs

Explore the features of the NAKIVO MSP backup solution. Choose the best MSP backup software to protect client…

Critical Auth Bugs Expose Smart Factory Gear to Cyberattack

Factory automation software from Mitsubishi Electric and Rockwell Automation could be subject to remote code execution (RCE), denial-of-service (DoS), and more.

EMERALDWHALE Steals 15,000+ Cloud Credentials, Stores Data in S3 Bucket

Operation EMERALDWHALE compromised over 15,000 cloud credentials by exploiting exposed Git and Laravel configuration files. Attackers use compromised S3 buckets…

Developer Velocity & Security: Can You Get Out of the Way in Time?

When a CISO can articulate risk in context to the business as a whole, development teams can better prioritize their activities.