#js

Red Hat Security Advisory 2024-6000-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.10.

Red Hat Security Advisory 2024-5999-03 - An update for the postgresql is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-5982-03 - An update for linux-firmware is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support. Issues addressed include a bypass vulnerability.

Attackers are increasingly using new phishing toolkits (open-source, commercial, and criminal) to execute adversary-in-the-middle (AitM) attacks. AitM enables attackers to not just harvest credentials but steal live sessions, allowing them to bypass traditional phishing prevention controls such as MFA, EDR, and email content filtering. In this article, we’re going to look at what AitM phishing

Red Hat Security Advisory 2024-5930-03 - An update for bind is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Security Advisory 2024-5929-03 - An update for the postgresql:16 module is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-5908-03 - An update for bind is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

Red Hat Security Advisory 2024-5907-03 - An update for bind and bind-dyndb-ldap is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

Red Hat Security Advisory 2024-5906-03 - An update for squid is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include denial of service and out of bounds write vulnerabilities.

### Impact Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request. When chained with [CVE-2024-6533](https://github.com/directus/directus/security/advisories/GHSA-9qrm-48qf-r2rw), it could result in account takeover. This vulnerability occurs because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request. ### PoC To exploit this vulnerability, we need to do the follow steps using a non-administrative, default role attacker account. 1. Create a preset for a collection. Store the preset id, or use it if it already exists from `GET /presets`. The following example will use the direct_users preset. ```bash TARGET_HOST="http://localhost:8055" ATTACKER_EMAIL="[email protected]" ATTACKER_PASSWORD="123456" root_dir=$(...