Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials. Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of

The Hacker News
Open in Source
#xss#vulnerability#web#microsoft#java#The Hacker News
Hackers Use Fake ESET Emails to Target Israeli Firms with Wiper Malware

Hackers impersonate ESET in phishing attacks targeting Israeli organizations. Malicious emails, claiming to be from ESET, deliver wiper…

Acronym Overdose – Navigating the Complex Data Security Landscape

In the modern enterprise, data security is often discussed using a complex lexicon of acronyms—DLP, DDR, DSPM, and many others. While these acronyms represent critical frameworks, architectures, and tools for protecting sensitive information, they can also overwhelm those trying to piece together an effective security strategy. This article aims to demystify some of the most important acronyms

GHSA-c7qv-q95q-8v27: Denial of service in http-proxy-middleware

Versions of the package http-proxy-middleware before 2.0.7, from 3.0.0 and before 3.0.3 are vulnerable to Denial of Service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. An attacker could kill the Node.js process and crash the server by making requests to certain paths.

The Disinformation Warning Coming From the Edge of Europe

Moldova is facing a tide of disinformation unprecedented in complexity and aggression, the head of a new center meant to combat it tells WIRED. And platforms like Facebook, TikTok, Telegram and YouTube could do more.

MacOS Safari 'HM Surf' Exploit Exposes Camera, Mic, Browser Data

Microsoft researchers toyed with app permissions to uncover CVE-2024-44133, using it to access sensitive user data. Adware merchants may have as well.

GHSA-7vfh-cqpc-4267: Security Update for the OPC UA .NET Standard Stack

This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an unauthorized attacker to trigger a gradual degradation in performance.

GHSA-qm9f-c3v9-wphv: Security Update for the OPC UA .NET Standard Stack

This security update resolves a vulnerability in the OPC UA .NET Standard Stack that enables an unauthorized attacker to trigger a rapid increase in memory consumption.

Time to Get Strict With DMARC

Adoption of the email authentication and policy specification remains low, and only about a tenth of DMARC-enabled domains enforce policies. Everyone is waiting for major email providers to get strict.

GHSA-p5wf-cmr4-xrwr: Permissive Regular Expression in tacquito

### Impact The CVE is for a software vulnerability. Network admins who have deployed tacquito (or versions of tacquito) in their production environments and use tacquito to perform command authorization for network devices should be impacted. Tacquito code prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was performing regex matches on authorized commands and arguments in a more permissive than intended manner. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. This behaviour could potentially allowed unauthorized commands to be executed. ### Patches The problem has been patched, and users should update to the latest github repo commit to get the patch. ### Workarounds Users should be able to add boundary conditions anchors '^' and '$' to their command configs to remediate the vulnerability without the upgrade