Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Fed 'Cyber Trust' Label: Good Intentions That Fall Short

The voluntary program is intended to boost consumer confidence in vulnerable IoT devices, but experts want to see vendors held to a higher standard.

DARKReading
Open in Source
#vulnerability#auth
GHSA-6gf2-ffq8-gcww: GHSL-2024-288: SickChill open redirect in login

SickChill is an automatic video library manager for TV shows. A user-controlled `login` endpoint's `next_` parameter takes arbitrary content. Prior to commit c7128a8946c3701df95c285810eb75b2de18bf82, an authenticated attacker may use this to redirect the user to arbitrary destinations, leading to open redirect. Commit c7128a8946c3701df95c285810eb75b2de18bf82 changes the login page to redirect to `settings.DEFAULT_PAGE` instead of to the `next` parameter.

About Remote Code Execution – Apache Struts (CVE-2024-53677) vulnerability

About Remote Code Execution – Apache Struts (CVE-2024-53677) vulnerability. Apache Struts is an open source software framework for building Java web applications. It allows developers to separate the application’s business logic from the user interface. Due to its scalability and flexibility, Apache Struts is often used in large enterprise projects. A security bulletin describing the […]

Green Bay Packers' Online Pro Shop Sacked by Payment Skimmer

Cyberattackers injected the NFL Wild Card team's online Pro Shop with malicious code to steal credit card data from 8,500 fans.

GHSA-j3f9-p6hm-5w6q: Carbon has an arbitrary file include via unvalidated input passed to Carbon::setLocale

### Impact Application passing unsanitized user input to `Carbon::setLocale` are at risk of arbitrary file include, if the application allows users to upload files with `.php` extension in an folder that allows `include` or `require` to read it, then they are at risk of arbitrary code ran on their servers. ### Patches - [3.8.4](https://github.com/briannesbitt/Carbon/releases/tag/3.8.4) - [2.72.6](https://github.com/briannesbitt/Carbon/releases/tag/2.72.6) ### Workarounds Any of the below actions can be taken to prevent the issue: - Validate input before calling `setLocale()`, for instance by forbidding or removing `/` and `\` - Call `setLocale()` only with a locale from a whitelist of supported locales - When uploading files, rename them so they cannot have a `.php` extension (this is recommended even if you're not affected by this issue) - Prefer storage system that are not local to the application (remote service, or local service ran by another user so the uploaded files actually ...

GHSA-cjgq-5qmw-rcj6: keras Path Traversal vulnerability

An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function.

New Docuseries Spotlights Hackers Who Shaped Cybersecurity

"Where Warlocks Stay Up Late" project speaks to hackers who have played pivotal roles in shaping the field of cybersecurity. The video interviews are complemented by an encyclopedia and an anthropological map.

Best Practices & Risks Considerations in LCNC and RPA Automation

Low-code/no-code (LCNC) and robotic process automation (RPA) technologies allow companies to speed up development processes and reduce costs, but security is often overlooked. When this happens, the risks can outweigh the benefits.

Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks

A Mirai botnet variant has been found exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the goal of conducting distributed denial-of-service (DDoS) attacks. The botnet maintains approximately 15,000 daily active IP addresses, with the infections primarily scattered across China, Iran, Russia, Turkey, and the United States.