#web

Red Hat Security Advisory 2024-6878-03 - New Red Hat Single Sign-On 7.6.11 packages are now available for Red Hat Enterprise Linux 7. Issues addressed include a privilege escalation vulnerability.

### Impact One longstanding feature of Plate is the ability to add custom DOM attributes to any element or leaf using the `attributes` property. These attributes are passed to the node component using the `nodeProps` prop. Note: The `attributes` prop that is typically rendered alongside `nodeProps` is unrelated. ```ts [{ type: 'p', attributes: { 'data-my-attribute': 'This will be rendered on the paragraph element' }, children: [{ bold: true, attributes: { 'data-my-attribute': 'This will be rendered on the bold leaf element' }, text: 'Bold text', }], }] ``` ```tsx const ParagraphElement = ({ attributes, nodeProps, children }) => ( <p {...attributes} {...nodeProps} // Arbitrary DOM attributes are injected here > {children} </p> ); const BoldLeaf = ({ attributes, nodeProps, children }) => ( <strong {...attributes} {...nodeProps} // Arbitrary DOM attributes are injected here > {children} </strong> ); ``` It has come to our attent...

### Impact Clients could clobber values set by intermediate proxies (such as X-Forwarded-For) by providing a underscore version of the same header (X-Forwarded_For). Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP (non-SSL) or redirect responses, which could cause confidentiality leaks if combined with a separate MITM attack. ### Patches v6.4.3/v5.6.9 now discards any headers using underscores if the non-underscore version also exists. Effectively, allowing the proxy defined headers to always win. ### Workarounds Nginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers) configuration variable to discard these headers at the proxy level. Any users that are implicitly trusting the proxy defined headers for security or availability should immediately cease doing so until upgraded to the fixed versions.

The lack of abundant data on AI-enabled attacks in official reports shouldn't prevent us from preparing for and mitigating potential future threats.

Law enforcement authorities have announced the takedown of an international criminal network that leveraged a phishing platform to unlock stolen or lost mobile phones. The phishing-as-a-service (PhaaS) platform, called iServer, is estimated to have claimed more than 483,000 victims globally, led by Chile (77,000), Colombia (70,000), Ecuador (42,000), Peru (41,500), Spain (30,000), and Argentina

An Iranian advanced persistent threat (APT) threat actor likely affiliated with the Ministry of Intelligence and Security (MOIS) is now acting as an initial access facilitator that provides remote access to target networks. Google-owned Mandiant is tracking the activity cluster under the moniker UNC1860, which it said shares similarities with intrusion sets tracked by Microsoft, Cisco Talos, and

Google on Thursday unveiled a Password Manager PIN to let Chrome web users sync their passkeys across Windows, macOS, Linux, ChromeOS, and Android devices. "This PIN adds an additional layer of security to ensure your passkeys are end-to-end encrypted and can't be accessed by anyone, not even Google," Chrome product manager Chirag Desai said. The PIN is a six-digit code by default, although it's

German law enforcement agencies have managed to de-anonymize Tor users after putting surveillance on Tor servers for months.