Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Meet the Hired Guns Who Make Sure School Cyberattacks Stay Hidden

An investigation into more than 300 cyberattacks against US K–12 schools over the past five years shows how schools can withhold crucial details from students and parents whose data was stolen.

Wired
#web#mac#google#git#intel#acer#auth
ABB Cylon FLXeon 9.3.4 (cert.js) Authenticated Root Remote Code Execution

The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root code execution via the /api/cert endpoint. An attacker with valid credentials can inject arbitrary system commands by manipulating the affected parameters. The issue arises due to improper input validation in cert.js, where user-supplied data is executed via ChildProcess.exec() without adequate sanitization.

GHSA-qwp8-x4ff-5h87: ZX Allows Environment Variable Injection for dotenv API

### Impact This vulnerability is an **Environment Variable Injection** issue in `dotenv.stringify`, affecting `google/zx` version **8.3.1**. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to **arbitrary command execution** or **unexpected behavior** in applications that rely on environment variables for security-sensitive operations. Applications that process untrusted input and pass it through `dotenv.stringify` are particularly vulnerable. ### Patches This issue has been **patched** in version **8.3.2**. Users should **immediately upgrade** to this version to mitigate the vulnerability. ### Workarounds If upgrading is not feasible, users can mitigate the vulnerability by **sanitizing user-controlled environment variable values** before passing them to `dotenv.stringify`. Specifically, avoid using `"`, `'`, and backticks in values, or enforce strict validation of environment variables before u...

'Constitutional Classifiers' Technique Mitigates GenAI Jailbreaks

Anthropic says its Constitutional Classifiers approach offers a practical way to make it harder for bad actors to try and coerce an AI model off its guardrails.

Your Health Information Was Compromised. Now What? 

The healthcare industry has become increasingly reliant on technology to enhance patient care, from advanced image-guided surgery to…

GHSA-2ccp-vqmv-4r4x: S3Proxy allows insecure path traversal in filesystem and filesystem-nio2 storage backends

### Impact Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to authenticated clients. ### Patches Upgrade to S3Proxy 2.6.0 which includes apache/jclouds@b0819e0ef5e08c792a4d1724b938714ce9503aa3 and 86b6ee4749aa163a78e7898efc063617ed171980. ### Workarounds None ### References Privately reported by XBOW Team @xbow-security.

GHSA-g9wf-5777-gq43: Django-Unicorn Class Pollution Vulnerability, Leading to XSS, DoS and Authentication Bypass

# Summary Django-Unicorn is vulnerable to python class pollution vulnerability, a new type of vulnerability categorized under [CWE-915](https://cwe.mitre.org/data/definitions/915.html). The vulnerability arises from the core functionality `set_property_value`, which can be remotely triggered by users by crafting appropriate component requests and feeding in values of second and third parameter to the vulnerable function, leading to arbitrary changes to the python runtime status. With this finding, so far we've found at least five ways of vulnerability exploitation, stably resulting in Cross-Site Scripting (XSS), Denial of Service (DoS), and Authentication Bypass attacks in almost every Django-Unicorn-based application. # Analysis of Vulnerable Function By taking a look at the vulnerable function `set_property_value` located at: `django_unicorn/views/action_parsers/utils.py`. You can observe the functionality is responsible for modifying a property value of an object. The propert...

1-Click Phishing Campaign Targets High-Profile X Accounts

In an attack vector that's been used before, threat actors aim to commit crypto fraud by hijacking highly followed users, thus reaching a broad audience of secondary victims.