#web

### Summary Nuxt allows any websites to send any requests to the development server and read the response due to default CORS settings. ### Details While Vite patched the default CORS settings to fix https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6, nuxt uses its own CORS handler by default (https://github.com/nuxt/nuxt/pull/23995). https://github.com/nuxt/nuxt/blob/7d345c71462d90187fd09c96c7692f306c90def5/packages/vite/src/client.ts#L257-L263 That CORS handler sets `Access-Control-Allow-Origin: *`. > [!IMPORTANT] > If on an affected version, it may be possible to opt-out of the default Nuxt CORS handler by configuring `vite.server.cors`. ### PoC 1. Start a dev server in any nuxt project using Vite by `nuxt dev`. 2. Send a fetch request to `http://localhost:3000/_nuxt/app.vue` (`fetch('http://localhost:3000/_nuxt/app.vue')`) from a different origin page. ### Impact Users with the default server.cors option using Vite builder may get the source code stolen ...

The Open Web Application Security Project has recently introduced a new Top 10 project - the Non-Human Identity (NHI) Top 10. For years, OWASP has provided security professionals and developers with essential guidance and actionable frameworks through its Top 10 projects, including the widely used API and Web Application security lists.  Non-human identity security represents an emerging

Relative Path Traversal vulnerability in Apache Solr. Solr instances running on Windows are vulnerable to arbitrary filepath write-access, due to a lack of input-sanitation in the "configset upload" API.  Commonly known as a "zipslip", maliciously constructed ZIP files can use relative filepaths to write data to unanticipated parts of the filesystem.   This issue affects Apache Solr: from 6.6 through 9.7.0. Users are recommended to upgrade to version 9.8.0, which fixes the issue.  Users unable to upgrade may also safely prevent the issue by using Solr's "Rule-Based Authentication Plugin" to restrict access to the configset upload API, so that it can only be accessed by a trusted set of administrators/users.

Cybersecurity researchers discovered 270,000+ lines of American National Insurance customer data leaked online, potentially linked to the 2023…

Plus: A hacker finds an issue with Cloudflare’s systems that could reveal app users’ rough locations, and the Trump administration puts a wrench in a key cybersecurity investigation.

A departmentwide initiative has now led to five major law enforcement actions, in an attempt to curb the increasingly common trend of North Korean hackers posing as IT job applicants.

Third-party API security requires a tailored approach for different scenarios. Learn how to adapt your security strategy to outbound data flows, inbound traffic, and SaaS-to-SaaS interconnections.

US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to…

Crooks pwning crooks – Hackers exploit script kiddies with XWorm RAT, compromising 18,000+ devices globally and stealing sensitive…