Security
Headlines
GHSA-2237-5r9w-vm8j: Connect-CMS information that is restricted to viewing is visible

### Impact

- Information that is restricted from viewing in the search results of site searches can still be viewed via the main text (a feature added in v1.8.0).
- Impact by version:
  - v1.8.0 ~ v1.8.3: It will be displayed in the text.
  - v1.8.0 and earlier: It will not be displayed in the body of the text, but the title (frame name) will be displayed with a link.
- Affected viewing restriction functions:
  - Frame publishing function (private, limited publishing)
  - IP restriction page
  - Password setting page

### Patches (fixed version)

- Apply v1.8.4.

### Workarounds

- Remove the site search (e.g. hide frames).

### References

None

GHSA-5rjc-jc28-cwgg: Connect-CMS Access control vulnerability

### Impact

There is an access control vulnerability in the management system of Connect-CMS.

Affected versions: Connect-CMS v1.8.6, v2.4.6 and earlier

### Patches (fixed versions)

v1.8.7, v2.4.7

### Workarounds

Upgrade Connect-CMS to the latest version.

LLM Hijackers Quickly Incorporate DeepSeek API Keys

The secret use of other people's generative AI platforms, wherein hijackers gain unauthorized access to an LLM while someone else foots the bill, is getting quicker and stealthier by the month.

Microsoft: Thousands of Public ASP.NET Keys Allow Web Server RCE

Developers are pulling in publicly available ASP.NET keys into their environments, without realizing that cyberattackers can use them for clandestine code injection.

Google's DMARC Push Pays Off, but Email Security Challenges Remain

A year after Google and Yahoo started requiring DMARC, the adoption rate of the email authentication specification has doubled; and yet, 87% of domains remain unprotected.

20 Million OpenAI accounts offered for sale

A cybercriminal calling themselves emirking is offering 20 million OpenAI accounts for sale on a Dark Web forum.

ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC

The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated WebSocket implementation that allows an attacker to execute the tcpdump command. This command captures network traffic and filters it on serial ports 4855 and 4851, which are relevant to the device's services. The vulnerability can be exploited in a loop to start multiple instances of tcpdump, leading to resource exhaustion, denial of service (DoS) conditions, and potential data exfiltration. The lack of authentication on the WebSocket interface allows unauthorized users to continuously spawn new tcpdump processes, amplifying the attack's impact.

ABB Cylon FLXeon 9.3.4 (runtimeSetup.sh) Hidden Backdoor Account

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.

S. Korea’s Notorious Sex Crime Hub Ya-moon Hacked, User Data Leaked

Ya-moon, S. Korea’s notorious sex crime hub operating since 1990, hacked; user data leaked, exposing CSAM, exploitation, and illicit activities.

7AI Streamlines Security Operations With Autonomous AI Agents

Cybereason co-founders launch their second act with a security startup focused on offering a platform that uses agentic AI to offload repetitive tasks commonly performed by security analysts.