Tag

#web

GHSA-f27p-cmv8-xhm6: fetch: Authorization headers not dropped when redirecting cross-origin

### Summary

When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Deno's `fetch()` redirect handling creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain.

### Details

The [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario. The same is generally applied to `Cookie` and `Proxy-Authorization` headers, and is done for not only host changes, but also protocol/port changes. Generally referred to as "origin".

The [documentation](https://docs.deno.com/runtime/reference/web_platform_apis/#:~:text=Deno%20does%20not%20follow%20the,leaking%20authenticated%20data%20cross%20origin.) states:

> Deno does not follow the same-origin policy, because the Deno user agent currently does not have the concept of origins, and it does not have a cook...

New PhishWP Plugin on Russian Forum Turns Sites into Phishing Pages

SlashNext has discovered a malicious WordPress plugin, PhishWP, which creates convincing fake payment pages to steal your credit card information, 3DS codes, and personal data.

GHSA-2p95-8xvm-2pjx: REDAXO CMS Cross-site Scripting vulnerability

A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter.

GHSA-m78c-qx99-mvw9: Grav Cross-site Scripting vulnerability

A cross-site scripting (XSS) vulnerability in Grav v1.7.45 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

FireScam Android Spyware Campaign Poses 'Significant Threat Worldwide'

A fake Telegram Premium app delivers information-stealing malware, in a prime example of the rising threat of adversaries leveraging everyday applications, researchers say.

EagerBee Backdoor Takes Flight Against Mideast ISPs, Government Targets

The malware, operated by China-backed cyberattackers, has been significantly fortified with new evasive and post-infection capabilities.

Terraform Labs Founder Do Kwon Extradited to US, Faces 130-Year Sentence

SUMMARY: Do Hyeong Kwon (Do Kwon), the 33-year-old co-founder and former CEO of Terraform Labs, has been extradited…

Some weeks in security (December 16 – January 5)

A list of topics we covered in the weeks of December 16 to January 5 of 2025.

New FireScam Infostealer Spyware Hits Android via Fake Telegram Premium

Researchers at Cyfirma have discovered FireScam, an Android malware disguised as 'Telegram Premium' that steals data, monitors activity, and infiltrates devices. Learn about its distribution, functionality, and the impact on user privacy.

Legacy App Migration: Transforming Outdated Systems

Businesses are perpetually under pressure to innovate in a fast-paced digital era. But legacy applications, written with outdated…