Tag
#web
Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.
SUMMARY A sophisticated attack campaign has compromised at least 16 Chrome browser extensions, exposing over 600,000 users to…
In what's being called a "major cybersecurity incident," Beijing-backed adversaries broke into cyber vendor BeyondTrust to access the US Department of the Treasury workstations and steal unclassified data, according to a letter sent to lawmakers.
We consider `as_slice` and `as_slice_mut` unsound because: the pointer with any bit patterns could be cast to the slice of arbitrary types. The pointer could be created by unsafe new and deprecated `from_parts`. We consider that `from_parts` should be removed in latest version because it will help trigger unsoundness in `as_slice`. With new declared as unsafe, `as_slice` should also declared as unsafe. This was patched in by marking two functions as `unsafe`.
## Summary An **open redirect vulnerability** has been identified in the **verify email endpoint** of Better Auth, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. ## Affected Versions - All versions prior to **v1.1.6**. ## Impact Attackers could craft malicious email verification links that exploit the redirect functionality to send users to untrusted domains. This can result in: - **Phishing attacks** – Users may unknowingly enter sensitive information on fake login pages. - **Reputation damage** – Trust issues for applications using Better Auth. ## Vulnerability Details The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An at...
TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user's allowed folders list that has been defined by an admin.
TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.
TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.
The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated shell command execution vulnerability through the deployStart.php script. This allows any user to trigger the execution of 'rundeploy.sh' script, which initializes the Java deployment server that sets various configurations, potentially causing unauthorized server initialization and performance issues.