Security
Headlines
HeadlinesLatestCVEs

Tag

#web

U.S. Army Soldier Arrested in AT&T, Verizon Extortions

Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea.

Krebs on Security
#web#ddos#dos#pdf#botnet#auth#blog
16 Chrome Extensions Hacked in Large-Scale Credential Theft Scheme

SUMMARY A sophisticated attack campaign has compromised at least 16 Chrome browser extensions, exposing over 600,000 users to…

Chinese State Hackers Breach US Treasury Department

In what's being called a "major cybersecurity incident," Beijing-backed adversaries broke into cyber vendor BeyondTrust to access the US Department of the Treasury workstations and steal unclassified data, according to a letter sent to lawmakers.

GHSA-gv7f-5qqh-vxfx: xous has unsound usages of `core::slice::from_raw_parts`

We consider `as_slice` and `as_slice_mut` unsound because: the pointer with any bit patterns could be cast to the slice of arbitrary types. The pointer could be created by unsafe new and deprecated `from_parts`. We consider that `from_parts` should be removed in latest version because it will help trigger unsoundness in `as_slice`. With new declared as unsafe, `as_slice` should also declared as unsafe. This was patched in by marking two functions as `unsafe`.

GHSA-8jhw-6pjj-8723: Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint

## Summary An **open redirect vulnerability** has been identified in the **verify email endpoint** of Better Auth, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. ## Affected Versions - All versions prior to **v1.1.6**. ## Impact Attackers could craft malicious email verification links that exploit the redirect functionality to send users to untrusted domains. This can result in: - **Phishing attacks** – Users may unknowingly enter sensitive information on fake login pages. - **Reputation damage** – Trust issues for applications using Better Auth. ## Vulnerability Details The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An at...

GHSA-2697-96mv-3gfm: TeamPass does not properly check whether a folder is in a user's allowed folders list

TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user's allowed folders list that has been defined by an admin.

GHSA-7rm3-4w6j-8xx4: TeamPass mail_me operation authorization issue

TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.

GHSA-9wmc-988h-2mv2: TeamPass privileges issue

TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.

ABB Cylon Aspect 3.08.02 (deployStart.php) Unauthenticated Command Execution

The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated shell command execution vulnerability through the deployStart.php script. This allows any user to trigger the execution of 'rundeploy.sh' script, which initializes the Java deployment server that sets various configurations, potentially causing unauthorized server initialization and performance issues.