#web

A recent investigation by cybersecurity researchers at Oasis Security has revealed a data overreach in how Microsoft’s OneDrive…

### Summary This vulnerability is similar to CVE-2018-14732. When running a Next.js server locally (e.g. through `npm run dev`), the WebSocket server is vulnerable to the Cross-site WebSocket hijacking (CSWSH) attack. and a bad actor can access the source code of client components, if a user was to visit a malicious link while having the Next.js dev server running. ### Impact If a user is running a Next.js server locally (e.g. `npm run dev`), and they were to browse to a malicious website, the malicious website may be able to access the source code of the Next.js app. This vulnerability only affects applications making use of App Router. _Note: App Router was experimental requiring_ `experimental.appDir = true` _in versions_ `>=13.0.0` to `<13.4`.

Researchers at Oasis Security say the problem has to do with OneDrive File Picker having overly broad permissions.

### Impact * Some source-builds may be impacted by a CWE-1395 (eg. vulnerable `setuptools` dependency). * Multicast prior to v2.0.9a3 on systems with minimal dependancies installed may use `setuptools <78.1.1` and thus rely on a compromised dependency. In some cases there is a chance that source-builds would fail due to an exploit of the closely related CVE-2025-47273, or become arbitrarily modified. ### Patches * Pre-release version v2.0.9a0 and later resolve the issue by bumping requirements to `setuptools>=80.4` * Pre-release version v2.0.9a3 and later are recommended for improved stability over v2.0.9a0 ### Workarounds * Further hardening in v2.0.9a4+ of the build process in CI builds allowing source builds to be verified via GH attestations. ### References * [GHSA-5rjg-fvgr-3xxf](https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf) * pypa/setuptools#4946 ### Fixes * https://github.com/reactive-firewall/multicast/blob/c5c7c7de272421d944beca845287...

Authorities in Pakistan have arrested 21 individuals accused of operating "Heartsender," a once popular spam and malware dissemination service that operated for more than a decade. The main clientele for HeartSender were organized crime groups that tried to trick victim companies into making payments to a third party, and its alleged proprietors were publicly identified by KrebsOnSecurity in 2021 after they inadvertently infected their computers with malware.

A man is facing a $450,000 AU fine after he published deepfake images of prominent Australian women on the now-defunct MrDeepfakes...

A man is facing a $450,000 AU fine after he published deepfake images of prominent Australian women on the now-defunct MrDeepfakes web site.

### Summary This advisory addresses an Open Redirection vulnerability in Mautic's user unlocking endpoint. This vulnerability could be exploited by an attacker to redirect legitimate users to malicious websites, potentially leading to phishing attacks or the delivery of exploit kits. Open Redirection via `returnUrl` Parameter: An Open Redirection vulnerability exists in the `/s/action/unlock/user.user/0` endpoint. The `returnUrl` parameter, intended for post-action redirection, is not properly validated. This allows an attacker to craft a URL that, when clicked by a user, redirects them to an arbitrary external website controlled by the attacker. ### Mitigation Update Mautic to a version that properly validates or sanitizes the `returnUrl` parameter to ensure that redirects only occur to trusted, internal URLs or explicitly whitelisted domains.

### Summary This advisory addresses a security vulnerability in Mautic where sensitive `.env` configuration files may be directly accessible via a web browser. This exposure could lead to the disclosure of sensitive information, including database credentials, API keys, and other critical system configurations. Sensitive Information Disclosure via `.env` File Exposure: The `.env` file, which typically contains environment variables and sensitive application configurations, is directly accessible via a web browser due to missing web server configurations that restrict access to such files. This allows an unauthenticated attacker to view the contents of this file by simply navigating to its URL. ### Mitigation Update Mautic to the latest Mautic version. By default, Mautic does not use `.env` files for production data. **For Apache users:** Ensure your web server is configured to respect `.htaccess` files. **For Nginx users:** As Nginx does not inherently support `.htaccess` files, y...

Mandiant Threat Defense uncovers a campaign where Vietnam-based group UNC6032 tricks users with malicious social media ads for…