
Tag

#web

ConnectWise ScreenConnect 23.9.7 Unauthenticated Remote Code Execution

This Metasploit module exploits an authentication bypass vulnerability that allows an unauthenticated attacker to create a new administrator user account on a vulnerable ConnectWise ScreenConnect server. The attacker can leverage this to achieve remote code execution by uploading a malicious extension module. ScreenConnect versions 23.9.7 and below are affected.

Packet Storm
#vulnerability #web #windows #microsoft #ubuntu #linux #js #git #rce #auth #ssl

Red Hat Security Advisory 2024-0952-03

Red Hat Security Advisory 2024-0952-03 - An update for firefox is now available for Red Hat Enterprise Linux 9. Issues addressed include a spoofing vulnerability.

Deepfake Threat: $2 Deceptive Content Undermines Election Integrity

By Deeba Ahmed. In 2024, over 60 countries worldwide are holding elections. The most significant threat to the integrity of these elections? Deepfake videos, readily accessible on the dark web and Telegram, with prices ranging from as low as $2 to $100. This is a post from HackRead.com.

GHSA-ccgv-vj62-xf9h: Spring Web vulnerable to Open Redirect or Server Side Request Forgery

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing validation checks.

FTC Slams Avast with $16.5 Million Fine for Selling Users' Browsing Data

The U.S. Federal Trade Commission (FTC) has hit antivirus vendor Avast with a $16.5 million fine over charges that the firm sold users' browsing data to advertisers after claiming its products would block online tracking. In addition, the company has been banned from selling or licensing any web browsing data for advertising purposes. It will also have to notify users whose browsing data was

GHSA-rc4p-p3j9-6577: pypqc private key retrieval vulnerability

### Impact

An attacker able to submit many ciphertexts against a single private key, and to get responses in real-time, could recover the private key. This vulnerability has been named KyberSlash.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C

### Patches

Version 0.0.6.1 and newer of PyPQC is patched.

### Workarounds

No workarounds have been reported. The 0.0.6 -> 0.0.6.1 upgrade should be a drop-in replacement; it has no known breaking changes.

### References

1. This was partially patched ("KyberSlash 1") in the reference implementation by Peter Schwabe on December 1st, 2023. https://www.github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220
2. This was reported as a security vulnerability by Daniel J. Bernstein on December 15th, 2023. https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hWqFJCucuj4/m/-Z-jm_k9AAAJ
3. A webpage was stood up for authoritative reference about this by Daniel J. Bernstein on December 19th, 2023. htt...

GHSA-fmg4-x8pw-hjhg: Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.

## Impact

The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references.

## Proof of Concept

The code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities.

## Potential Solution

Here is a potential solution to ensure the CORS configuration is secure:

```go
func New(config ...Config) fiber.Handler {
    if cfg.AllowCredentials && cfg.AllowOrigins == "*" {
        panic("[CORS] Insecure setup, ...
```

AT&T Outage Disrupts Service for Millions of Users Across US

By Waqas. You are not alone, an AT&T outage is happening across the United States, and the company is working… This is a post from HackRead.com.

Apple Shortcuts Vulnerability Exposes Sensitive Data, Update Now!

By Waqas. Another day, another Apple Security Vulnerability! This is a post from HackRead.com.