#web

Malwarebytes researchers have discovered a prolific campaign of fraudulent energy ads shown to users via Google searches.

By Owais Sultan February 15, 2024 – Nexo, the leading institution for digital assets, announced a partnership with Sift, the Leader… This is a post from HackRead.com Read the original post: Nexo Teams Up with Sift for Enhanced Digital Security and User Experience

### Impact When you send a request with the `Authorization` header to one domain, and the response asks to redirect to a different domain, Scrapy’s built-in redirect middleware creates a follow-up redirect request that keeps the original `Authorization` header, leaking its content to that second domain. The [right behavior](https://fetch.spec.whatwg.org/#ref-for-cors-non-wildcard-request-header-name) would be to drop the `Authorization` header instead, in this scenario. ### Patches Upgrade to Scrapy 2.11.1. If you are using Scrapy 1.8 or a lower version, and upgrading to Scrapy 2.11.1 is not an option, you may upgrade to Scrapy 1.8.4 instead. ### Workarounds If you cannot upgrade, make sure that you are not using the `Authentication` header, either directly or through some third-party plugin. If you need to use that header in some requests, add `"dont_redirect": True` to the `request.meta` dictionary of those requests to disable following redirects for them. If you need to kee...

The 44CON 2024 Call For Papers has been announced. 44CON is the UK's largest combined annual Security Conference and Training event. The event takes place September 18th through the 20th, 2024 at the Novotel London West near Hammersmith, London.

Metabase version 0.46.6 pre-authentication remote code execution exploit.

By Deeba Ahmed This is the first instance of an iOS trojan that has been found stealing facial data from victims. This is a post from HackRead.com Read the original post: New iOS Trojan “GoldPickaxe” Steals Facial Recognition Data

This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).  View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Exploitable from adjacent network/low attack complexity Vendor: Siemens Equipment: SIMATIC, OpenPCS Vulnerabilities: NULL Pointer Dereference 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to cause a persistent denial-of-service condition in the RPC Server of these products. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products of Siemens, are affected: OpenPCS 7 V9.1: All versions SIMATIC BATCH V9.1: All versions SIMATIC PCS 7 V9.1: All versions SIMATIC Route Control V9.1: All versions SIMATIC WinCC Runtime Professional V18: All versions SIMATIC WinCC Runtime Profes...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).  View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SINEC NMS Vulnerabilities: Out-of-bounds Read, Inadequate Encryption Strength, Double Free, Use After Free, NULL Pointer Dereference, Improper Input Validation, Missing Encryption of Sensitive Data, Allocation of Resources Without Limits or Throttling, Improper Authentication, Inefficient Regular Expression Complexity, Excessive Iteration, HTTP Request/Response Smuggling, Injection, Path Traversal, Race Condition, Improper Certificate Validation, Off-by-one Error, Missing Authorization, Use of Insufficiently Random Values, Buffer Underflow, Incorrect Per...

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).  View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low Attack Complexity Vendor: Siemens Equipment: Parasolid Vulnerabilities: Out-of-bounds Read, NULL Pointer Dereference 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to leverage the vulnerability to perform remote code execution in the context of the current process. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following products of Siemens are affected: Parasolid V35.0: all versions prior to V35.0.263 Parasolid V35.0: all versions prior to V35.0.251 Parasolid V35.1: all versions prior to V35.1.252 Parasolid V35.1: all versions prior to V35.1.170 Parasolid V36.0: all version...