#web

### Impact Umbraco have an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice, before the vulnerability is exposed. ### Affected Version \>= 8.18.5, >= 10.5.0, >= 12.0.0, >= 13.0.0 ### Patches 8.18.14, 10.8.6, 12.3.10, 13.3.1

By Waqas Memcyco Inc., a provider of digital trust technology designed to protect companies and their customers from digital impersonation… This is a post from HackRead.com Read the original post: Memcyco Report: Just 6% of Brands Guard Against Digital Impersonation Fraud

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: LCDS - Leão Consultoria e Desenvolvimento de Sistemas Ltda ME Equipment: LAquis SCADA Vulnerabilities: Path Traversal 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to read and write files outside of their own directory. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of LAquis SCADA, an HMI program, are affected: LAquis SCADA: Versions 4.7.1.7 and prior 3.2 Vulnerability Overview 3.2.1 Path Traversal CWE-22 There are multiple ways in LAquis SCADA for an attacker to access locations outside of their own directory. CVE-2024-5040 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). A CVSS v4 score has also been calculated for CVE-2024-5040. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H...

By Deeba Ahmed Check Point researchers have detailed a new Iranian state-sponsored hacker group called Void Manticore, partnering with Scarred Manticore, another threat group based in Iran's Ministry of Intelligence and Security. This is a post from HackRead.com Read the original post: Iranian State Hackers Partner Up for Large-Scale Attacks, Report

A WIRED investigation found thousands of Eventbrite posts selling escort services and drugs like Xanax and oxycodone—some of which the company’s algorithm recommended alongside addiction recovery events.

The Kentik Collection is now Red Hat Ansible Certified Content, and is available on Ansible automation hub. The highlight of this is Event-Driven Ansible, an event source plugin from Kentik to accept alert notification JSON. This works in conjunction with Event-Driven Ansible Rulebooks to allow users to automate changes to their environment.Event-Driven Ansible offers a scalable and adaptable automation solution that integrates with monitoring tools from various software vendors. These tools oversee IT infrastructures, detecting events and automatically executing predefined changes or response

The PHP file view/about.php is vulnerable to an XSS issue due to no sanitization of the user agent. At line [53], the website gets the user-agent from the headers through $_SERVER['HTTP_USER_AGENT'] and echo it without any sanitization. In PHP, echo a user generated statement, here the User-Agent Header, without any sanitization allows an attacker to inject malicious scripts into the output of a web page, which are then executed in the browser of anyone viewing that page.

By Deeba Ahmed Multiple independent hacktivist groups are targeting India's elections with influence campaigns, Resecurity reports. The campaigns are designed to sway voters' opinions and undermine trust in the democratic process. Learn more about the tactics being used and how to protect yourself from disinformation. This is a post from HackRead.com Read the original post: Hacktivist Groups Target Indian Elections, Leak Personal Data, Says Report

### Description An administrator can craft a user with a malicious first name and last name, using a payload such as ``` <svg onload="confirm(document.domain)">'); ?></svg> ``` The user will then receive the invitation email and click on the setup link. The setup start page served by the server will fire the XSS. ### Impact of issue An administrator could use this exploit to edit the setup start page for a given user, for example, trick the user into installing another extension. Even though the severity of this issue in itself is high, the likelihood is low because the exploit will be visible in clear by the user in the email notification, and also requires an action from a malicious administrator. ### Fix Sanitize the firstname and lastname in the page that is used to trigger the extension setup process. Additionally since v2.11 some default CSP are inserted in the server response headers to prevent inline-scripts or 3rd party domain scripts on pages served by the passbolt API. Th...

This week on Lock and Code, we talk about what people lose when they let AI services make choices for dinners, reservations, and even dating.