#web

Django REST Framework SimpleJWT versions 5.3.1 and below suffer from an information disclosure vulnerability.

The U.S. government is warning that smart locks securing entry to an estimated 50,000 dwellings nationwide contain hard-coded credentials that can be used to remotely open any of the locks. The lock's maker Chirp Systems remains unresponsive, even though it was first notified about the critical weakness in March 2021. Meanwhile, Chirp's parent company, RealPage, Inc., is being sued by multiple U.S. states for allegedly colluding with landlords to illegally raise rents.

A Russian-language cyberattack campaign impersonates legitimate game operations to spread various cross-platform infostealers.

By Waqas Firebird RAT, also known as Hive, crippled in an international sting operation. The FBI and AFP arrested the developer and marketer of this malicious remote access trojan. This is a post from HackRead.com Read the original post: FBI and AFP Arrest Alleged Developer, Marketer of Firebird/Hive RAT

By Owais Sultan Boost user engagement and SEO ranking with these key web development practices for media sites. Discover responsive design, page speed optimization, user-friendly CMS, SEO structure, and accessibility best practices. This is a post from HackRead.com Read the original post: Best Practices for Optimizing Web Development Standards for Media Sites

Plus: Apple warns iPhone users about spyware attacks, CISA issues an emergency directive about a Microsoft breach, and a ransomware hacker tangles with an unimpressed HR manager named Beth.

The Dusk plugin provides some special routes as part of its testing framework to allow a browser environment (such as headless Chrome) to act as a user in the Backend or User plugin without having to go through authentication. This route is `[[URL]]/_dusk/login/[[USER ID]]/[[MANAGER]]` - where `[[URL]]` is the base URL of the site, `[[USER ID]]` is the ID of the user account and `[[MANAGER]]` is the authentication manager (either `backend` for Backend, or `user` for the User plugin). If a configuration of a site using the Dusk plugin is set up in such a way that the Dusk plugin is available publicly and the test cases in Dusk are run with live data, this route may potentially be used to gain access to any user account in either the Backend or User plugin without authentication. As indicated in the [README](https://github.com/wintercms/wn-dusk-plugin/blob/main/README.md), this plugin should only be used in development and should *NOT* be used in a production instance. It is specifical...

NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website. This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Akamai joins a growing list of security vendors aiming to strengthen companies' DNS defenses.

Change Healthcare ransomware hackers already received a $22 million payment. Now a second group is demanding money, and it has sent WIRED samples of what they claim is the company's stolen data.