Security Headlines

Tag: #web

Membership Management System 1.0 SQL Injection / Shell Upload

Membership Management System version 1.0 suffers from remote shell upload and remote SQL injection vulnerabilities.

Packet Storm
#sql #vulnerability #web #git #php #rce #auth
The LockBit story: Why the ransomware affiliate model can turn takedowns into disruptions

Talos explores the recent law enforcement takedown of LockBit, a prolific ransomware group that claimed to resume their operations 7 days later.

AI-Powered Scams, Human Trafficking Fuel Global Cybercrime Surge: INTERPOL

By Waqas. A new INTERPOL Financial Fraud assessment reveals how cybercrime is being fueled by the abuse of AI and other technologies. This is a post from HackRead.com.

GHSA-qmgx-j96g-4428: SSRF vulnerability using the Aegis DataBinding in Apache CXF

An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF-style attacks on web services that take at least one parameter of any type. Users of other data bindings (including the default data binding) are not impacted.

Massive Data Breach Exposes Info of 43 Million French Workers

By Deeba Ahmed. Another day, another massive data breach! This is a post from HackRead.com.

CEO of Data Privacy Company Onerep.com Founded Dozens of People-Search Firms

The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that its founder has launched dozens of people-search services over the years.

GHSA-phg6-44m7-hx3h: Whoogle Search Cross-site Scripting vulnerability

Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior, the `element` method in `app/routes.py` does not validate the user-controlled `src_type` and `element_url` variables and passes them to the `send` method, which sends a `GET` request on lines 339-343 in `requests.py`. The returned contents of the URL are then passed to and reflected back to the user in the `send_file` function on line 484, together with the user-controlled `src_type`, which allows the attacker to control the HTTP response content type, leading to a cross-site scripting vulnerability. An attacker could craft a special URL that points to a malicious website and send the link to a victim. The fact that the link would contain a trusted domain (e.g. one of the public Whoogle instances) could be used to trick the user into clicking the link. The malicious website could, for example, be a copy of a real website, meant to steal a person's credentials to that website, or to trick that person in another way. ...

Webinar recap: 6 critical cyberthreats in 2024 and how to counter them

Get expert insights on the six most critical cyberthreats of 2024.

Checkmk Agent 2.0.0 / 2.1.0 / 2.2.0 Local Privilege Escalation

Checkmk Agent versions 2.0.0, 2.1.0, and 2.2.0 suffer from a local privilege escalation vulnerability.