Security
Headlines
HeadlinesLatestCVEs

Tag

#web

How to Get Facebook Without Ads—if It’s Available for You

Meta now offers users an ad-free option, but it’s only available in Europe for those who can afford the €10-a-month subscription.

Wired
Open in Source
#web
CVE-2023-36688: WordPress Simple Site Verify plugin <= 1.0.7 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Michael Mann Simple Site Verify plugin <= 1.0.7 versions.

GHSA-xfm3-hjcc-gv78: Any value can be changed in the configuration table by an employee having access to block reassurance module

### Impact An ajax function in module blockreassurance allows modifying any value in the configuration table ### Patches v5.1.4 ### Workarounds no workaround available ### References

CVE-2023-43791: Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens

Label Studio is a multi-type data labeling and annotation tool with standardized output format. There is a vulnerability that can be chained within the ORM Leak vulnerability to impersonate any account on Label Studio. An attacker could exploit these vulnerabilities to escalate their privileges from a low privilege user to a Django Super Administrator user. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced.

GHSA-f475-x83m-rx5m: Label Studio has Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session Tokens

# Introduction This write-up describes a vulnerability found in [Label Studio](https://github.com/HumanSignal/label-studio), a popular open source data labeling tool. The vulnerability was found to affect versions before `1.8.2`, where a patch was introduced. # Overview In [Label Studio version 1.8.1](https://github.com/HumanSignal/label-studio/tree/1.8.1), a hard coded Django `SECRET_KEY` was set in the application settings. The Django `SECRET_KEY` is used for signing session tokens by the web application framework, and should never be shared with unauthorised parties. However, the Django framework inserts a `_auth_user_hash` claim in the session token that is a HMAC hash of the account's password hash. That claim would normally prevent forging a valid Django session token without knowing the password hash of the account. However, any authenticated user can exploit an Object Relational Mapper (ORM) Leak vulnerability in Label Studio to leak the password hash of any account on the ...

ChatGPT Down? OpenAI Blames Outages on DDoS Attacks

By Waqas OpenAI and ChatGPT began experiencing service outages on November 8th, and the company is actively working to restore full service. This is a post from HackRead.com Read the original post: ChatGPT Down? OpenAI Blames Outages on DDoS Attacks

Nude “before and after” photos stolen from plastic surgeon, posted online, and sent to victims&#8217; family and friends

The FBI is investigating a data breach where cybercriminals were able to steal patients’ records from a Las Vegas plastic surgeon's office and then publish them online.

New Malvertising Campaign Uses Fake Windows News Portal to Distribute Malicious Installers

A new malvertising campaign has been found to employ fake sites that masquerade as legitimate Windows news portal to propagate a malicious installer for a popular system profiling tool called CPU-Z. "This incident is a part of a larger malvertising campaign that targets other utilities like Notepad++, Citrix, and VNC Viewer as seen in its infrastructure (domain names) and cloaking templates used

Spammers abuse Google Forms’ quiz to deliver scams

Cisco Talos has recently observed an increase in spam messages abusing a feature of quizzes created within Google Forms.