#web

In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist.

Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks.

Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java. This issue affects webdrivermanager: from 1.0.0 before 6.1.0.

The state of Texas reached a mammoth financial agreement with Google last week, securing $1.375 billion in payments to settle two lawsuits concerning the use of consumers' data.

Following a WIRED inquiry, Telegram banned thousands of accounts used for crypto-scam money laundering, including those of Haowang Guarantee, a black market that enabled over $27 billion in transactions.

There is a lot of money in cyberattacks like ransomware, and unfortunately for organizations of all sizes, the…

Russell Vought, acting director of the Consumer Financial Protection Bureau, has canceled plans to more tightly regulate the sale of Americans’ sensitive personal data.

Flashpoint uncovers how North Korean hackers used fake identities to secure remote IT jobs in the US, siphoning…

### Impact This vulnerability allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass Cross-Site Request Forgery checks and issue requests on user's behalf. ### Details Due to misuse of the Go `net/http` library, nosurf categorizes all incoming requests as plain-text HTTP requests, in which case the `Referer` header is not checked to have the same origin as the target webpage. If the attacker has control over HTML contents on either the target website (e.g. `example.com`), or on a website hosted on a subdomain of the target (e.g. `attacker.example.com`), they will also be able to manipulate cookies set for the target website. By acquiring the secret CSRF token from the cookie, or overriding the cookie with a new token known to the attacker, `attacker.example.com` is able to craft cross-site requests to `example.com`. ### Patches A patch for the issue was released in nosurf 1.2.0. ### Workarounds ...

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.