Security
Headlines
HeadlinesLatestCVEs

Tag

#web

GHSA-pwm3-776c-8q7q: BoniGarcia WebDriverManager Affected By Improper Restriction of XML External Entity Reference

Improper Restriction of XML External Entity Reference vulnerability in bonigarcia webdrivermanager on Windows, MacOS, Linux (XML parsing components modules) allows Data Serialization External Entities Blowup. This vulnerability is associated with program files src/main/java/io/github/bonigarcia/wdm/WebDriverManager.java. This issue affects webdrivermanager: from 1.0.0 before 6.1.0.

ghsa
#vulnerability#web#mac#windows#linux#git#java#maven
Google to pay $1.38 billion over privacy violations

The state of Texas reached a mammoth financial agreement with Google last week, securing $1.375 billion in payments to settle two lawsuits concerning the use of consumers' data.

The Internet’s Biggest-Ever Black Market Just Shut Down Amid a Telegram Purge

Following a WIRED inquiry, Telegram banned thousands of accounts used for crypto-scam money laundering, including those of Haowang Guarantee, a black market that enabled over $27 billion in transactions.

RaaS Explained: How Cybercriminals Are Scaling Attacks Like Startups

There is a lot of money in cyberattacks like ransomware, and unfortunately for organizations of all sizes, the…

CFPB Quietly Kills Rule to Shield Americans From Data Brokers

Russell Vought, acting director of the Consumer Financial Protection Bureau, has canceled plans to more tightly regulate the sale of Americans’ sensitive personal data.

North Korean Hackers Stole $88M by Posing as US Tech Workers

Flashpoint uncovers how North Korean hackers used fake identities to secure remote IT jobs in the US, siphoning…

GHSA-w9hf-35q4-vcjw: nosurf vulnerable to CSRF due to non-functional same-origin request checks

### Impact This vulnerability allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass Cross-Site Request Forgery checks and issue requests on user's behalf. ### Details Due to misuse of the Go `net/http` library, nosurf categorizes all incoming requests as plain-text HTTP requests, in which case the `Referer` header is not checked to have the same origin as the target webpage. If the attacker has control over HTML contents on either the target website (e.g. `example.com`), or on a website hosted on a subdomain of the target (e.g. `attacker.example.com`), they will also be able to manipulate cookies set for the target website. By acquiring the secret CSRF token from the cookie, or overriding the cookie with a new token known to the attacker, `attacker.example.com` is able to craft cross-site requests to `example.com`. ### Patches A patch for the issue was released in nosurf 1.2.0. ### Workarounds ...

GHSA-gp98-hfvm-2r4x: Apache IoTDB JDBC Driver Discloses Sensitive Information via Log Files

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.

GHSA-5fc3-pqf2-57cx: Apache IoTDB Discloses Sensitive Information via Log Files

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.

Apple to Pay $95 Million in Siri Snooping Lawsuit – Here’s How to Apply

Did Siri record you? Apple is paying $95 million over Siri snooping allegations. Find out if you’re eligible…