Security
Headlines
HeadlinesLatestCVEs

Tag

#web

CFPB Quietly Kills Rule to Shield Americans From Data Brokers

Russell Vought, acting director of the Consumer Financial Protection Bureau, has canceled plans to more tightly regulate the sale of Americans’ sensitive personal data.

Wired
#web#google#intel#auth#sap#ssl
North Korean Hackers Stole $88M by Posing as US Tech Workers

Flashpoint uncovers how North Korean hackers used fake identities to secure remote IT jobs in the US, siphoning…

GHSA-w9hf-35q4-vcjw: nosurf vulnerable to CSRF due to non-functional same-origin request checks

### Impact This vulnerability allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass Cross-Site Request Forgery checks and issue requests on user's behalf. ### Details Due to misuse of the Go `net/http` library, nosurf categorizes all incoming requests as plain-text HTTP requests, in which case the `Referer` header is not checked to have the same origin as the target webpage. If the attacker has control over HTML contents on either the target website (e.g. `example.com`), or on a website hosted on a subdomain of the target (e.g. `attacker.example.com`), they will also be able to manipulate cookies set for the target website. By acquiring the secret CSRF token from the cookie, or overriding the cookie with a new token known to the attacker, `attacker.example.com` is able to craft cross-site requests to `example.com`. ### Patches A patch for the issue was released in nosurf 1.2.0. ### Workarounds ...

GHSA-gp98-hfvm-2r4x: Apache IoTDB JDBC Driver Discloses Sensitive Information via Log Files

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in Apache IoTDB JDBC driver. This issue affects iotdb-jdbc: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 2.0.2 and 1.3.4, which fix the issue.

GHSA-5fc3-pqf2-57cx: Apache IoTDB Discloses Sensitive Information via Log Files

Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Log File vulnerability in the OpenIdAuthorizer of Apache IoTDB. This issue affects Apache IoTDB: from 0.10.0 through 1.3.3, from 2.0.1-beta before 2.0.2. Users are recommended to upgrade to version 1.3.4 and 2.0.2, which fix the issue.

Apple to Pay $95 Million in Siri Snooping Lawsuit – Here’s How to Apply

Did Siri record you? Apple is paying $95 million over Siri snooping allegations. Find out if you’re eligible…

I checked out the European vulnerability database, EUVD, which was officially launched yesterday

I checked out the European vulnerability database, EUVD, which was officially launched yesterday. Its usefulness is questionable for now. 🤷‍♂️ 🔹 Basically, they pull data from public sources (MITRE CVE DB, CISA KEV, GHSA, EPSS, and a few others), map it under their own EUVD identifier (everything is mapped by CVE 😉), and provide a […]

North Korean IT Workers Are Being Exposed on a Massive Scale

Security researchers are publishing 1,000 email addresses they claim are linked to North Korean IT worker scams that infiltrated Western companies—along with photos of men allegedly involved in the schemes.

Job Seekers Targeted as Scammers Pose as Government Agencies on WhatsApp

Scammers impersonate government agencies on WhatsApp to target job seekers with fake offers, phishing sites, and identity theft…

GHSA-w443-5h3j-jqcp: Duplicate Advisory: crossbeam-channel Vulnerable to Double Free on Drop

### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pg9f-39pc-qf8g. This link is maintained to preserve external references. ### Original Description In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.