Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
Summary: The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to t...
CVE-2021-4389
The WP Travel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.4.6. This is due to missing or incorrect nonce validation on the savemetadata function. This makes it possible for unauthenticated attackers to save metadata for travel posts via a...
Interview with Signal’s New President
Long and interesting interview with Signal's new president, Meredith Whittaker: WhatsApp uses the Signal encryption protocol to provide encryption for its messages. That was absolutely a visionary choice that Brian and his team led back in the day - and big props to them for doing that. But you...
CVE-2020-5228
CVE-2020-5228 affects Opencast versions prior to 7.6/8.1 where OAI-PMH publication was enabled by default, allowing unauthenticated public access to media and metadata. The root cause is the OAI-PMH endpoint being part of the default workflow and not protected by default. Mitigations implemented ...
Signal Secure Messaging App Now Encrypts Sender's Identity As Well
Signal, the popular end-to-end encrypted messaging app, is planning to roll out a new feature that aims to hide the sender's identity from potential attackers trying to intercept the communication. Although messages sent via secure messaging services, like Signal, WhatsApp, and Telegram, are full...
Microsoft Office: Protect document metadata for rights managed Office Open XML Files
This test checks the setting for policy OpenVAS Vulnerability Test $Id: office2013protectrightsmanagedfilesmetadata.nasl 11843 2018-10-11 14:33:21Z emoss $ Check value for Protect document metadata for rights managed Office Open XML Files Authors: Emanuel Moss Copyright: Copyright (c) 2018 Greenbon...
CVE-2012-4382
MediaWiki before 1.18.5, and 1.19.x before 1.19.2 does not properly protect user block metadata, which allows remote administrators to read a user block reason via a reblock attempt...
TOR Mail Encrypted Server: OnionMail
TOR Mail Encrypted Server for Hidden Services OnionMail is an anonymous, encrypted mail server made to run on TOR network without losing the ability to communicate with the Internet. All OnionMail servers are configured as TOR hidden services and use SSL via STARTTLS. To use OnionMail all you nee...
Dark Internet Mail Environment: DIME
Internet electronic mail (email) was designed in the early days of the Internet, and so lacks any mechanism to protect the privacy of the sender and addressee. Several techniques have been used in an attempt to increase the privacy of email. These techniques have provided either modest increases in...
WhatsApp Encryption: A Good Start, but Far from a Security Panacea
WhatsApp’s addition of end-to-end encryption is a good start, but does not present users with a complete solution that protects against the prying eyes of intrusive governments and nosey third parties. That’s the consensus among privacy and security experts who commend Facebook-owned WhatsApp fo...
Infosec A-Team to Launch NSA-Proof Invisible Messenger for Whistleblowers
If a whistleblower discloses an activity to the public, then there should be a trust-based mechanism that ensures the protection of truth-tellers on an international level by hiding their identities. In an effort to provide this kind of service and security, security experts grouped together to...