GHSA-WV4W-6QV2-QQFG Python Social Auth - Django has unsafe account association
Impact: Upon authentication, the user could be associated by e-mail even if the `associate_by_email` pipeline was not included. This could lead to account compromise when a third-party authentication service does not validate provided e-mail addresses or does not require unique e-mail addresses. Patche...
EUVD-2017-1254
Malware in sbrugna...
CVE-2018-20840
An unhandled exception vulnerability exists during Google Sign-In with Google API C++ Client before 2019-04-10. It potentially causes an outage of third-party services that were not designed to recover from exceptions. On the client, ID token handling can cause an unhandled exception because of...
DORA: Strengthening Digital Resilience Through API Security
The Digital Operational Resilience Act (DORA) is one of the most significant cybersecurity regulations for financial institutions in the European Union (EU). Failure to comply can have massive consequences, including financial penalties and forced operational downtime, meaning achieving DORA complian...
DNS Dangling Record
Deploying web applications often requires developers or system administrators to configure DNS records that point at a third-party service. The most common scenarios are configuring a canonical name record (CNAME) or declaring specific name server records (NS) to delegate a specific DNS zone...
PCI DSS 4.0.1: New Clarifications on Client-Side Security – What You Need to Know
As a leading provider of web application and API security solutions, Imperva is committed to helping merchants, payment processors, and anyone seeking to comply with the latest PCI DSS requirements. We previously discussed the changes introduced in PCI DSS 4.0. This blog will cover the...
Act Now to Prepare for New NCUA Cyber Incident Reporting Requirements
We recently discussed the new SEC rule requiring all registered companies to report material cyber incidents within four (4) days. Now the National Credit Union Administration (NCUA) has updated their Cyber Incident Notification Rule, requiring all federally insured Credit Unions to notify the NCUA ...
Discord.io confirms theft of 760,000 members' data
Discord.io was/is a third party service that enables owners of Discord servers to create customized, personal Discord invites. After a preview of Discord.io's users database was posted on BreachForums, the owners have decided to shut down all Discord.io services "for the foreseeable future."...
Mars: subdomain takeover at █████████
A subdomain takeover vulnerability was discovered. The subdomain had been pointing to an inactive third-party resource, allowing an attacker to claim the resource and take control of the subdomain. The attacker was then able to serve arbitrary content on the subdomain...
Brightline breach hits at least 964,000 people, US records show
A pediatric behavioral health startup called Brightline informed its customers that their protected health data may have been stolen as part of a separate ransomware attack on a Brightline third-party service provider. "Based on the investigation, we identified a limited amount of protected healt...
The NBA tells fans about data breach
The National Basketball Association (NBA) has notified its fans that they may be affected by a data breach in a third-party service the organization uses. For now, it is safe to assume that the attacker only obtained names and email addresses, but the NBA has hired the services of external cybersecurity...
GHSA-7P8M-22H4-9PJ7 scs-library-client may leak user credentials to third-party service via HTTP redirect
Impact: When the scs-library-client is used to pull a container image with authentication, the HTTP Authorization header sent by the client to the library service may be incorrectly leaked to an S3 backing storage provider. This occurs in a specific flow, where the library service redirects the...
GHSA-246W-56M2-5899 Cross-site scripting (XSS) vulnerability in the password reset endpoint
Impact: The password reset endpoint served by Synapse was vulnerable to cross-site scripting (XSS) attacks. The impact depends on the configuration of the domain that Synapse is deployed on, but may allow access to cookies and other browser data, CSRF vulnerabilities, and access to other resources...
Major Gaming Companies Hit with Ransomware Linked to APT27
A recent slew of related ransomware attacks on top videogame companies has been attributed to the notorious Chinese-linked APT27 threat group, suggesting that the advanced persistent threat (APT) is shifting from its historically espionage-centered tactics to ransomware, a new report says...
CISA Updates Alert and Releases Supplemental Guidance on Emergency Directive for SolarWinds Orion Compromise
CISA has updated AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, originally released December 17. This update states that CISA has evidence of, and is currently investigating, initial access vectors in addition to...
CS Money: Sending e-mails with arbitrary text/clickable links to any registered user with a given e-mail address, knowing only the steamid
By combining the third-party service GetResponse used by the project with the 2FA deactivation functionality, a hacker found a way to send arbitrary text to any user, knowing only the victim's SteamID. The vulnerability relied on: 1. Invalid cookie management in the request; 2. No additional validatio...
Monsta FTP Server-Side Request Forgery Vulnerability
Monsta FTP is a lightweight file manager from Monsta (New Zealand). It supports file transfer, file management and document editing. A server-side request forgery vulnerability exists in Monsta FTP 2.10.1 and earlier versions, which stems from the program's insufficient restriction of web crawling...
Authentication flaw
This vulnerability was caused by an incomplete fix to CVE-2017-0911. Twitter Kit for iOS versions 3.0 to 3.4.0 is vulnerable to a callback verification flaw in the "Login with Twitter" component allowing an attacker to provide alternate credentials. In the final step of "Login with Twitter"...
Delta, Sears Breaches Blamed on Malware Attack Against a Third-Party Chat Service
Security researchers are pinning a recent data breach – that potentially exposed the credit card information of hundreds of thousands of Delta Air Lines and Sears Holdings customers – on weak third-party security policies. The cyberattack hit software service provider 247.ai, a company that...
Unspecified Vulnerability in Twitter Kit for iOS Login with Twitter Component
Twitter Kit for iOS is a set of open source native development kits for seamless interaction with Twitter on the iOS platform. The Login with Twitter component is one of its login components. A security vulnerability exists in the Login with Twitter component in Twitter Kit for iOS versions 3.0 throu...