19 matches found
EUVD-2018-3161
Malware in sbrugna...
CVE-2024-37051
GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5,...
MTN Group: Unauthorized access to PII leads to Administrator account Takeover
The vulnerability arises from insufficient restrictions placed on the list of post authors, which could be exploited by remote attackers to obtain sensitive information through wp/v2/users/15 requests. The sensitive information, including email addresses, could be obtained and used in further...
Publitas: CORS Misconfiguration on █████
A cross-origin resource sharing misconfiguration was found that could allow an attacker to steal sensitive user information or force unwanted actions. The misconfiguration allowed credentials and enabled CORS for external domains. A proof of concept was shown that could exploit this to exfiltrate...
CVE-2023-45143
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in...
Radancy: Cross-origin resource sharing: arbitrary origin trusted
referred from CWE-942: Permissive Cross-domain Policy with Untrusted Domains Issue detail The application implements an HTML5 cross-origin resource sharing CORS policy for this request that allows access from any domain. The application allowed access from the requested origin https://example.com...
Server side request forgery (ssrf)
The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites SSRF...
CVE-2022-2912 Craw Data <= 1.0.0 - Server Side Request Forgery
The Craw Data WordPress plugin through 1.0.0 does not implement nonce checks, which could allow attackers to make a logged in admin change the url value performing unwanted crawls on third-party sites SSRF...
Roblox Beamers steal items from kids
Roblox gamers are once again being warned to be on their guard against scammers plundering valuable digital items. Most multiplayer titles are all about customization. You won’t find many popular games where digital items aren’t up for grabs. Some games lock the items, such as outfits, weapons, o...
Facebook Is Down
Facebook -- along with Instagram and WhatsApp -- went down globally today. Basically, someone deleted their BGP records, which made their DNS fall apart. …at approximately 11:39 a.m. ET today 15:39 UTC, someone at Facebook caused an update to be made to the company's Border Gateway Protocol BGP...
Open Redirection
notebook is vulnerable to open redirection. An attacker may send a malicious link to a notebook server resulting in a redirection of users to third-party sites...
WordPress iOS App Bug Leaked Secret Access Tokens to Third-Party Sites
If you have a "private" blog with WordPress.com and are using its official iOS app to create or edit posts and pages, the secret authentication token for your admin account might have accidentally been leaked to third-party websites. WordPress has recently patched a severe vulnerability in its iO...
Eobot: Secure Pages Include Mixed Content Issue
Description The page includes mixed content, that is content accessed via HTTP instead of HTTPS. Steps 1 Enter these two URLs https://www.eobot.com/fee https://www.eobot.com/ad 2 Open Source Code viewer You will note a Mixed Content Error. http://bitcoin.sipa.be/speed-small-lin.png Fix A page...
5 Best Game Hacking Apps for Android
By Uzair Amir Note: This article discusses apps that belong to third-party sites This is a post from HackRead.com Read the original post: 5 Best Game Hacking Apps for Android...
Consumer Groups Urge FTC to Halt Facebook Data Collection Program
A collection of privacy and consumer groups from the United States and Europe has asked the Federal Trade Commission to force Facebook to suspend a recently installed program that mines information on sites that users’ visit around the Web in order to serve them interest-based ads. The groups say...
Senate Committee to Discuss Do Not Track at Key Hearing
The drama surrounding the Do Not Track specification and its implementation by browser manufacturers is set to continue on Thursday when the Senate Commerce Committee will hold a hearing to discuss whether the proposed specification is strong enough or has been weakened by the digital advertising...
TimThumb Cache Directory 'src' Parameter Arbitrary PHP File Upload
The version of TimThumb hosted on the remote web server allows an unauthenticated, remote attacker to upload arbitrary PHP files as specified by input to the 'src' parameter and retrieved from third-party sites to its cache directory. It's likely that these files can then be executed by requesti...
Chrome Password Manager Cross Origin Weakness (CVE-2010-0556)
Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Chrome Password Manager Cross Origin Weakness Release Date: 2010-02-15 Application: Google Chrome Web Browser Versions:...
Adgregate ShopAd widget validation is vulnerable to replay attack
Adgregate is a "TechCrunch 50" startup that recently signed a distribution deal with Google/DoubleClick 1. As a service, they offer a "viral widget" intended to be hosted on untrusted third-party sites through which consumers can enter their credit card information. According to their website, th...