Lucene search
35 matches found

RedhatCVE
added 2025/02/05 10:42 a.m., 9 views

CVE-2024-21643

IdentityModel Extensions for .NET provide assemblies for web developers that wish to use federated identity providers for establishing the caller's identity. Anyone leveraging the SignedHttpRequest protocol or the SignedHttpRequestValidator is vulnerable. Microsoft.IdentityModel trusts the jku claim...

8.8 CVSS, 6.7 AI score, 0.0063 EPSS
Exploits: 0, References: 1

CVE
added 2024/01/10 4:13 a.m., 54 views

CVE-2024-21643

The CVE-2024-21643 issue affects IdentityModel Extensions for .NET (Microsoft.IdentityModel.Protocols.SignedHttpRequest) where the SignedHttpRequest protocol/validator trusts the jku claim by default, enabling remote/local HTTP GET requests. Multiple sources confirm this vulnerability and identif...

8.8 CVSS, 8.5 AI score, 0.0063 EPSS
Exploits: 0, References: 4, Affected Software: 1

Fedora
added 2023/09/15 7:54 p.m., 38 views

[SECURITY] Fedora 39 Update: libwebp-1.3.1-3.fc39

WebP is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently...

8.8 CVSS, 7 AI score, 0.93301 EPSS
Exploits: 9

AlmaLinux
added 2023/05/02 12:0 a.m., 27 views

Important: libwebp security update

The libwebp packages provide a library and tools for the WebP graphics format. WebP is an image format with a lossy compression of digital photographic images. WebP consists of a codec based on the VP8 format, and a container based on the Resource Interchange File Format RIFF. Webmasters, web...

7.5 CVSS, 6.9 AI score, 0.00353 EPSS
Exploits: 0, References: 4

Fedora
added 2022/03/26 3:34 p.m., 10 views

[SECURITY] Fedora 36 Update: libwebp-1.2.2-4.fc36

WebP is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently...

3.4 AI score
Exploits: 0

CNVD
added 2022/03/01 12:0 a.m., 13 views

PaquitoSoftware Notimoo Cross-Site Scripting Vulnerability

Notimoo is a method for web developers to display notifications to users. PaquitoSoftware Notimoo suffers from a cross-site scripting vulnerability that can be exploited by attackers to execute arbitrary web script or HTML via a carefully crafted header or message in a notification...

6.1 CVSS, 3.8 AI score, 0.00305 EPSS
Exploits: 1, References: 1

Hacker One
added 2021/07/31 11:16 a.m., 10 views

Tennessee Valley Authority: Rate limit missing sign-in page

Vulnerability description not provided...

7.1 AI score
Exploits: 0

RedHat Linux
added 2021/06/07 12:29 p.m., 51 views

Important: Red Hat Security Advisory: libwebp security update

An update for libwebp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...

9.8 CVSS, 7.1 AI score, 0.00527 EPSS
Exploits: 0, References: 4

The Hacker News
added 2021/02/03 2:0 p.m., 42 views

Over a Dozen Chrome Extensions Caught Hijacking Google Search Results for Millions

New details have emerged about a vast network of rogue extensions for Chrome and Edge browsers that were found to hijack clicks to links in search results pages to arbitrary URLs, including phishing sites and ads. Collectively called "CacheFlow" by Avast, the 28 extensions in question — including...

7.9 AI score
Exploits: 0

Malwarebytes
added 2019/02/05 4:0 p.m., 95 views

How to browse the Internet safely at work

This Safer Internet Day, we teamed up with ethical hacking and web application security company Detectify to provide security tips for both workplace Internet users and web developers. This article is aimed at employees of all levels. If you’re a programmer looking to create secure websites, visi...

7.2 AI score
Exploits: 0

Kitploit
added 2019/01/17 12:28 p.m., 119 views

Commix v2.7 - Automated All-in-One OS Command Injection And Exploitation Tool

Commix short for command injection exploiter is an automated tool written by Anastasios Stasinopoulos @ancst that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities related...

8.3 AI score
Exploits: 0, References: 17

ThreatPost
added 2018/09/07 7:1 p.m., 11 views

Open .Git Directories Leave 390K Websites Vulnerable

A scan of more than 230 million web domains worldwide has uncovered 390,000 web pages with open .git directories – a worrying state of affairs that can expose a range of sensitive information. Researcher Vladimír Smitka at Lynt Services performed the scan, starting first in his native Czech...

7.2 AI score
Exploits: 0, References: 5

Kitploit
added 2018/04/19 12:46 p.m., 27 views

Sandcat Browser 6.0 - Pentest And Developer-Oriented Web Browser

Sandcat is a lightweight multi-tabbed web browser that combines the speed and power of Chromium and Lua. Sandcat comes with built-in live headers, an extensible user interface and command line console, resource viewer, and many other features that are useful for web developers and pen-testers and...

6.9 AI score
Exploits: 0, References: 3

Kitploit
added 2018/02/04 9:29 p.m., 528 views

DVWA - Damn Vulnerable Web Application

Damn Vulnerable Web Application DVWA is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid...

9 AI score
Exploits: 0, References: 4

Kitploit
added 2016/12/31 2:2 p.m., 25 views

Commix 1.6 - Automated All-In-One OS Command Injection And Exploitation Tool

Commix short for command injection exploiter is an automated tool written by Anastasios Stasinopoulos @ancst that can be used from web developers, penetration testers or even security researchers in order to test web-based applications with the view to find bugs, errors or vulnerabilities...

8.3 AI score
Exploits: 0, References: 15

Fedora
added 2016/11/19 9:33 p.m., 23 views

[SECURITY] Fedora 25 Update: mingw-libwebp-0.5.1-2.fc25

WebP is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently...

3.3 CVSS, 3.4 AI score, 0.00074 EPSS
Exploits: 0

Fedora
added 2016/11/12 11:57 p.m., 22 views

[SECURITY] Fedora 24 Update: mingw-libwebp-0.5.1-2.fc24

WebP is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently...

3.3 CVSS, 3.4 AI score, 0.00074 EPSS
Exploits: 0

n0where
added 2015/12/21 5:51 p.m., 323 views

Damn Vulnerable Node Application: DVNA

Damn Vulnerable Node Application DVNA is a node.js web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid...

0.4 AI score
Exploits: 0, References: 1

Kitploit
added 2015/06/03 10:27 p.m., 15 views

Damn Vulnerable Web App - PHP/MySQL Training Web Application that is Damn Vulnerable

Damn Vulnerable Web App DVWA is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid...

7.2 AI score
Exploits: 0, References: 1

ThreatPost
added 2014/09/24 2:40 p.m., 8 views

Second jQuery Hack of Week Reported

Update A day after a compromise of the jQuery website was disclosed, the open source JavaScript library is dealing with a second attack. JQuery Foundation board member Ralph Whitbeck confirmed via email to Threatpost that a new compromise was under way and the organization was taking steps to...

7.3 AI score
Exploits: 0, References: 3