A flaw was found in WordPress 5.1. “X-Forwarded-For” is an HTTP header used to carry the client’s original IP address. However, because this header can just as easily be added by the client to its own requests, systems or devices that rely on the address in the X-Forwarded-For header instead of the address of the connecting peer can run into various issues. If the application trusts and processes the data from this field, any authorization checks or originating-IP-address logging based on it can be manipulated.
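As an added illustration (not code from the page or from WordPress, and in Python rather than PHP), the following shows the trusting pattern the description warns about next to a version that discards only the hops belonging to proxies the operator controls; the trusted-proxy range and the sample addresses are constructed assumptions:

```python
import ipaddress
from typing import Optional

# Assumption for this example: the reverse proxies in front of the app live in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """The flawed pattern: believe the left-most X-Forwarded-For entry.

    Anyone can send this header, so an attacker chooses what this returns.
    """
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def trusted_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Walk the forwarding chain right-to-left, skipping only our own proxies.

    The socket peer (remote_addr) is the one hop the client cannot forge; each
    trusted proxy appends the peer it saw, so the first untrusted address seen
    from the right is the real client.  Anything further left is client-supplied.
    """
    chain = [hop.strip() for hop in (xff or "").split(",") if hop.strip()]
    chain.append(remote_addr)
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: fall back to the peer address
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return remote_addr  # every hop was one of our proxies


if __name__ == "__main__":
    # Constructed request: attacker at 203.0.113.7 sends a forged header,
    # our proxy 10.0.0.5 appends the address it actually saw.
    forged = "1.2.3.4, 203.0.113.7"
    print("naive  :", naive_client_ip("10.0.0.5", forged))    # 1.2.3.4
    print("trusted:", trusted_client_ip("10.0.0.5", forged))  # 203.0.113.7
```

Any allowlist or audit log keyed on the naive value is keyed on whatever the client wrote; the hardened version is only correct if TRUSTED_PROXIES matches the real deployment.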
Yearly Archives: 2022
CVE-2019-14841
A flaw was found in the RHDM, where an authenticated attacker can change their assigned role in the response header. This flaw allows an attacker to gain admin privileges in the Business Central Console.
CVE-2019-14840
A flaw was found in the RHDM, where sensitive HTML form fields such as the password field have auto-complete enabled, which may lead to a leak of credentials.
CVE-2017-7517
An input validation vulnerability exists in OpenShift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenShift. If a user creates a project called “MyProject” and later deletes it, another user can then create a project called “MyProject” and access the metrics stored from the original “MyProject” instance.
Amazon Customers Receive Smishing Warning After Receiving Fake Texts
Which? said it has reported the fake URLs to the National Cyber Security Centre
Hacking Automobile Keyless Entry Systems
Suspected members of a European car-theft ring have been arrested:
The criminals targeted vehicles with keyless entry and start systems, exploiting the technology to get into the car and drive away.
As a result of a coordinated action carried out on 10 October in the three countries involved, 31 suspects were arrested. A total of 22 locations were searched, and over EUR 1 098 500 in criminal assets seized.
The criminals targeted keyless vehicles from two French car manufacturers. A fraudulent tool, marketed as an automotive diagnostic solution, was used to replace the original software of the vehicles, allowing the doors to be opened and the ignition to be started without the actual key fob.
Among those arrested feature the software developers, its resellers and the car thieves who used this tool to steal vehicles.
The article doesn’t say how the hacking tool got installed into cars. Were there crooked auto mechanics, dealers, or something else?
strongswan-5.9.8-1.fc36
FEDORA-2022-11bf2b2597
Packages in this update:
strongswan-5.9.8-1.fc36
Update description:
Resolves CVE-2022-40617
Ransom Cartel Linked to Russia-Based REvil Ransomware Group
The connection became increasingly clear through the tools used by both threat actors
Fine for Shein! Fashion site hit with $1.9 million bill after lying about data breach
The parent company of women’s fashion site Shein has been fined $1.9 million after being accused of lying about the extent of a data breach, and of notifying “only a fraction” of affected customers.
Read more in my article on the Hot for Security blog.
strongswan-5.9.8-1.fc37
FEDORA-2022-525510c815
Packages in this update:
strongswan-5.9.8-1.fc37
Update description:
Resolves CVE-2022-40617