Aggregator

A vulnerability has been found in SourceCodester Employee and Visitor Gate Pass Logging System 1.0 and classified as problematic. Affected by this vulnerability is the function save_users of the file Users.php. The manipulation leads to cross-site request forgery. This vulnerability is known as CVE-2024-6649. The attack can be launched remotely. Furthermore, there is an exploit available.

GitGuardian’s State of Secrets Sprawl 2025 report shows no progress in combating secrets sprawl, with 23.8 million secrets leaked on public GitHub repositories in 2024—a 25% year-over-year increase. Despite GitHub Push Protection’s efforts, secrets sprawl is accelerating, especially with generic secrets, which made up 58% of all leaked credentials. More troubling, 70% of secrets leaked in 2022 remain active, significantly expanding the attack surface for threat actors. The report makes one thing clear: secrets management … More →

The post Report: The State of Secrets Sprawl 2025 appeared first on Help Net Security.

Vanta announced a series of new features and capabilities to help security and GRC teams seamlessly collaborate across their organization and extended network. These releases—including team-based collaboration and granular user access, an integrated Vanta Exchange for vendor security reviews, enhanced audit capabilities and expanded security questionnaire automation—reduce manual processes and enable companies to manage trust as a team. With 65% of businesses reporting that customers, investors and suppliers increasingly require proof of compliance, maintaining a … More →

The post Vanta strengthens collaboration between security and GRC teams appeared first on Help Net Security.

The question is no longer "Are we compliant?" but "Are we truly resilient?"

A surge in browser-based phishing attacks has been recorded over the past year, with a 140% increase compared to 2023 according to Menlo Security

Через год десятка останется без защиты, а миллионы компьютеров рискуют оказаться в «мусорной корзине»

A vulnerability classified as very critical has been found in JupiterX Theme Plugin up to 3.0.0 on WordPress. This affects the function print_pane. The manipulation leads to file inclusion. This vulnerability is uniquely identified as CVE-2023-32110. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability has been found in JupiterX Core Premium Plugin up to 3.3.5 on WordPress and classified as critical. This vulnerability affects unknown code. The manipulation leads to unrestricted upload. This vulnerability was named CVE-2023-38388. The attack can be initiated remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in rankchecker Rankchecker.io Integration Plugin up to 1.0.9 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. This vulnerability is handled as CVE-2025-28857. The attack may be launched remotely. There is no exploit available.

Malware analysis is a promising yet competitive career path, where education must be taken seriously to stand up against ever-evolving threats. The demand for such professionals has never been higher, but the requirements and expectations are not low either.   A specific mindset and a number of well-developed soft skills are no less vital than a […]

The post Decoding a Malware Analyst: Essential Skills and Expertise appeared first on ANY.RUN's Cybersecurity Blog.

The recently leaked trove of internal chat logs among members of the Black Basta ransomware operation has revealed possible connections between the e-crime gang and Russian authorities. The leak, containing over 200,000 messages from September 2023 to September 2024, was published by a Telegram user @ExploitWhispers last month. According to an analysis of the messages by cybersecurity company

A vulnerability classified as critical has been found in Apple tvOS up to 10.1. This affects an unknown part of the component WebKit. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2017-2454. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

State-sponsored threat actors and cybercrime groups from North Korea, Iran, Russia, and China have been exploiting a zero-day Windows vulnerability with no fix in sight for the last eight years, researchers with Trend Micro’s Zero Day Initiative have warned on Tuesday. The vulnerability, which doesn’t have a CVE number but is being tracked as ZDI-CAN-25373 by ZDI researchers, allowed attackers to surreptitiously execute malicious commands on a victim’s machine and deliver a variety of malware … More →

The post APTs have been using zero-day Windows shortcut exploit for eight years (ZDI-CAN-25373) appeared first on Help Net Security.

1Kosmos announced 1Kosmos 1Key for shared account login environments. With FIDO-compliant biometric authentication, 1Kosmos 1Key addresses the pressing need for security, accountability, and auditability in settings where multiple users access shared accounts, such as operational technology (OT) systems, hospitality services, and other collaborative workspaces. Shared accounts are commonly used in both IT and OT environments where many users interact with a single workstation or application. However, shared access can also lead to security vulnerabilities, accountability … More →

The post 1Kosmos 1Key secures shared login environments and OT systems appeared first on Help Net Security.

A vulnerability classified as critical has been found in Apple iOS up to 10.2. Affected is an unknown function of the component WebKit. The manipulation leads to memory corruption. This vulnerability is traded as CVE-2017-2454. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Texas Imperial Software WFTPD 2.4.1/2.4.1 Rc11/2.34/2.40. This affects an unknown part of the component MLST Command Handler. The manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2000-0647. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Exasol 24.2.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component JDBC Driver. The manipulation leads to injection. This vulnerability is known as CVE-2024-55551. The attack can be launched remotely. There is no exploit available.

On Jan. 11, 2025, Verisign supported the Internet Corporation for Assigned Names and Numbers (ICANN) in taking a major step to ensure the continued security, stability, and resiliency of the Domain Name System (DNS). While imperceptible to most users, this action – specifically, the introduction of a new Domain Name System Security Extensions (DNSSEC) Key […]

The post The 2024-2026 Root Zone KSK Rollover: Initial Observations and Early Trends appeared first on Verisign Blog.

Elastic announced an expanded partnership with an integrated offering that includes Tines Workflow Automation and the Elastic Search AI Platform to simplify security and observability workflow automation. The partnership equips security teams with security orchestration, automation and response (SOAR) and AI-driven security analytics capabilities, while observability teams benefit from enhanced incident response automation. “We’re thrilled about the Elastic and Tines partnership—it’s been a game-changer for our team and our ability to protect our vast network … More →

The post Elastic expands partnership with Tines to scale security operations appeared first on Help Net Security.