This Week In Security: Curl Reveal, Rapid Reset DDoS, And Libcue (hackaday.com)
Advisory: Session Token Enumeration in RWS WorldServer

Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions.

Details
=======
Product: WorldServer
Affected Versions: 11.7.3 and earlier versions
Fixed Version: 11.8.0
Vulnerability Type: Session Token Enumeration
Security Risk: high
Vendor URL: https://www.rws.com/localization/products/additional-solutions/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-001
Advisory Status: published
CVE: CVE-2023-38357
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38357

Introduction
============
"WorldServer offers a flexible,
This Week In Security: Minecraft Fractureiser, MOVEit, And Triangulation (hackaday.com)
Advisory: STARFACE: Authentication with Password Hash Possible

RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a
Advisory: Pydio Cells: Cross-Site Scripting via File Download

Pydio Cells implements the download of files using presigned URLs which are generated using the Amazon AWS SDK for JavaScript [1]. The secrets used to sign these URLs are hardcoded and exposed through the JavaScript files of the web application. Therefore, it is possible to generate valid signatures for arbitrary download URLs.