Bob's latest article introduces a convenient Plugin for tracking failed login attempts on MODX sites. This Plugin logs all failed attempts into the MODX error log, aiding in troubleshooting and enhancing site security. https://lnkd.in/gcsMGxAZ #MODX #CMS #WebDevelopment
MODX’s Post
More Relevant Posts
🚨 High Risk Alert! FOLIO mod-data-export-spring has a critical vulnerability (CVE-2024-23687) 🚨. Unauthenticated users can access critical APIs, modify user data, and configurations due to hard-coded credentials. This highlights the importance of API security and the risks of Cryptographic Failures. Stay safe! #FOLIO #APIsecurity #OWASP #CVE202423687 https://lnkd.in/esqTqJmw
🚨High Vulnerability Alert! 🚨: CVE-2024-1879 A Cross-Site Request Forgery (CSRF) vulnerability in significant-gravitas/autogpt version v0.5.0 allows attackers to execute arbitrary commands on the AutoGPT server. The vulnerability stems from the lack of protections on the API endpoint receiving instructions, enabling an attacker to direct a user running AutoGPT in their local network to a malicious website. This site can then send crafted requests to the AutoGPT server, leading to command execution. The issue is exacerbated by CORS being enabled for arbitrary origins by default, allowing the attacker to read the response of all cross-site queries. This vulnerability was addressed in version 5.1. CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) #autogpt #apisecurity #owasp https://lnkd.in/dnhxydEP
Cybersecurity Engineer | Cyber Security Specialist | Python | CISSP | CISM | Power Automate | GIAC Security Operations Center (GSOC) | SANS | Security+ | Retired Military | Automation
Today's mission: cracking a login using brute-forcing techniques for TCM Security's PJWT. First stop: Burp Suite! We tried brute-forcing the username with Burp, but the free version can be a bit slow, even with throttling. Enter ffuf: This nifty command-line fuzzing tool proved to be a much faster alternative. Here's the trick: We captured login attempts in Burp, focusing on the header details for successful and failed logins (especially packet size). Saved the header details to a text file. Used ffuf to target the password field, pointing it at the text file and filtering responses based on the packet size associated with incorrect passwords. 🪄 This significantly reduced the number of responses to analyze! Fufuf! ffuf proved to be a real time-saver. While I'm comfortable with the process now, I'll definitely be revisiting the tool to solidify my understanding. #webapptesting #bugbounty
CVSS: 9.1 (CRITICAL) Improper Authentication vulnerability in Progress MOVEit Transfer (SFTP module) can lead to Authentication Bypass. Affects: This issue affects MOVEit Transfer: from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, from 2024.0.0 before 2024.0.2. https://lnkd.in/d5Vy6H3R https://lnkd.in/d6q2vx7W #security #vulnerability #moveit CVE-2024-5806
Blueshift has been alerted to a novel exploit associated with ScreenConnect. This exploit has the ability to execute remote code and add/remove ScreenConnect users. This particular exploit does not require the user to perform multi-factor authentication (MFA). A link to the security advisory can be located on the ConnectWise URL here: https://bit.ly/42RYxB5 . We recommend checking and validating all current users with ScreenConnect access and applying the latest security patch as soon as possible. A link to the applicable patch can be found at the bottom of the link provided above, or you can follow this link here: https://bit.ly/49tnZ2i
Head of Cloud & DevOps Germany and Portugal | Leadership and Career Coach | Enabler | Challenger | Friend | Colleague | Human
🔑 Passwords are dead - long live passkeys 🔑 Passwords are a liability. They are knowledge-based, a constant challenge to remember, and are often reused for multiple services. Passwords are easily phished, stolen, and abused. That’s why passwordless authentication is needed. Keep reading to explore the future of passwordless authentication and the added value that passkeys bring in terms of security and usability. In this article, we evaluate the role of passkeys in modernising security practices for organisations without going into too many technicalities, acronyms, and terminologies, such as FIDO U2F, FIDO2, etc. Here is what you need to know about passkeys.
Passwords are dead – long live passkeys, Zühlke
zuehlke.smh.re
Preventing credential leaks from infostealers is not easy but achievable. Infostealers capture keystrokes, revealing passwords regardless of complexity! Implement these 3 steps to better prevent credential stuffing or at least reduce the damage 👇
1️⃣ Ensure AV and web protection tools are installed & correctly configured. This includes device software like AV, web protection, DLP to sniff/block outgoing traffic to known malicious C&C servers using threat intel.
2️⃣ Embed an organization password manager to reduce password reuse, limiting a potential breach to a single service.
3️⃣ Embed two-factor authentication (2FA) for all service logins to reduce the chance of access if a device is compromised & credentials leaked.