SecurityWeek reports that threat actors could leverage critical vulnerabilities in the open-source file-sharing software ownCloud to expose sensitive data and to bypass authentication and validation controls.
The most serious of the identified flaws is a maximum-severity bug affecting the graphapi app, which could expose phpinfo output, including ownCloud admin passwords, license keys, mail server credentials, and other web server environment variables, according to an advisory from ownCloud. The advisory noted that remediating the issue requires changing the admin password, the Object-Store/S3 access key, and the mail server and database credentials.
The second flaw, an authentication bypass bug in the WebDAV API, could allow files to be accessed, modified, or deleted without any authentication, while the third could be leveraged to bypass subdomain validation.
"Within the oauth2 app an attacker is able to pass in a specially crafted redirect-URL which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker," said ownCloud.
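The redirect-URL weakness described above is the classic failure of a loose "contains the registered host" check. As an added defensive illustration (not ownCloud's code; the allowlist and hostnames are constructed placeholders), here is such a loose check beside a strict one that parses the URL and requires scheme, host, port and path to match a registered redirect URI exactly:

```python
from urllib.parse import urlsplit

# Constructed allowlist of registered OAuth redirect URIs (assumed values).
REGISTERED_REDIRECTS = {
    "https://client.example.net/oauth/callback",
}


def weak_redirect_allowed(redirect_uri: str) -> bool:
    """Loose check: accepts any string that merely contains a registered host.
    This style of validation is what a crafted redirect URL defeats."""
    return any(urlsplit(r).hostname in redirect_uri for r in REGISTERED_REDIRECTS)


def strict_redirect_allowed(redirect_uri: str) -> bool:
    """Strict check: parse the candidate and require an exact match of scheme,
    host, port and path against a registered URI; reject userinfo and fragments."""
    try:
        cand = urlsplit(redirect_uri)
        cand_port = cand.port  # may raise ValueError on a malformed port
    except ValueError:
        return False
    if cand.scheme != "https" or not cand.hostname:
        return False
    if cand.username or cand.password or cand.fragment:
        return False
    for reg in REGISTERED_REDIRECTS:
        r = urlsplit(reg)
        if (cand.scheme == r.scheme and cand.hostname == r.hostname
                and cand_port == r.port and cand.path == r.path):
            return True
    return False
```

Only the registered URI itself passes the strict check; a URL whose host merely starts with or embeds the registered name fails it.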
DevOps security firm Cycode has added several new features to its application security posture management platform, led by the inclusion of generative artificial intelligence in its Risk Intelligence Graph, reports SiliconAngle.
Cyber risk management provider Resilience has acquired incident response firm BreachQuest for an undisclosed amount in order to make cyber incident response more efficient, SiliconAngle reports.