Web Application Security | Breaking Cybersecurity News | The Hacker News

Not every security vulnerability is high risk on its own - but in the hands of an advanced attacker, even small weaknesses can escalate into major breaches. These five real vulnerabilities, uncovered by Intruder's bug-hunting team, reveal how attackers turn overlooked flaws into serious security incidents. 1. Stealing AWS Credentials with a Redirect Server-Side Request Forgery (SSRF) is a common vulnerability that can have a significant impact, especially in cloud-hosted applications. If a web application fetches resources from user-supplied URLs, care should be taken to ensure attackers can't manipulate requests to access unintended resources. While assessing a home-moving app running in AWS, our team tested common SSRF bypass techniques. The attack chain was as follows: the app sent a webhook request to the attacker's web server, which responded with a 302 redirect to AWS's metadata service. The app followed the redirect and logged the response, which exposed sensitive metadat...

Threat actors have been observed exploiting two newly disclosed critical security flaws in Craft CMS in zero-day attacks to breach servers and gain unauthorized access. The attacks, first observed by Orange Cyberdefense SensePost on February 14, 2025, involve chaining the below vulnerabilities - CVE-2024-58136 (CVSS score: 9.0) - An improper protection of alternate path flaw in the Yii PHP framework used by Craft CMS that could be exploited to access restricted functionality or resources (A regression of CVE-2024-4990 ) CVE-2025-32432 (CVSS score: 10.0) - A remote code execution (RCE) vulnerability in Craft CMS (Patched in versions 3.9.15, 4.14.15, and 5.6.17) According to the cybersecurity company, CVE-2025-32432 resides in a built-in image transformation feature that allows site administrators to keep images to a certain format. "CVE-2025-32432 relies on the fact that an unauthenticated user could send a POST request to the endpoint responsible for the image transf...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting Gladinet CentreStack to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2025-30406 (CVSS score: 9.0), concerns a case of a hard-coded cryptographic key that could be abused to achieve remote code execution. It has been addressed in version 16.4.10315.56368 released on April 3, 2025. "Gladinet CentreStack contains a use of hard-coded cryptographic key vulnerability in the way that the application manages keys used for ViewState integrity verification," CISA said. "Successful exploitation allows an attacker to forge ViewState payloads for server-side deserialization, allowing for remote code execution." Specifically, the shortcoming is rooted in the use of a hard-code "machineKey" in the IIS web.config file, which enables threat actors with knowl...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two six-year-old security flaws impacting Sitecore CMS and Experience Platform (XP) to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The vulnerabilities are listed below - CVE-2019-9874 (CVSS score: 9.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN CVE-2019-9875 (CVSS score: 8.8) - A deserialization vulnerability in the Sitecore.Security.AntiCSRF module that allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN There are currently no details on how the flaws are being weaponized in the wild and by whom, although SiteCore, in an update shared on March 30, 2020, said it became "aware of active exploit...

Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could permit unauthenticated users to gain administrator privileges. "The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed," Patchstack's Rafie Muhammad said in a Wednesday report. The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), has been patched in version 6.4 of the plugin released on August 13, 2024. It impacts all versions of the plugin, including and prior to 6.3.0.1. LiteSpeed Cache is one of the most widely used caching plugins in WordPress with over five million active installations. In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them privileges to...

A maximum-severity security flaw has been disclosed in the WordPress GiveWP donation and fundraising plugin that exposes more than 100,000 websites to remote code execution attacks. The flaw, tracked as CVE-2024-5932 (CVSS score: 10.0), impacts all versions of the plugin prior to version 3.14.2, which was released on August 7, 2024. A security researcher, who goes by the online alias villu164, has been credited with discovering and reporting the issue. The plugin is "vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter," Wordfence said in a report this week. "This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files." The vulnerability is rooted in a function named "give_process_donation_form()," which is used to vali...

A large-scale extortion campaign has compromised various organizations by taking advantage of publicly accessible environment variable files (.env) that contain credentials associated with cloud and social media applications. "Multiple security missteps were present in the course of this campaign, including the following: Exposing environment variables, using long-lived credentials, and absence of least privilege architecture," Palo Alto Networks Unit 42 said in a Thursday report. The campaign is notable for setting up its attack infrastructure within the infected organizations' Amazon Web Services (AWS) environments and using them as a launchpad for scanning more than 230 million unique targets for sensitive data. With 110,000 domains targeted, the malicious activity is said to have netted over 90,000 unique variables in the .env files, out of which 7,000 belonged to organizations' cloud services and 1,500 variables are linked to social media accounts. "T...

Cybersecurity researchers have disclosed details of security flaws in the Roundcube webmail software that could be exploited to execute malicious JavaScript in a victim's web browser and steal sensitive information from their account under specific circumstances. "When a victim views a malicious email in Roundcube sent by an attacker, the attacker can execute arbitrary JavaScript in the victim's browser," cybersecurity company Sonar said in an analysis published this week. "Attackers can abuse the vulnerability to steal emails, contacts, and the victim's email password as well as send emails from the victim's account." Following responsible disclosure on June 18, 2024, the three vulnerabilities have been addressed in Roundcube versions 1.6.8 and 1.5.8 released on August 4, 2024. The list of vulnerabilities is as follows - CVE-2024-42008 - A cross-site scripting flaw via a malicious email attachment served with a dangerous Content-Type head...

Web Application Security consists of a myriad of security controls that ensure that a web application: Functions as expected. Cannot be exploited to operate out of bounds. Cannot initiate operations that it is not supposed to do. Web Applications have become ubiquitous after the expansion of Web 2.0, which Social Media Platforms, E-Commerce websites, and email clients saturating the internet spaces in recent years.  As the applications consume and store even more sensitive and comprehensive data, they become an ever more appealing target for attackers.  Common Attack Methods The three most common vulnerabilities that exist in this space are Injections (SQL, Remote Code), Cryptographic Failures (previously sensitive data exposure), and Broken Access Control (BAC). Today, we will focus on Injections and Broken Access Control.  Injections  SQL is the most common Database software that is used, and hosts a plethora of payment data, PII data, and internal busi...

Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as  CVE-2023-50164 , the vulnerability is  rooted  in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code. Struts is a Java framework that uses the Model-View-Controller ( MVC ) architecture for building enterprise-oriented web applications. Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software - Struts 2.3.37 (EOL) Struts 2.5.0 - Struts 2.5.32, and Struts 6.0.0 - Struts 6.3.0 Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue. "All developers are strongly advised to perform this upgr...

Modern web app development relies on cloud infrastructure and containerization. These technologies scale on demand, handling millions of daily file transfers – it's almost impossible to imagine a world without them. However, they also introduce multiple attack vectors that exploit file uploads when working with public clouds, vulnerabilities in containers hosting web applications, and many other persistent threats. We surveyed organizations responsible for securing critical web applications used by healthcare, financial services, technology, and other critical infrastructure verticals to learn how they tackle the most destructive threats and summarized our findings in the OPSWAT 2023 State of Web Application Security Report. The survey report revealed that: 97% of organizations use or will deploy containers in their web hosting environments. 75% use cloud storage access solutions and want to prevent malware, secure sensitive data, and mitigate security compliance risks. 94% c...

The threat actor known as  Winter Vivern  has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts. "Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu Faou  said  in a new report published today. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs-of-concept are available online." Winter Vivern, also known as TA473 and UAC-0114, is an  adversarial collective  whose objectives align with that of Belarus and Russia. Over the past few months, it has been attributed to attacks against Ukraine and Poland, as well as government entities across Europe and India. The group is also assessed to have exploited another flaw Roundcube as recently as August and September (CVE-2020-35730), making it the  second nation-state group after APT28  to target the op...

Cybercriminals will be as busy as ever this year. Stay safe and protect your systems and data by focusing on these 4 key areas to secure your environment and ensure success in 2023, and make sure your business is only in the headlines when you WANT it to be.  1 — Web application weaknesses Web applications are at the core of what SaaS companies do and how they operate, and they can store some of your most sensitive information such as valuable customer data.  SaaS applications are often multi-tenanted, so your applications need to be secure against attacks where one customer could access the data of another customer, such as logic flaws, injection flaws, or access control weaknesses. These are easy to exploit by hackers, and easy mistakes to make when writing code.  Security testing with an automated vulnerability scanner in combination with regular pentesting can help you design and build secure web applications by integrating with your existing environment, catchin...

What is the OWASP Top 10, and – just as important – what is it not? In this review, we look at how you can make this critical risk report work for you and your organisation. What is OWASP? OWASP  is the Open Web Application Security Project, an international non-profit organization dedicated to improving web application security.  It operates on the core principle that all of its materials are freely available and easily accessible online, so that anyone anywhere can improve their own web app security. It offers a number of tools, videos, and forums to help you do this – but their best-known project is the OWASP Top 10. The top 10 risks The  OWASP Top 10  outlines the most critical risks to web application security. Put together by a team of security experts from all over the world, the list is designed to raise awareness of the current security landscape and offer developers and security professionals invaluable insights into the latest and most widespread sec...

With the growth in digital transformation, the API management market is set to grow  by more than 30%   by the year 2025 as more businesses build web APIs and consumers grow to rely on them for everything from mobile apps to customized digital services. As part of strategic business planning, an API helps generate revenue by allowing customers access to the functionality of a website or computer program through custom applications. As more and more businesses are implementing APIs, the risk of API attacks increases. By 2022, Gartner predicted that API (Application Programming Interface) attacks would become the most common attack vector for enterprise web applications. Cybercriminals are targeting APIs more aggressively than ever before, and businesses must take a proactive approach to  API security  to combat this new aggression. API and The Business World With integrating APIs into modern IT environments, businesses are becoming increasingly data-driven...