zend framework | Breaking Cybersecurity News | The Hacker News

It's time to update your Drupal websites. Drupal, the popular open-source content management system, has released a new version of its software to patch a security bypass vulnerability that could allow a remote attacker to take control of the affected websites. The vulnerability, tracked as CVE-2018-14773, resides in a component of a third-party library, called Symfony HttpFoundation component , which is being used in Drupal Core and affects Drupal 8.x versions before 8.5.6. Since Symfony—a web application framework with a set of PHP components—is being used by a lot of projects, the vulnerability could potentially put many web applications at risk of hacking. Symfony Component Vulnerability According to an advisory released by Symfony, the security bypass vulnerability originates due to Symfony's support for legacy and risky HTTP headers. "Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rew

A security researcher recently reported a critical vulnerability in one of the most popular open source PHP libraries used to send emails that allowed a remote attacker to execute arbitrary code in the context of the web server and compromise a web application. Disclosed by Polish security researcher Dawid Golunski of Legal Hackers, the issue ( CVE-2016-10033 ) in PHPMailer used by more than 9 Million users worldwide was thought to be fixed with the release of version 5.2.18. However, Golunski managed to bypass the patched version of PHPMailer that was given a new CVE ( CVE-2016-10045 ), which once again put millions of websites and popular open source web apps, including WordPress, Drupal, 1CRM, SugarCRM, Yii, and Joomla, at risk of remote code execution attack. PHPMailer eventually fixed the issue with an update, version 5.2.20 . All versions of PHPMailer before this critical release are affected, so web administrators and developers are strongly recommended to update to t

Compromising the browser is a high-return target for adversaries. Browser extensions, which are small software modules that are added to the browser and can enhance browsing experiences, have become a popular browser attack vector. This is because they are widely adopted among users and can easily turn malicious through developer actions or attacks on legitimate extensions. Recent incidents like  DataSpii  and the  Nigelthorn  malware attack have exposed the extent of damage that malicious extensions can inflict. In both cases, users innocently installed extensions that compromised their privacy and security. The underlying issue lies in the permissions granted to extensions. These permissions, often excessive and lacking granularity, allow attackers to exploit them. What can organizations do to protect themselves from the risks of browser extensions without barring them from use altogether (an act that would be nearly impossible to enforce)?  A new report by LayerX, "Unveiling the