Security
Headlines
HeadlinesLatestCVEs

Latest News

CVE-2024-12694: Chromium: CVE-2024-12694 Use after free in Compositing

**What is the version information for this release?** Microsoft Edge Version Date Released Based on Chromium Version 131.0.2903.112 12/19/2024 131.0.6778.205

Microsoft Security Response Center
#microsoft#chrome#Microsoft Edge (Chromium-based)#Security Vulnerability
CVE-2024-12693: Chromium: CVE-2024-12693 Out of bounds memory access in V8

**What is the version information for this release?** Microsoft Edge Version Date Released Based on Chromium Version 131.0.2903.112 12/19/2024 131.0.6778.205

CVE-2024-12692: Chromium: CVE-2024-12692 Type Confusion in V8

**What is the version information for this release?** Microsoft Edge Version Date Released Based on Chromium Version 131.0.2903.112 12/19/2024 131.0.6778.205

Welcome to the party, pal!

In the last newsletter of the year, Thorsten recalls his tech-savvy gift to his family and how we can all incorporate cybersecurity protections this holiday season.

Acrobat out-of-bounds and Foxit use-after-free PDF reader vulnerabilities found

Cisco Talos’ Vulnerability Research team recently disclosed three out-of-bounds read vulnerabilities in Adobe Acrobat Reader, and two use-after-free vulnerabilities in Foxit Reader.   These vulnerabilities exist in Adobe Acrobat Reader and Foxit Reader, two of the most popular and feature-rich PDF readers on the market.  The vulnerabilities

GHSA-g5vr-rgqm-vf78: Spring Framework Path Traversal vulnerability

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

GHSA-6v67-2wr5-gvf4: QOS.CH logback-core Server-Side Request Forgery vulnerability

Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in  XML configuration files.

GHSA-pr98-23f8-jwxv: QOS.CH logback-core Expression Language Injection vulnerability

ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.

Orgs Scramble to Fix Actively Exploited Bug in Apache Struts 2

A newly discovered vulnerability, CVE-2024-53677, in the aging Apache framework is going to cause major headaches for IT teams, since patching isn't enough to fix it.

TP-Link faces US national security probe, potential ban on devices

TP-Link is being investigated for alleged predatory pricing practices, which may be driven by ulterior motives.