Latest News

Microsoft’s AI Can Be Turned Into an Automated Phishing Machine

Attacks on Microsoft’s Copilot AI allow for answers to be manipulated, data extracted, and security protections bypassed, new research shows.

Wired

Microsoft on CISOs: Thriving Community Means Stronger Security

Microsoft execs detailed the company's reaction to the CrowdStrike incident and emphasized the value of a collective identity.

'0.0.0.0 Day' Flaw Puts Chrome, Firefox, Mozilla Browsers at RCE Risk

Attackers can use a seemingly innocuous IP address to exploit localhost APIs to conduct a range of malicious activity, including unauthorized access to user data and the delivery of malware.

GHSA-m3rh-cvr5-x6q4: CosmWasm wasmd has large address count in ValidateBasic

**Component:** wasmd
**Criticality:** Low ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Moderate; L:Unlikely)
**Patched versions:** wasmd 0.52.0

In multiple wasmd message types it was possible to add a large number of addresses which might lead to unexpected resource consumption in ValidateBasic. See [CWA-2024-003](https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-003.md) for more details.

GHSA-rg2q-2jh9-447q: Gas mispricing in cosmwasm-vm

**Component:** wasmvm
**Criticality:** Medium ([ACMv1](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md): I:Moderate; L:Likely)
**Patched versions:** wasmvm 1.5.4, 2.0.3, 2.1.2

Some Wasm operations take significantly more gas than our benchmarks indicated. This can lead to missing the [gas target](https://github.com/CosmWasm/cosmwasm/blob/e50490c4199a234200a497219b27f071c3409f58/docs/GAS.md#cosmwasm-gas-pricing) we defined by a factor of ~10x. This means a malicious contract could take 10 times as much time to execute as expected, which can be used to temporarily DoS a chain. See [CWA-2024-004](https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2024-004.md) for more details.

Calibre 7.15.0 Python Code Injection

This Metasploit module exploits a Python code injection vulnerability in the Content Server component of Calibre versions 6.9.0 through 7.15.0. The Content Server is disabled by default; once enabled, it listens in its default configuration on all network interfaces on TCP port 8080 and does not require any authentication. The injected payload is executed in the same context under which Calibre is running.

Debian Security Advisory 5742-1

Debian Linux Security Advisory 5742-1 - A vulnerability was discovered in odoo, a suite of web-based open-source business apps. It could result in the execution of arbitrary code.

Journyx 11.5.4 XML Injection

Journyx version 11.5.4 has an issue where the soap_cgi.pyc API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server's resources.

Journyx 11.5.4 Cross Site Scripting

Journyx version 11.5.4 suffers from a cross-site scripting vulnerability due to mishandling of the error_description during an Active Directory login flow.