#apple

Casdoor before v1.126.1 was discovered to contain an arbitrary file deletion vulnerability via the uploadFile function.

TensorFlow is an open source platform for machine learning. The function MakeGrapplerFunctionItem takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. We have patched the issue in GitHub commit a65411a1d69edfb16b25907ffb8f73556ce36bb7. The fix will be included in TensorFlow 2.11.0. We will also cherrypick this commit on TensorFlow 2.8.4, 2.9.3, and 2.10.1.

An XML external entity (XXE) injection vulnerability in Kwoksys Kwok Information Server before v2.9.5.SP31 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks.

Senayan Library Management System version 9.5.1 suffers from a remote SQL injection vulnerability.

By Deeba Ahmed The infamous North Korean state-backed Lazarus hacking group is using AppleJeus malware to steal crypto funds from Windows users. This is a post from HackRead.com Read the original post: Fake Windows Crypto Apps Spreading AppleJeus Malware

ConcreteCMS v9.1.3 was discovered to be vulnerable to Xpath injection attacks. This vulnerability allows attackers to access sensitive XML data via a crafted payload injected into the URL path folder "3".

A cross-site scripting (XSS) vulnerability in the component /signup_script.php of Ecommerce-Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the eMail parameter.

A cross-site scripting (XSS) vulnerability in ClicShopping_V3 v3.402 allows attackers to execute arbitrary web scripts or HTML via a crafted URL parameter.

Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

Categories: News Categories: Threats Tags: Lazarus Tags: APT38 Tags: AppleJeus Tags: sideloading Tags: BloxHolder Researchers have found a new Lazarus campaign, once again targeting cryptocurrency users and organizations by deploying a fake website and malicious documents. (Read more...) The post Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware appeared first on Malwarebytes Labs.