Security
Headlines
HeadlinesLatestCVEs

Tag

#git

GHSA-4f8r-qqr9-fq8j: Incorrect delegation lookups can make go-tuf download the wrong artifact

During the ongoing work on the TUF conformance test suite, we have come across a test that reveals what we believe is a bug in go-tuf with security implications. The bug exists in go-tuf delegation tracing and could result in downloading the wrong artifact. We have come across this issue in the test in this PR: https://github.com/theupdateframework/tuf-conformance/pull/115. The test - `test_graph_traversal` - sets up a repository with a series of delegations, invokes the clients `refresh()` and then checks the order in which the client traced the delegations. The test shows that the go-tuf client inconsistently traces the delegations in a wrong way. For example, [during one CI run](https://github.com/theupdateframework/tuf-conformance/pull/115#issuecomment-2275625542), the `two-level-delegations` test case triggered a wrong order. The delegations in this look as such: ```python "two-level-delegations": DelegationsTestCase( delegations=[ DelegationTester("targets...

ghsa
#git
Cyberattackers Use HR Targets to Lay More_Eggs Backdoor

The FIN6 group is the likely culprit behind a spear-phishing campaign that demonstrates a shift in tactics, from targeting job seekers to going after those who hire.

AI-Powered Rhadamanthys Stealer Targets Crypto Wallets with Image Recognition

The threat actors behind the Rhadamanthys information stealer have added new advanced features to the malware, including using artificial intelligence (AI) for optical character recognition (OCR) as part of what's called "Seed Phrase Image Recognition." "This allows Rhadamanthys to extract cryptocurrency wallet seed phrases from images, making it a highly potent threat for anyone dealing in

Infrastructure vs. Runtime — Where Are Your Priorities?

Amid the noise of new solutions and buzzwords, understanding the balance between securing infrastructure and implementing runtime security is key to crafting an effective cloud strategy.

Android users targeted on Facebook and porn sites, served adware

ThreatDown research uncovered a campaign that spreads a annoying adware for Android devices through several methods

Nitro PDF Pro Local Privilege Escalation

The Nitro PDF Pro application uses a .msi installer file (embedded into an executable .exe installer file) for installation. The MSI installer uses custom actions in repair mode in an unsafe way. Attackers with low-privileged system access to a Windows system where Nitro PDF Pro is installed, can exploit the cached MSI installer's custom actions to effectively escalate privileges and get a command prompt running in context of NT AUTHORITY\SYSTEM. Versions prior to 14.26.1.0 and 13.70.8.82 and affected.

VICIdial Authenticated Remote Code Execution

An attacker with authenticated access to VICIdial as an "agent" can execute arbitrary shell commands as the "root" user. This attack can be chained with CVE-2024-8503 to execute arbitrary shell commands starting from an unauthenticated perspective.

Student Attendance Management System 1.0 Code Injection

Student Attendance Management System version 1.0 suffers from a PHP code injection vulnerability.

Mitsubishi Electric MELSEC iQ-F FX5-OPC

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: MELSEC iQ-F FX5-OPC Vulnerability: NULL Pointer Dereference 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a remote attacker to cause a Denial-of-Service (DoS) condition on the product by getting a legitimate user to import a specially crafted PKCS#12 format certificate. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Mitsubishi Electric products are affected: MELSEC iQ-F FX5-OPC: All versions 3.2 Vulnerability Overview 3.2.1 NULL POINTER DEREFERENCE CWE-476 A Denial-of-Service (DoS) vulnerability due to NULL Pointer Dereference when processing PKCS#12 format certificate exists in OpenSSL installed on MELSEC iQ-F OPC UA Unit. Because OpenSSL does not correctly check if a certain field in the PKCS#12 format certificate is NULL, a NULL pointer dereference occurs when the field is NULL, causing the product to enter a...

Facebook and Instagram passwords were stored in plaintext, Meta fined

The Data Protection Commission has fined Meta $101M because 600 million Facebook and Instagram passwords were stored in plaintext.