An information leak in youmart-tokunaga v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-39049: CVE-reports/CVE-2023-39049.md at main · syz913/CVE-reports

An information leak in TonTon-Tei_waiting Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE-2023-39046: CVE-reports/CVE-2023-39046.md at main · syz913/CVE-reports

A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request.

**A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA**

High severity GitHub Reviewed Published Sep 18, 2023 to the GitHub Advisory Database • Updated Sep 19, 2023

GHSA-r87q-fq37-pvr6: A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Starting in version 0.2.9 and prior to version 0.3.10, locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime. This issue is fixed in version 0.3.10. As a workaround, ensure the lock name is a non-empty string.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Affected versions**

\>=v0.2.9, <0.3.10

**Description**

**Impact**

Locks of the type @nonreentrant("") or @nonreentrant('') do not produce reentrancy checks at runtime.

@nonreentrant("") \# unprotected
@external
def bar():
    pass

@nonreentrant("lock") \# protected
@external
def foo():
    pass

**Patches**

Patched in #3605

**Workarounds**

The lock name should be a non-empty string.

**References**

_Are there any links users can visit to find out more?_

CVE-2023-42441: incorrect re-entrancy lock when key is empty string

An information leak in THE_B_members card v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE-2023-39058: CVE-reports/CVE-2023-39058.md at main · syz913/CVE-reports

An information leak in YKC Tokushima_awayokocho Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

*   Home
*   Services
    *   Home Internet
    *   Voice Services
    *   Home Security
*   Our Story
    *   Our Mission
    *   Community Involvement
    *   Scholarship & Grants
*   Careers
*   Support
    *   Understanding Your Bill
    *   Tech Glossary
    *   Wi-Fi 101 Videos
*   Blog
*   Contact Us

Menu

*   Home
*   Services
    *   Home Internet
    *   Voice Services
    *   Home Security
*   Our Story
    *   Our Mission
    *   Community Involvement
    *   Scholarship & Grants
*   Careers
*   Support
    *   Understanding Your Bill
    *   Tech Glossary
    *   Wi-Fi 101 Videos
*   Blog
*   Contact Us

Menu

**Ready to Get Connected?**

Find out which of our services are available in your area.

**A Proud Rural Service Provider**

**DRIVEN TO BE THE BEST**

YK Communications strives to provide superior communications technologies to the homes and businesses in our service areas.

We deliver an exceptional level of local customer care with personal attention, prompt responses, and strong working relationships.

Our owners, management team, and employees all live in, work in, and enthusiastically support the communities we serve.

**A Customizable Experience**

With Whole-Home Wi-Fi and a CommandIQ app, you have complete control over things like parental controls and cybersecurity!

**Speeds Up To 1 GIG**

We’ve got fiber, yes we do. So whether you are busy gaming, streaming, downloading, or re-spawning – you can leave the lag behind.

**24/7 Technical Support**

YK Communications makes it a priority to keep you connected. Technical support is available 24 hours a day, 7 days a week.

**BUILD YOUR CUSTOM EXPERIENCE**

Our experience-enhancing add-ons allow you to build the service that works best for you and your household. Contact a specialist today for a free service consultation by calling 

(361) 771-3334.

**Click To Learn More About:**

**WAYS TO SAVE**

**on Services you Need**

YK Communications works to offer exceptional services without cutting corners – but sometimes we can help you cut down on extra costs through promotions. Check out the options below for details.

**Your Neighbors Are**

**OUR HAPPY CUSTOMERS**

“Great customer service, and very helpful with everything! We use them for all our security, phone, internet, website, and more! So glad we can shop local! YKC has always supported our local community which gives you more reasons to shop local! When is the last time the mall or Apple has supported the local 4H, Boy/Girl Scouts, the school, Volunteer Fire Department, and more? Thank you Ganado Telephone and YKC for all you do for our personal and public needs.”

**Seth Brezina**

**Read What’s Happening On**

**THE YK BLOG**

**Troubleshooting Your Wi-Fi: What Else Causes Internet Connectivity Issues?**

As a YK Communications internet service customer, you rely on your Wi-Fi connection for everything from streaming movies and playing games to online shopping and staying connected with family and friends. So, when something goes wrong, it can be frustrating and even stressful. However, before you call our 24/7 support team, there are a few things you can try to

Read More

**Beware of Summer Security Scams: Stay Protected with YK Communications**

With the onset of summer and the increasing temperatures, many of us look forward to spending more time outdoors. However, this delightful season also brings along a less pleasant annual tradition – the influx of door-to-door salesmen, often peddling home security systems. While some represent legitimate companies, others exploit the summer spike in sales activity to blend in and prey

Read More

**We're Social!**

Like and follow us online @ykcomms

Next To You. Ahead Of Technology. We’re a local provider of residential and business-class InternetA global wide area network (WAN), also described as a networ… More, Voice, Video and Security services in Texas.

**Quick Links**

**Give Us A Call**

**to get connected or upgrade!**

**Visit Us**

All rights reserved. Copyrighted 2023 by YK Communications.

CVE-2023-39043: Home - YK Communications

An information leak in Cheese Cafe Line v13.6.1 allows attackers to obtain the channel access token and send crafted messages.

CVE-2023-39040: CVE-reports/CVE-2023-39040.md at main · syz913/CVE-reports

### Impact

Locks of the type `@nonreentrant("")` or `@nonreentrant('')` do not produce reentrancy checks at runtime.

```Vyper
@nonreentrant("") # unprotected
@external
def bar():
    pass

@nonreentrant("lock") # protected
@external
def foo():
    pass
```
### Patches

Patched in #3605

### Workarounds

The lock name should be a non-empty string.


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-42441

**Vyper has incorrect re-entrancy lock when key is empty string**

Moderate severity GitHub Reviewed Published Sep 15, 2023 in vyperlang/vyper • Updated Sep 18, 2023

**Affected versions**

\>= 0.2.9, < 0.3.10

**Description**

**Impact**

Locks of the type @nonreentrant("") or @nonreentrant('') do not produce reentrancy checks at runtime.

@nonreentrant("") \# unprotected
@external
def bar():
    pass

@nonreentrant("lock") \# protected
@external
def foo():
    pass

**Patches**

Patched in #3605

**Workarounds**

The lock name should be a non-empty string.

**References**

*   GHSA-3hg2-r75x-g69m
*   vyperlang/vyper#3605
*   vyperlang/vyper@0b74028

Published to the GitHub Advisory Database

Sep 18, 2023

Last updated

Sep 18, 2023

GHSA-3hg2-r75x-g69m: Vyper has incorrect re-entrancy lock when key is empty string

By Waqas
Another day, another data security incident at Microsoft.
This is a post from HackRead.com Read the original post: Microsoft AI Researchers Expose 38TB of Top Sensitive Data

**KEY FINDINGS**

*   **Microsoft AI researchers accidentally exposed 38 terabytes of private data, including a disk backup of two employees’ workstations, while publishing a bucket of open-source training data on GitHub.**

*   **The backup includes secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.**

*   **The data was exposed due to a misconfigured Shared Access Signature (SAS) token.**

*   **SAS tokens can be a security risk if not used properly, as they can grant high levels of access to Azure Storage data.**

*   **Organizations should carefully consider their security needs before using SAS tokens.**

As part of their ongoing work on accidental exposure of cloud-hosted data, the Wiz Research Team scanned the internet for misconfigured storage containers. In this process, they found a GitHub repository under the Microsoft organization named robust-models-transfer. The repository belonged to Microsoft’s AI research division, whose purpose is to provide open-source code and AI models for image recognition.

After further digging, it was revealed that Microsoft AI researchers accidentally exposed 38 terabytes of private data, including a disk backup of two employees’ workstations, while publishing a bucket of open-source training data on GitHub. The backup included secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages.

However, the URL for the repository allowed access to more than just open-source models. It was configured to grant permissions on the entire storage account, exposing additional private data by mistake.

The Wiz scan showed that this account contained 38 terabytes of additional data, including Microsoft employees’ personal computer backups. The backups contained sensitive personal data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.

In the hands of threat actors, this data could have been devastating for the technology giant, especially considering the current circumstances. Microsoft has **recently revealed** how malicious elements are eager to exploit Microsoft Teams to facilitate ransomware attacks.

The exposed URL, MS Team Chats and more (Credit: WIZ)

According to Wiz’s **blog post**, in addition to the overly permissive access scope, the token was also misconfigured to allow “full control” permissions instead of read-only. This means that not only could an attacker view all the files in the storage account, but they could delete and overwrite existing files as well.

This is particularly interesting considering the repository’s original purpose: providing AI models for use in training code. The repository instructs users to download a model data file from the SAS link and feed it into a script.

The file’s format was ckpt, a format produced by the TensorFlow library. It’s formatted using Python’s pickle formatter, which is prone to arbitrary code execution by design. This means that an attacker could have injected malicious code into all the AI models in this storage account, and every user who trusts Microsoft’s GitHub repository would’ve been infected by it.

In response to the news, **Andrew Whaley**, Senior Technical Director at the Norwegian cybersecurity firm **Promon** said: “Microsoft may be one of the frontrunners in the AI race, but it’s hard to believe this is the case when it comes to cybersecurity. The tech titan has taken great technological strides in recent years; however, this incident serves as a reminder that even the best-intentioned projects can inadvertently expose sensitive information.”

“Shared Access Signatures (SAS) are a significant cybersecurity risk if not managed with the utmost care. Although they’re undeniably a valuable tool for collaboration and sharing data, they can also become a double-edged sword when misconfigured or mishandled. When overly permissive SAS tokens are issued or when they are exposed unintentionally, it’s like willingly handing over the keys to your front door to a burglar,” Andrew warned.

He emphasised that “Microsoft may well have been able to prevent this breach if they implemented stricter access controls, regularly audited and revoked unused tokens, and thoroughly educated their employees on the importance of safeguarding these credentials. Additionally, continuous monitoring and automated tools to detect overly permissive SAS tokens could have also averted this blunder.”

This is not the first instance of Microsoft exposing such sensitive data. **In July 2020**, the Microsoft Bing server inadvertently exposed user search queries and location data, including distressing search terms related to murder and child abuse content.”

Nevertheless, Wiz researchers informed Microsoft about the data leak on June 22, 2023, and the tech giant secured it by August 16, 2023. The researchers published their report earlier today, once they were assured that all security aspects of the exposed servers had been addressed.

**RELATED ARTICLES**

1.  Leaky database exposes fake Amazon product reviews scam
2.  250 million Microsoft customer support records leaked in plain text
3.  Microsoft investigating Windows XP, Server 2003 source code leak
4.  38 million records exposed in Microsoft Power apps misconfiguration
5.  Sensitive source codes exposed in Microsoft Azure Blob account leak

Microsoft AI Researchers Expose 38TB of Top Sensitive Data

By Deeba Ahmed
The gang used satellite technology to get sports feed and predict match results before bookmakers.
This is a post from HackRead.com Read the original post: Crooks Exploited Satellite Live Feed Delay for Betting Advantage

INTERPOL, Europol, with the help of the Spanish Police, have dismantled a highly sophisticated and organized crime group that was using satellite technology for an unfair betting advantage.

**KEY FINDINGS**

*   **An international operation has dismantled an organized illegal betting and match-fixing syndicate.**

*   **The syndicate exploited satellite technology to obtain an unfair advantage over others while placing bets.**

*   **The gang used its knowledge of the time delay caused when HD feeds were transmitted from stadiums to television screens worldwide.**

*   **Investigators searched four houses and seized two properties, two large satellite dishes and signal receives, three luxury vehicles, 47 bank accounts, 80 cellphones, cash, and counterfeit banknotes worth around €13,000.**

*   **The syndicate bribed the athletes, including players from Romanian football teams, and fixed matches based on their deals.**

A large-scale international operation recently concluded with the dismantling of an organized illegal betting and match-fixing syndicate for exploiting satellite technology to obtain an unfair advantage over others while placing bets. At least 23 individuals have been arrested, including its masterminds and a person involved in manipulating international table tennis events.

The operation was launched in 2020 with the support of Europol, Interpol, Romanian and Spanish national police, and the Spanish tax agency. According to Europol, this criminal network exploited video signals from high-profile sporting events, such as the World Cup 2022, to get an edge in high-speed betting.

The gang used its knowledge of the time delay caused when HD feeds were transmitted from stadiums to television screens worldwide. This 20 to 30-second delay was enough to make monetary gains by making informed bets.

Interpol’s secretary-general, Jurgen Stock, said this was a crafty criminal gang as they benefitted from such a brief time delay.

> “Organized crime groups will exploit the tiniest of gaps given the opportunity. In this case, we’re talking about a 20 or 30-second advantage that led to significant gains.”
> 
> Jurgen Stock – INTERPOL

During the operation, investigators searched four houses and seized two properties, two large satellite dishes and signal receives, three luxury vehicles, 47 bank accounts, 80 cellphones, cash, and counterfeit banknotes worth around €13,000.  

Investigation began in 2020 when Spanish law enforcement agencies detected a gang, operating from Romania and Bulgaria, involved in deceptive betting activities. At that time, they believed the group targeted international table tennis events. They bribed the athletes, including players from Romanian football teams, and fixed matches based on their deals.

Later, investigators detected that the gang used satellite technology to get match results. They received live feeds from games before the information reached legit bookmakers and placed bets knowing what was going to happen next beforehand. 

The group exploited this knowledge and placed bets on almost every prominent sporting event, including South American and Asian football leagues, the UEFA Nations League, Bundesliga games, the 2022 Qatar World Cup, and ITF and ATP tennis tournaments. 

They avoided suspicions by hiring people who placed bets on their behalf and collected winnings for the gang. They also bribed a trader from one of the leading betting firms to ensure bets got validated every time without raising an alarm.

“Successful operations such as the one led by Spain only reaffirm our engagement in ensuring our entire suite of notices, databases and expert networks fully support the police in closing these gaps,” Stock stated.

**RELATED ARTICLES**

1.  Satellite Hacking: Star Wars Could be a Reality in the Near Future
2.  Satellite Internet connections can easily be intercepted by hackers
3.  Military Satellite Access Sold on Russian Hacker Forum for $15,000
4.  ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee
5.  Researchers hack SpaceX Starlink satellite signal for GPS alternative

Tag

#git