Security
Headlines
HeadlinesLatestCVEs

Tag

#intel

CVE-2022-31642: HP PC BIOS August 2022 Security Updates for Potential SMM and TOCTOU Vulnerabilities

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure.

CVE
Open in Source
#vulnerability#ios#microsoft#dos#intel#bios
Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems

The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials

Insights Into Nation-State Tactics: Lessons From Russia's Hybrid War In Ukraine

By paying attention to emerging threat intelligence, security leaders can be better prepared to defend against similar attack vectors in the future.

Where from, Where to — The Evolution of Network Security

For the better part of the 90s and early aughts, the sysadmin handbook said, "Filter your incoming traffic, not everyone is nice out there" (later coined by Gandalf as "You shall not pass"). So CIOs started to supercharge their network fences with every appliance they could get to protect against inbound (aka INGRESS) traffic. In the wake of the first mass phishing campaigns in the early 2010s,

CVE-2023-34000: Vulnerability in WooCommerce Stripe Gateway Plugin - Patchstack

Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0 versions.

CVE-2023-3203: MStore API <= 3.9.6 - Cross-Site Request Forgery to Product Limit Update — Wordfence Intelligence

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_limit_product function. This makes it possible for unauthenticated attackers to update limit the number of product per category to use cache data in home screen via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-3198: MStore API <= 3.9.6 - Cross-Site Request Forgery to Order Status Update — Wordfence Intelligence

The MStore API plugin for WordPress is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the mstore_update_status_order_message function. This makes it possible for unauthenticated attackers to update status order message via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Analysis: Social Engineering Drives BEC Losses to $50B Globally

Threat actors have grown increasingly sophisticated in applying social engineering tactics against their victims, which is key to this oft-underrated cybercriminal scam's success.

Popular Apparel, Clothing Brands Being Used in Massive Phishing Scam

Threat actors have created over 3,000 domains, some as old as two years, to lure in customers to false, name brand websites for personal financial gain.

CVE-2022-31635: HP PC BIOS November 2022 Security Updates for Potential TOCTOU Vulnerabilities

Potential time-of-check to time-of-use (TOCTOU) vulnerabilities have been identified in the BIOS for certain HP PC products, which might allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure.