Security
Headlines
HeadlinesLatestCVEs

Tag

#mac

CVE-2023-47016: heap-buffer-overflow at /radare2/libr/include/r_endian.h:194:17 in r_read_le32 · Issue #22349 · radareorg/radare2

radare2 5.8.9 has an out-of-bounds read in r_bin_object_set_items in libr/bin/bobj.c, causing a crash in r_read_le32 in libr/include/r_endian.h.

CVE
Open in Source
#mac#ubuntu#linux#git
Nothing Chats pulled from Google Play

Nothing's new message app Chats has been pulled from Google Play after harsh criticism about security issues.

How to stop fake System notifications on macOS

Browser push notifications are becoming a problem on macOS. Learn how to remove them.

GHSA-h73m-pcfw-25h2: Download to arbitrary folder can lead to RCE

### Summary A web UI user can store files anywhere on the pyLoad server and gain command execution by abusing scripts. ### Details When a user creates a new package, a subdirectory is created within the /downloads folder to store files. This new directory name is derived from the package name, except a filter is applied to make sure it can't traverse directories and stays within /downloads. src/pyload/core/api/__init__.py::add_package::L432 ```python folder = ( folder.replace("http://", "") .replace("https://", "") .replace(":", "") .replace("/", "_") .replace("\\", "_") ) ``` So if a package were created with the name ```"../"``` the application would instead create the folder ```"/downloads/.._/"``` However, when editing packages there is no prevention in place and a user can just pick any arbitrary directory in the filesystem. src/pyload/webui/app/blueprints/json_blueprint.py::edit_package::L195 ```python id = int(flask.request.form["pack...

CVE-2023-48299: TorchServe ZipSlip

TorchServe is a tool for serving and scaling PyTorch models in production. Starting in version 0.1.0 and prior to version 0.9.0, using the model/workflow management API, there is a chance of uploading potentially harmful archives that contain files that are extracted to any location on the filesystem that is within the process permissions. Leveraging this issue could aid third-party actors in hiding harmful code in open-source/public models, which can be downloaded from the internet, and take advantage of machines running Torchserve. The ZipSlip issue in TorchServe has been fixed by validating the paths of files contained within a zip archive before extracting them. TorchServe release 0.9.0 includes fixes to address the ZipSlip vulnerability.

Atomic Stealer distributed to Mac users via fake browser updates

Compromised websites are being used to redirect to fake browser updates and deliver malware onto Mac users.

Konni RAT Exploiting Word Docs to Steal Data from Windows

By Deeba Ahmed Konni RAT is back! This is a post from HackRead.com Read the original post: Konni RAT Exploiting Word Docs to Steal Data from Windows

Europol Busts Major Online CSAM Racket in Western Balkans

By Deeba Ahmed The initiative was carried out under the banner of Operation MOZAIK 2023. This is a post from HackRead.com Read the original post: Europol Busts Major Online CSAM Racket in Western Balkans

How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography

Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them. Quishing Quishing, a phishing technique resulting from the

Malicious Apps Disguised as Banks and Government Agencies Targeting Indian Android Users

Android smartphone users in India are the target of a new malware campaign that employs social engineering lures to install fraudulent apps that are capable of harvesting sensitive data. “Using social media platforms like WhatsApp and Telegram, attackers are sending messages designed to lure users into installing a malicious app on their mobile device by impersonating legitimate organizations,