Security
Headlines
HeadlinesLatestCVEs

Tag

#mac

What Kind of Data Gets Stolen When a Developer is Compromised?

What is the worst that can happen when a developer's machine is compromised? Depending on the developer's position, attackers gain access to nearly everything: SSH keys, credentials, access to CI/CD pipelines and production infrastructure, the works.

DARKReading
Open in Source
#mac#ssh
CVE-2022-46493: 🛡️ Nbnbk has any file upload Getshell · Issue #1 · Fanli2012/nbnbk

Default version of nbnbk was discovered to contain an arbitrary file upload vulnerability via the component /api/User/download_img.

CVE-2022-4662: [PATCH 5.4 053/108] USB: core: Prevent nested device-reset calls

A flaw incorrect access control in the Linux kernel USB core subsystem was found in the way user attaches usb device. A local user could use this flaw to crash the system.

CVE-2022-41838: TALOS-2022-1634 || Cisco Talos Intelligence Group

A code execution vulnerability exists in the DDS scanline parsing functionality of OpenImageIO Project OpenImageIO v2.4.4.2. A specially-crafted .dds can lead to a heap buffer overflow. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-36354: TALOS-2022-1629 || Cisco Talos Intelligence Group

A heap out-of-bounds read vulnerability exists in the RLA format parser of OpenImageIO master-branch-9aeece7a and v2.3.19.0. More specifically, in the way run-length encoded byte spans are handled. A malformed RLA file can lead to an out-of-bounds read of heap metadata which can result in sensitive information leak. An attacker can provide a malicious file to trigger this vulnerability.

CVE-2022-41794: TALOS-2022-1626 || Cisco Talos Intelligence Group

A heap based buffer overflow vulnerability exists in the PSD thumbnail resource parsing code of OpenImageIO 2.3.19.0. A specially-crafted PSD file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.

Inside the Next-Level Fraud Ring Scamming Billions Off Holiday Retailers

"Largest attack of its kind": A potent Southeast Asian e-commerce fraud ring has declared war on US retailers, targeting billions in goods in just the past month and forcing mules into its scheme.

CVE-2022-45415: Security Vulnerabilities fixed in Firefox 107

When downloading an HTML file, if the title of the page was formatted as a filename with a malicious extension, Firefox may have saved the file with that extension, leading to possible system compromise if the downloaded file was later ran. This vulnerability affects Firefox < 107.

CVE-2022-46879: Security Vulnerabilities fixed in Firefox 108

Mozilla developers and community members Lukas Bernhard, Gabriele Svelto, Randell Jesup, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 107. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 108.

CVE-2022-22749: Security Vulnerabilities fixed in Firefox 96

When scanning QR codes, Firefox for Android would have allowed navigation to some URLs that do not point to web content.<br>*This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 96.