Security
Headlines
HeadlinesLatestCVEs

Tag

#microsoft

GHSA-v42g-7q2x-cw32: Zendframework1 potential SQL injection vector using null byte for PDO (MsSql, SQLite)

The PDO adapters of Zend Framework 1 do not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection. We tested and verified the null byte injection using pdo_dblib (FreeTDS) on a Linux environment to access a remote Microsoft SQL Server, and also tested against and noted the vector against pdo_sqlite.

ghsa
Open in Source
#sql#microsoft#linux#git
GHSA-4vf6-mq7w-3hp6: Zend_Filter_StripTags vulnerable to Cross-site Scripting when comments allowed

Zend_Filter_StripTags contained an optional setting to allow whitelisting HTML comments in filtered text. Microsoft Internet Explorer and several other browsers allow developers to create conditional functionality via HTML comments, including execution of script events and rendering of additional commented markup. By allowing whitelisting of HTML comments, a malicious user could potentially include XSS exploits within HTML comments that would then be rendered in the final output.

New Phishing Campaign Uses Stealthy JPGs to Drop Agent Tesla

Spanish speakers beware! A new campaign using the Agent Tesla RAT targets Spanish-speaking individuals. Learn how to protect…

Microsoft Will Switch Off Recall by Default After Security Backlash

After weeks of withering criticism and exposed security flaws, Microsoft has vastly scaled back its ambitions for Recall, its AI-enabled silent recording feature, and added new privacy features.

The AI Debate: Google's Guidelines, Meta's GDPR Dispute, Microsoft's Recall Backlash

Google is urging third-party Android app developers to incorporate generative artificial intelligence (GenAI) features in a responsible manner. The new guidance from the search and advertising giant is an effort to combat problematic content, including sexual content and hate speech, created through such tools. To that end, apps that generate content using AI must ensure they don't create

Microsoft’s Recall Feature Is Even More Hackable Than You Thought

A new discovery that the AI-enabled feature’s historical data can be accessed even by hackers without administrator privileges only contributes to the growing sense that the feature is a “dumpster fire.”

Crimson Palace: Chinese Hackers Steal Military Secrets Over 2 Years

Sophos uncovers “Operation Crimson Palace, a long-term cyberespionage effort targeting a Southeast Asian government. Learn how attackers used…

Microsoft Recall snapshots can be easily grabbed with TotalRecall tool

A worried researcher has created a tool to demonstrate exactly how much of a security backdoor Microsoft is creating with Recall.

Few But High-Profile TikTok Accounts Hacked Via Zero-Click Attack in DM

TikTok accounts are being hacked! Celebrities and brands targeted in zero-click attack. Learn more about this major security…