Tag
The top-level domain for the United States -- .US -- is home to thousands of newly-registered domains tied to a malicious link shortening service that facilitates malware and phishing scams, new research suggests. The findings come close on the heels of a report that identified .US domains as among the most prevalent in phishing attacks over the past year.
In the ever-evolving cybersecurity landscape, the game-changers are those who adapt and innovate swiftly. Pen test solutions not only supercharge productivity but also provide a crucial layer of objectivity, ensuring efficiency and exceptional accuracy. The synergy between a skilled penetration tester and the precision of pen testing solutions are crucial for staying on top of today’s high
Since April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid Viper advanced persistent threat (APT) group targeting Arabic-speaking Android users.
Plus: Major vulnerability fixes are now available for a number of enterprise giants, including Cisco, VMWare, Citrix, and SAP.
MuPDF v1.21.1 was discovered to contain an infinite recursion in the component pdf_mark_list_push. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.
An issue discovered in Govee LED Strip v3.00.42 allows attackers to cause a denial of service via crafted Move and MoveWithOnoff commands.
# Description The laters version of Kimai is found to be vulnerable to a critical Server-Side Template Injection (SSTI) which can be escalated to Remote Code Execution (RCE). The vulnerability arises when a malicious user uploads a specially crafted Twig file, exploiting the software's PDF and HTML rendering functionalities. Snippet of Vulnerable Code: ```php public function render(array $timesheets, TimesheetQuery $query): Response { ... $content = $this->twig->render($this->getTemplate(), array_merge([ 'entries' => $timesheets, 'query' => $query, ... ], $this->getOptions($query))); ... $content = $this->converter->convertToPdf($content, $pdfOptions); ... return $this->createPdfResponse($content, $context); } ``` The vulnerability is triggered when the software attempts to render invoices, allowing the attacker to execute arbitrary code on the server. In below, you can find the docker-compose file was used for this testing: ``...
Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.
By Deeba Ahmed What happens in iLeakage attacks is that the CPU is tricked into executing speculative code that reads sensitive data from memory. This is a post from HackRead.com Read the original post: iLeakage Attack: Theft of Sensitive Data from Apple’s Safari Browser
### Impact ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI `HTTPUtilities.getFileUploads` methods (or more specifically those methods in the `DefaultHTTPUtilities` implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well. ### Related to CVE-2023-24998 ### Patches ESAPI 2.5.2.0 or later. ### Workarounds - See the 'Solutions' section of Security Bulletin 11, in the References section. If you are not using ESAPI file uploads, see also the 'Workarounds' section. - Deploy an external WAF or other suitable DoS protection. - Add additional defenses to your code using HTTPUtilities.getFileUpload, such as requiring prior authentication, restricting how many / much content can be uploaded per user per day or per hour, etc. (It i...