Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

Actively Exploited Zero-Day, Critical RCEs Lead Microsoft Patch Tuesday

The zero-day (CVE-2024-49138), plus a worryingly critical unauthenticated RCE security vulnerability (CVE-2024-49112), are unwanted gifts for security admins this season.

DARKReading
#vulnerability#mac#windows#microsoft#rce#perl#ldap#auth#zero_day
GHSA-gg6x-448q-pqqm: Avenwu Whistle Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) in Avenwu Whistle v.2.9.90 and before allows attackers to perform malicious API calls, resulting in the execution of arbitrary code on the victim's machine.

'Termite' Ransomware Likely Behind Cleo Zero-Day Attacks

The threat actor group recently took credit for a similar attack on Blue Yonder that affected multiple organizations, including Starbucks.

Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities

The Patch Tuesday for December of 2024 includes 72 vulnerabilities, including four that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”

Dell Urges Immediate Update to Fix Critical Power Manager Vulnerability

A critical security flaw in Dell Power Manager has been discovered that could allow attackers to compromise your systems and execute arbitrary code.

Cybercrime Gangs Abscond With Thousands of AWS Credentials

The Nemesis and ShinyHunters attackers scanned millions of IP addresses to find exploitable cloud-based flaws, though their operation ironically was discovered due to a cloud misconfiguration of their own doing.

Cleo File Transfer Vulnerability Under Exploitation – Patch Pending, Mitigation Urged

Users of Cleo-managed file transfer software are being urged to ensure that their instances are not exposed to the internet following reports of mass exploitation of a vulnerability affecting fully patched systems. Cybersecurity company Huntress said it discovered evidence of threat actors exploiting the issue en masse on December 3, 2024. The vulnerability, which impacts Cleo's LexiCom,

GHSA-f626-677r-j5vq: Nette Database SQL injection

Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method.

Lessons From the Largest Software Supply Chain Incidents

The software supply chain is a growing target, and organizations need to take special care to safeguard it.

ABB Cylon Aspect 3.08.02 (tscConfiguration.php) Authenticated Reflected XSS

The ABB BMS/BAS controller suffers from an authenticated reflected cross-site scripting vulnerability. Input passed to the GET parameter 'port' is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.