Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) Remote Code Execution

The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated blind command injection vulnerability. Input passed to the serial and ManufactureDate POST parameters is not properly sanitized, allowing attackers to execute arbitrary shell commands on the system. While factory test scripts included in the upgrade bundle are typically deleted, a short window for exploitation exists when the device is in the manufacturing phase.

Zero Science Lab
Open in Source
#vulnerability#web#linux#apache#java#intel#php#rce#perl#auth
Chrome Extension Compromises Highlight Software Supply Challenges

The Christmas Eve compromise of data-security firm Cyberhaven's Chrome extension spotlights the challenges in shoring up third-party software supply chains.

NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT

Researchers discovered a malicious package on the npm package registry that resembles a library for Ethereum smart contract vulnerabilities but actually drops an open-source remote access trojan called Quasar RAT onto developer systems.

LDAPNightmare PoC Exploit Crashes LSASS and Reboots Windows Domain Controllers

A proof-of-concept (PoC) exploit has been released for a now-patched security flaw impacting Windows Lightweight Directory Access Protocol (LDAP) that could trigger a denial-of-service (DoS) condition. The out-of-bounds reads vulnerability is tracked as CVE-2024-49113 (CVSS score: 7.5). It was addressed by Microsoft as part of Patch Tuesday updates for December 2024, alongside CVE-2024-49112 (

GHSA-ww33-jppq-qfrp: phpMyFAQ Vulnerable to Stored HTML Injection at FAQ

### Summary Due to insufficient validation on the content of new FAQ posts, it is possible for authenticated users to inject malicious HTML or JavaScript code that can impact other users viewing the FAQ. This vulnerability arises when user-provided inputs in FAQ entries are not sanitized or escaped before being rendered on the page. ### Details An attacker can inject malicious HTML content into the FAQ editor at http://localhost/admin/index.php?action=editentry, resulting in a complete disruption of the FAQ page's user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. ### PoC 1. In the source code of a FAQ Q&A post, insert the likes of this snippet: ``` <p>&lt;--`<img src="&#96;"> --!&gt;</p> <div style="position: absolute; top: 0; left: 0; width: 100%; height...

GHSA-qq9f-q439-2574: Narayana deadlock via multiple join requests sent to LRA Coordinator

A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.

Proposed HIPAA Amendments Will Close Healthcare Security Gaps

The changes to the healthcare privacy regulation with technical controls such as network segmentation, multi-factor authentication, and encryption. The changes would strengthen cybersecurity protections for electronic health information and address evolving threats against healthcare entities.

Unpatched Active Directory Flaw Can Crash Any Microsoft Server

Windows servers are vulnerable to a dangerous LDAP vulnerability that could be used to crash multiple servers at once and should be patched immediately.