#vulnerability

Red Hat Security Advisory 2024-5522-03 - An update for kpatch-patch-4_18_0-553 is now available for Red Hat Enterprise Linux 8. Issues addressed include code execution and use-after-free vulnerabilities.

A previously undocumented backdoor named Msupedge has been put to use against a cyber attack targeting an unnamed university in Taiwan. "The most notable feature of this backdoor is that it communicates with a command-and-control (C&C) server via DNS traffic," the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News. The origins of the backdoor are

In today's rapidly evolving cyber threat landscape, organizations face increasingly sophisticated attacks targeting their applications. Understanding these threats and the technologies designed to combat them is crucial. This article delves into the mechanics of a common application attack, using the infamous Log4Shell vulnerability as an example, and demonstrates how Application Detection and

Cybersecurity researchers have disclosed a security flaw impacting Microsoft Azure Kubernetes Services that, if successfully exploited, could allow an attacker to escalate their privileges and access credentials for services used by the cluster. "An attacker with command execution in a Pod running within an affected Azure Kubernetes Services cluster could download the configuration used to

Exposure of Remote Code Execution in Apache Dolphinscheduler. This issue affects Apache DolphinScheduler: before 3.2.2. We recommend users to upgrade Apache DolphinScheduler to version 3.2.2, which fixes the issue.

**According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H) and major loss of integrity (I:H) but have no effect on availability (A:N). What does that mean for this vulnerability?** Exploiting this vulnerability allows an attacker to view highly sensitive resource information (C:H) and results in a total loss of protection for that data (I:H), but does not provide the capability to impact resource availability.

Missing Authorization When Using @AuthorizeReturnObject in Spring Security 6.3.0 and 6.3.1 allows attacker to render security annotations inaffective.

Cybersecurity researchers are warning about the discovery of thousands of externally-facing Oracle NetSuite e-commerce sites that have been found susceptible to leaking sensitive customer information. "A potential issue in NetSuite's SuiteCommerce platform could allow attackers to access sensitive data due to misconfigured access controls on custom record types (CRTs)," AppOmni's Aaron Costello

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw impacting Jenkins to its Known Exploited Vulnerabilities (KEV) catalog, following its exploitation in ransomware attacks. The vulnerability, tracked as CVE-2024-23897 (CVSS score: 9.8), is a path traversal flaw that could lead to code execution. "Jenkins Command Line Interface (CLI) contains a

### Impact A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. ### Patches This vulnerability has been patched in XWiki 15.10RC1. ### Workarounds No workaround. It is advised to upgrade to XWiki 15.10+. ### References * https://jira.xwiki.org/browse/XWIKI-20331 * https://jira.xwiki.org/browse/XWIKI-21311 * https://jira.xwiki.org/browse/XWIKI-21481 * https://jira.xwiki.org/browse/XWIKI-21482 * https://jira.xwiki.org/browse/XWIKI-21483 * https://jira.xwiki.org/browse/XWIKI-21484 * https://jira.xwiki.org/browse/XWIKI-21485 * https://jira.xwiki.org/browse/XWIKI-21486 * https://jira.xwiki.org/browse/XWIKI-21487 * https://jira.xwiki.org/browse/XWIKI-21488 * https://jira.xwiki.org/browse/XWIKI-21489 * https://jira.xwiki.org/browse/XWIKI-21490 ### ...