Security
Headlines
HeadlinesLatestCVEs

Tag

#web

CVE-2024-29992: Azure Identity Library for .NET Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is data inside the targeted website like IDs, tokens, nonces, and other sensitive information. **Which credential types provided by the Azure Identity client library are affected?** The vulnerability exists in the following credential types: 1. DefaultAzureCredential 2. ManagedIdentityCredential

Microsoft Security Response Center
Open in Source
#vulnerability#web#Azure SDK#Security Vulnerability
CVE-2024-21322: Microsoft Defender for IoT Remote Code Execution Vulnerability

**According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires the attacker to be an administrator of the web application. As is best practice, regular validation and audits of administrative groups should be conducted.

CVE-2024-26232: Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

Home Depot Hammered by Supply Chain Data Breach

SaaS vendor to blame for exposing employee data that was ultimately leaked on Dark Web forum, according to the home improvement retailer.

Porn panic imperils privacy online, with Alec Muffett (re-air): Lock and Code S05E08

This week on the Lock and Code podcast, we re-air an episode with guest Alec Muffett about online age verification.

UP-RESULT 0.1 2024 SQL Injection

UP-RESULT version 0.1 2024 suffers from a remote SQL injection vulnerability.

Trojan.Win32.Razy.abc MVID-2024-0678 Insecure Permissions

Trojan.Win32.Razy.abc malware suffers from an insecure permissions vulnerability.

Google Chrome Adds V8 Sandbox - A New Defense Against Browser Attacks

Google has announced support for what's called a V8 Sandbox in the Chrome web browser in an effort to address memory corruption issues. The sandbox, according to V8 Security technical lead Samuel Groß, aims to prevent "memory corruption in V8 from spreading within the host process." The search behemoth has described V8 Sandbox as a lightweight, in-process sandbox