Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Journyx 11.5.4 Unauthenticated Password Reset Bruteforce

Journyx version 11.5.4 suffers from an issue where password reset tokens are generated using an insecure source of randomness. Attackers who know the username of the Journyx installation user can bruteforce the password reset and change the administrator password.

Packet Storm
Open in Source
#vulnerability#web#linux#pdf#auth
CVE-2024-7535: Chromium: CVE-2024-7536 Use after free in WebAudio

**What is the version information for this release?** Microsoft Edge Channel Microsoft Edge Version Based on Chromium Version Date Released Stable 127.0.2651.98 127.0.6533.99/.100 8/8/2024

Open WebUI 0.1.105 File Upload / Path Traversal

Open WebUI version 0.1.105 suffers from arbitrary file upload and path traversal vulnerabilities.

Open WebUI 0.1.105 Persistent Cross Site Scripting

Open WebUI version 0.1.105 suffers from a persistent cross site scripting vulnerability.

University Professors Targeted by North Korean Cyber Espionage Group

The North Korea-linked threat actor known as Kimsuky has been linked to a new set of attacks targeting university staff, researchers, and professors for intelligence gathering purposes. Cybersecurity firm Resilience said it identified the activity in late July 2024 after it observed an operation security (OPSEC) error made by the hackers. Kimsuky, also known by the names APT43, ARCHIPELAGO,

USPS Text Scammers Duped His Wife, So He Hacked Their Operation

The Smishing Triad network sends up to 100,000 scam texts per day globally. One of those messages went to Grant Smith, who infiltrated their systems and exposed them to US authorities.

0.0.0.0 Day: 18-Year-Old Browser Vulnerability Impacts MacOS and Linux Devices

Cybersecurity researchers have discovered a new "0.0.0.0 Day" impacting all major web browsers that malicious websites could take advantage of to breach local networks. The critical vulnerability "exposes a fundamental flaw in how browsers handle network requests, potentially granting malicious actors access to sensitive services running on local devices," Oligo Security researcher Avi Lumelsky

SaaS Apps Present an Abbreviated Kill Chain for Attackers

Black Hat presentation reveals adversaries don't need to complete all seven stages of a traditional kill chain to achieve their objectives.

Dorsett Controls InfoScan

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Dorsett Controls Equipment: InfoScan Vulnerabilities: Exposure of Sensitive Information To An Unauthorized Actor, Path Traversal 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to expose sensitive information, resulting in data theft and misuse of credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Dorsett Controls products are affected: InfoScan: v1.32, v1.33, and v1.35 3.2 Vulnerability Overview 3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 Dorsett Controls InfoScan is vulnerable due to a leak of possible sensitive information through the response headers and the rendered JavaScript prior to user login. CVE-2024-42493 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). A CVSS v4 score has a...

Critical AWS Vulnerabilities Allow S3 Attack Bonanza

Researchers at Aqua Security discovered the "Shadow Resource" attack vector and the "Bucket Monopoly" problem, where threat actors can guess the name of S3 buckets based on their public account IDs.