Security
Headlines
HeadlinesLatestCVEs

Tag

#web

Cisco Warns of Massive Surge in Password-Spraying Attacks on VPNs

Attackers are indiscriminately targeting VPNs from Cisco and several other vendors in what may be a reconnaissance effort, the vendor says.

DARKReading
Open in Source
#vulnerability#web#cisco#dos#auth#ssh
GPT-4 Can Exploit Most Vulns Just by Reading Threat Advisories

Existing AI technology can allow hackers to automate exploits for public vulnerabilities in minutes flat. Very soon, diligent patching will no longer be optional.

Law enforcement reels in phishing-as-a-service whopper

A major international law enforcement effort has disrupted the notorious LabHost phishing-as-a-service platform.

CVE-2024-3847: Chromium: CVE-2024-3847 Insufficient policy enforcement in WebUI

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

CVE-2024-3833: Chromium: CVE-2024-3833 Object corruption in WebAssembly

**Why is this Chrome CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable. **How can I see the version of the browser?** 1. In your Microsoft Edge browser, click on the 3 dots (...) on the very right-hand side of the window 2. Click on **Help and Feedback** 3. Click on **About Microsoft Edge**

GHSA-7947-48q7-cp5m: Dolibarr Application Home Page has HTML injection vulnerability

### Summary Observed a HTML Injection vulnerbaility in the Home page of Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). ### Details 1. Navigate to the login page of Dolibarr application. 2. Submit a login request with the following payload in an arbitrarily supplied body parameter: "**u70ea%22%3e%3c!--HTML_Injection_By_Sai"=1** **HTTP Post Request:** POST /dolibarr/index.php?mainmenu=home HTTP/1.1 Host: 192.168.37.129 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept...

Debian Security Advisory 5665-1

Debian Linux Security Advisory 5665-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

Debian Security Advisory 5664-1

Debian Linux Security Advisory 5664-1 - Jetty 9 is a Java based web server and servlet engine. It was discovered that remote attackers may leave many HTTP/2 connections in ESTABLISHED state (not closed), TCP congested and idle. Eventually the server will stop accepting new connections from valid clients which can cause a denial of service.

Elber Wayber Analog/Digital Audio STL 4.00 Insecure Direct Object Reference

Elber Wayber Analog/Digital Audio STL version 4.00 suffers from an unauthenticated device configuration and client-side hidden functionality disclosure vulnerability.