CVE-2023-3937: Snow Globe Community

Cross-site scripting vulnerability in the web portal of Snow Software License Manager, from version 9.0.0 up to and including 9.30.1 on Windows, allows an authenticated user with high privileges to trigger a cross-site scripting attack via the web browser.

Email Hacking Reigns as Top Cybersecurity Threat, Indusface Study

By Waqas. The new study has identified a cybersecurity training gap and an alarming lack of preparedness in countering emerging threats. This is a post from HackRead.com.

YouTube makes sweeping changes to tackle spam on Shorts videos

YouTube is making drastic changes to combat a growing tide of spam comments on the Shorts video category. The post YouTube makes sweeping changes to tackle spam on Shorts videos appeared first on Malwarebytes Labs.

Google’s “browse privately” is nothing more than a word play, lawyers say

Private browsing is not what users expect it to be. The post Google’s “browse privately” is nothing more than a word play, lawyers say appeared first on Malwarebytes Labs.

CVE-2023-40260: Unauthorized MFA Code Delivery in EmpowerID

EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA (multi-factor authentication) requirement if the first factor (username and password) is known, because the first factor is sufficient to change an account's email address, and the product would then send MFA codes to the new email address (which may be attacker-controlled). NOTE: this is different from CVE-2023-4177, which claims to be about "some unknown processing of the component Multi-Factor Authentication Code Handler" and thus cannot be correlated with other vulnerability information.

CVE-2023-37511: Knowledge Article View HCL - Customer Support

If certain App Transport Security (ATS) settings are set in a certain manner, insecure loading of web content can be achieved.

Ransomware review: August 2023

July saw one of the highest numbers of ransomware attacks in 2023, at 441. At the forefront of these attacks is, once again, Cl0p. The post Ransomware review: August 2023 appeared first on Malwarebytes Labs.

CVE-2023-40225

HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request.

CVE-2023-40014: Adjust ERC2771Context._msgData for msg.data.length < 20 (#4484) · OpenZeppelin/openzeppelin-contracts@9445f96

OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 4.0.0 and prior to version 4.9.3, contracts using `ERC2771Context` along with a custom trusted forwarder may see `_msgSender` return `address(0)` in calls that originate from the forwarder with calldata shorter than 20 bytes. This combination of circumstances does not appear to be common, in particular it is not the case for `MinimalForwarder` from OpenZeppelin Contracts, or any deployed forwarder the team is aware of, given that the signer address is appended to all calls that originate from these forwarders. The problem has been patched in v4.9.3.

CVE-2023-37625: GitHub - benjaminpsinclair/Netbox-CVE-2023-37625

A stored cross-site scripting (XSS) vulnerability in Netbox v3.4.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Custom Link templates.