#windows

ConcreteCMS v9.1.3 was discovered to be vulnerable to Xpath injection attacks. This vulnerability allows attackers to access sensitive XML data via a crafted payload injected into the URL path folder "3".

A cross-site scripting (XSS) vulnerability in the component /signup_script.php of Ecommerce-Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the eMail parameter.

A cross-site scripting (XSS) vulnerability in ClicShopping_V3 v3.402 allows attackers to execute arbitrary web scripts or HTML via a crafted URL parameter.

Rukovoditel v3.2.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in the component /rukovoditel/index.php?module=users/login. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted GET request.

Categories: News Categories: Threats Tags: Lazarus Tags: APT38 Tags: AppleJeus Tags: sideloading Tags: BloxHolder Researchers have found a new Lazarus campaign, once again targeting cryptocurrency users and organizations by deploying a fake website and malicious documents. (Read more...) The post Lazarus group uses fake cryptocurrency apps to plant AppleJeus malware appeared first on Malwarebytes Labs.

Categories: Exploits and vulnerabilities Categories: News Tags: V8 Tags: V8 JavaScript Engine Tags: Google Chrome Tags: Chrome Tags: CVE-2022-4262 Tags: 108.0.5359.94 Tags: 108.0.5359.95 Tags: Chrome V8 flaw Tags: type confusion Google has rolled out an out-of-band patch for an actively exploited zero-day vulnerability in its V8 JavaScript engine. Make sure you're using the latest version. (Read more...) The post Update now! Emergency fix for Google Chrome's V8 JavaScript engine zero-day flaw released appeared first on Malwarebytes Labs.

Path resolution in `hyper-staticfile` didn't correctly validate Windows paths, meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this.

A Firewall Rule which allows all incoming TCP connections to all programs from any source and to all ports is created in Windows Firewall after Zabbix agent installation (MSI)

The Cap'n Proto library and capnp Rust package are vulnerable to out-of-bounds read due to logic error handling list-of-list. If a message consumer expects data of type "list of pointers", and if the consumer performs certain specific actions on such data, then a message producer can cause the consumer to read out-of-bounds memory. This could trigger a process crash in the consumer, or in some cases could allow exfiltration of private in-memory data. Impact ====== - Remotely segfault a peer by sending it a malicious message, if the victim performs certain actions on a list-of-pointer type. - Possible exfiltration of memory, if the victim performs additional certain actions on a list-of-pointer type. - To be vulnerable, an application must perform a specific sequence of actions, described below. At present, **we are not aware of any vulnerable application**, but we advise updating regardless. Fixed in ======== Unfortunately, the bug is present in inlined code, therefore the fix will...

Categories: Podcast This week on Lock and Code, we explore why security advisories—which businesses rely on to inform them about security patches—are falling short of their intended goals. (Read more...) The post Security advisories are falling short. Here's why, with Dustin Childs: Lock and Code S03E25 appeared first on Malwarebytes Labs.