Security Headlines

Tag: #windows

Zoom Patches ‘Zero-Click’ RCE Bug

The Google Project Zero researcher found a bug in XML parsing on the Zoom client and server.

Threatpost
#vulnerability #web #ios #android #mac #windows #google #linux #rce
Tails users warned not to launch bundled Tor Browser until security fix is released

Critical vulnerability has been fixed upstream, but Tails dev team ‘doesn’t have the capacity to publish an emergency release earlier’

Update now! Multiple vulnerabilities patched in Google Chrome

Google has issued an update for the Chrome browser to patch 32 security issues. One of the vulnerabilities is rated as critical, so install that update as soon as you can.

Proton Is Trying to Become Google—Without Your Data

The encrypted-email company, popular with security-conscious users, has a plan to go mainstream.

New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code. Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between 5.9 and 8.1 in severity. Ivan Fratric of Google

Microsoft Elevation-of-Privilege Vulnerabilities Spiked Again in 2021

But there was a substantial drop in the overall number of critical vulnerabilities that the company disclosed last year, new analysis shows.

CVE-2022-22977: VMSA-2022-0015

VMware Tools for Windows (12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure.

Zoom XMPP Stanza Smuggling Remote Code Execution

This report describes a vulnerability chain that enables a malicious user to compromise another user over Zoom chat. User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat via the XMPP protocol. The initial vulnerability (labeled XMPP Stanza Smuggling) abuses parsing inconsistencies between the XML parsers on Zoom's client and server in order to "smuggle" arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack. Finally, by intercepting and modifying client update requests and responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is used to bypass the signature check on the update installer. This attack has been demonstrated against the ...

CVE-2022-30838: bug_report_CVE/sql.md at main · mikeccltt/bug_report_CVE

Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/classes/Master.php?f=update_application_status

CVE-2022-30839: bug_report_CVE/xss.md at main · mikeccltt/bug_report_CVE

Room-rent-portal-site v1.0 is vulnerable to Cross Site Scripting (XSS) via /rrps/classes/Master.php?f=save_category, vehicle_name.