#android

Improper validation of the cloud certificate chain in Mobile Connect allows man-in-the-middle attack to impersonate the legitimate Command Centre Server. This issue affects: Gallagher Command Centre Mobile Connect for Android 15 versions prior to 15.04.040; version 14 and prior versions.

In ape extractor, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS05561395; Issue ID: ALPS05561395.

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

CKEditor4 is an open source WYSIWYG HTML editor. In affected version a vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4. The vulnerability allowed to inject malformed comments HTML bypassing content sanitization, which could result in executing JavaScript code. It affects all users using the CKEditor 4 at version < 4.17.0. The problem has been recognized and patched. The fix will be available in version 4.17.0.

Zoho Web mail version NA is affected by an incorrect access control vulnerability. Before a domain expires one needs to configure with Zoho web mail to send mails. Upon domain expiry, the person would still be able to send mail with that account, despite losing ownership of domain.

Possible buffer overflow due to lack of parameter length check during MBSSID scan IE parse in Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity

The Keybase Client for Windows before version 5.7.0 contains a path traversal vulnerability when checking the name of a file uploaded to a team folder. A malicious user could upload a file to a shared folder with a specially crafted file name which could allow a user to execute an application which was not intended on their host machine. If a malicious user leveraged this issue with the public folder sharing feature of the Keybase client, this could lead to remote code execution.

Another Patch Tuesday has come around, and while it may seem as a calm one for a change, there is enough to patch and update. Categories: Exploits and vulnerabilities Tags: 3d viewer adobe Android Cisco citrix excel exchange server Intel microsoft Microsoft Defender patch tuesday rdp sap siemens vmware *( Read more... ( https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/11/patch-now-microsoft-plugs-actively-exploited-zero-days-and-other-updates/ ) )* The post Patch now! Microsoft plugs actively exploited zero-days and other updates appeared first on Malwarebytes Labs.

PhoneSpy already has stolen data and tracked the activity of targets in South Korea, disguising itself as legitimate lifestyle apps.

An ongoing mobile spyware campaign has been uncovered snooping on South Korean residents using a family of 23 malicious Android apps to siphon sensitive information and gain remote control of the devices. "With more than a thousand South Korean victims, the malicious group behind this invasive campaign has had access to all the data, communications, and services on their devices," Zimperium