Security
Headlines
Tag: #dos

What Really Happened With the DDoS Attacks That Took Down X

Elon Musk said a “massive cyberattack” disrupted X on Monday and pointed to “IP addresses originating in the Ukraine area” as the source of the attack. Security experts say that's not how it works.

Wired
#web #cisco #ddos #dos #intel #perl #botnet #auth
Schneider Electric Uni-Telway Driver

1. EXECUTIVE SUMMARY

CVSS v4 6.8
ATTENTION: Low attack complexity
Vendor: Schneider Electric
Equipment: Uni-Telway Driver
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to perform a denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports the following products are affected:

* Schneider Electric Uni-Telway Driver: All versions
* Schneider Electric Uni-Telway Driver installed on Control Expert: All versions
* Schneider Electric Uni-Telway Driver installed on Process Expert: All versions
* Schneider Electric Uni-Telway Driver installed on Process Expert for AVEVA System Platform: All versions
* Schneider Electric Uni-Telway Driver installed on OPC Factory Server: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

Schneider Electric Uni-Telway Driver is vulnerable to an improper input validation vulnerability that could cause denial-of-service of e...

Musk Blames X (Twitter) Outage on Cyberattack, Links It to Ukraine

Elon Musk has confirmed a massive cyberattack on his social media platform, X (once Twitter), causing widespread technical…

CVE-2025-24997: DirectX Graphics Kernel File Denial of Service Vulnerability

**According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to compromise admin credentials on the device.

X users report login troubles as Dark Storm claims cyberattack

In the early morning hours of March 10, thousands of users on X (formerly Twitter) began having trouble logging into the...

GHSA-2466-4485-4pxj: LocalS3 Project Bucket Operations Vulnerable to XML External Entity (XXE) Injection

## Description

The LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. Specifically, the vulnerability exists in the bucket ACL and bucket tagging operations. The application processes XML input without properly disabling external entity resolution, allowing an attacker to read arbitrary files from the server's filesystem.

The vulnerability occurs because the XML parser used by the application processes DOCTYPE declarations and allows external entity references. When processing bucket ACL or tagging operations, the application includes the content of external entities in its response, effectively exposing sensitive files from the server. This type of vulnerability can be exploited to read sensitive files, perform server-side request forgery (SSRF), or potentially achieve denial of service through various XXE attack vectors.

## Steps to Reproduce

1. Create a test bucket using PUT request to http://[server]/[b...

GHSA-fmwf-c46w-r8qm: qcp has possible crash/DOS in some build configurations

**Nature of issue:** Crash (Denial of Service)
**Source of issue:** Dependent package (ring)
**Affected versions of qcp:** 0.1.0-0.3.2
**Recommendation:** Upgrade to qcp 0.3.3 or later

### Who is affected

All versions of qcp from 0.1.0 to 0.3.2 are affected, but **only if built with runtime overflow checks.**

* Released qcp binaries do not enable runtime overflow checks by default. **If you use an official released qcp binary download, you are not affected.**
* If you built qcp yourself in debug mode, you are affected unless your debug configuration explicitly disables overflow checks.
* If you built qcp yourself in release mode, you are only affected if you explicitly requested runtime overflow checks at build time by setting the appropriate `RUSTFLAGS`, or in your Cargo.toml profile.

### What to do if you are affected

**We recommend you upgrade to qcp 0.3.3 or later.** Users upgrading from versions prior to 0.3.0 should note that an incompatible protocol change was introduced in...

GHSA-p2ph-7g93-hw3m: Vue I18n Allows Prototype Pollution in `handleFlatJson`

**Vulnerability type:** Prototype Pollution

**Vulnerability Location(s):**

```
# v9.1
node_modules/@intlify/message-resolver/index.js
# v9.2 or later
node_modules/@intlify/vue-i18n-core/index.js
```

**Description:** The latest versions of `@intlify/message-resolver` (9.1) and `@intlify/vue-i18n-core` (9.2 or later), and possibly earlier versions as well, are vulnerable to Prototype Pollution through the entry function `handleFlatJson`. An attacker can supply a payload containing an `Object.prototype` setter such as `__proto__` to introduce or modify properties on the global prototype chain, causing denial of service (DoS) as the minimum consequence. Moreover, the consequences of this vulnerability can escalate to other injection-based attacks, depending on how the library integrates within the application. For instance, if the polluted property propagates to sensitive Node.js APIs (e.g., `exec`, `eval`), it could enable an attacker to execute arbitrary commands within the application's context.

**PoC:** ...
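The mechanism the advisory describes, shown on a stand-in: the following is an added example, not vue-i18n's `handleFlatJson` or any code from the advisory. It implements a minimal "flat JSON" unflattener of the kind a message resolver uses (`{"greeting.hello": "Hi"}` becomes `{greeting: {hello: "Hi"}}`), first in a vulnerable form where a `__proto__` path segment walks onto `Object.prototype`, then in a hardened form that refuses prototype-machinery keys and only descends into properties the result object itself owns. The function names, the `UNSAFE_KEYS` list and the `PAYLOAD` object are constructed for the example.

```javascript
// Added example (not vue-i18n's code): a minimal "flat JSON" unflattener of the
// kind a message resolver uses, in a vulnerable and a hardened form.
// Input like {"greeting.hello": "Hi"} becomes {greeting: {hello: "Hi"}}.

const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Vulnerable: walks the dotted path with plain property access, so a segment
// "__proto__" resolves to Object.prototype and the final assignment lands on
// the global prototype chain, visible from every plain object afterwards.
function unflattenUnsafe(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const keys = path.split(".");
    let cur = out;
    for (let i = 0; i < keys.length - 1; i++) {
      const k = keys[i];
      if (typeof cur[k] !== "object" || cur[k] === null) cur[k] = {};
      cur = cur[k];
    }
    cur[keys[keys.length - 1]] = value;
  }
  return out;
}

// Hardened: rejects path segments that name the prototype machinery and only
// descends into objects the result itself owns (never an inherited one).
// Throwing is the right call for untrusted locale data; silently skipping the
// key is the alternative if the input is trusted but sloppy.
function unflattenSafe(flat) {
  const out = {};
  for (const [path, value] of Object.entries(flat)) {
    const keys = path.split(".");
    for (const k of keys) {
      if (UNSAFE_KEYS.has(k)) {
        throw new Error(`refusing prototype-polluting key segment: ${k}`);
      }
    }
    let cur = out;
    for (let i = 0; i < keys.length - 1; i++) {
      const k = keys[i];
      if (!Object.hasOwn(cur, k) || typeof cur[k] !== "object" || cur[k] === null) {
        cur[k] = {};
      }
      cur = cur[k];
    }
    cur[keys[keys.length - 1]] = value;
  }
  return out;
}

// Constructed attacker payload: one legitimate message plus a polluting key.
const PAYLOAD = { "greeting.hello": "Hi", "__proto__.polluted": "yes" };

// Runs both versions and reports whether a fresh, unrelated object inherited
// the attacker's property. Cleans the global prototype up afterwards.
function demo() {
  delete Object.prototype.polluted;
  unflattenUnsafe(PAYLOAD);
  const unsafeLeaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;

  let safeRejected = false;
  try {
    unflattenSafe(PAYLOAD);
  } catch (e) {
    safeRejected = true;
  }
  const safeLeaked = ({}).polluted === "yes";
  delete Object.prototype.polluted;
  return { unsafeLeaked, safeRejected, safeLeaked };
}

console.log(demo()); // { unsafeLeaked: true, safeRejected: true, safeLeaked: false }
```

The `Object.hasOwn` check matters even with the deny-list: it stops the walker from ever reusing an inherited object as a container, so a key that slips past the list still cannot write outside the result.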

A Brand-New Botnet Is Delivering Record-Size DDoS Attacks

Eleven11bot infects webcams and video recorders, with a large concentration in the US.

GHSA-vc29-vg52-6643: DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api

### Impact

_What kind of vulnerability is it? Who is impacted?_

A vulnerability in the `OpenTelemetry.Api` package, versions `1.10.0` to `1.11.1`, could cause a [Denial of Service (DoS) when a tracestate and traceparent header is received](https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-8785-wc3w-h8q6). These versions are used in OpenTelemetry .NET Automatic Instrumentation `1.10.0-beta.1` and `1.10.0`. Even if an application does not explicitly use trace context propagation, receiving these headers can still trigger high CPU usage. This issue impacts any web-accessible application or backend service that processes HTTP requests containing a tracestate header. Applications may experience excessive resource consumption, leading to increased latency, degraded performance, or downtime.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

This issue has been resolved in `OpenTelemetry.Api` `1.11.2` by reverting the change that intro...
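The fix for the advisory above is the upgrade to `1.11.2`; the excerpt does not say what in the header handling burns the CPU, and the following does not try to reproduce it. It is an added example, not OpenTelemetry code, of the guard a practitioner can put in front of any propagator: validate inbound `traceparent` and `tracestate` against the W3C Trace Context grammar and size limits (at most 32 list-members, keys and values of at most 256 characters, a single fixed-format traceparent) with bounded linear work, and drop anything that fails before a library ever parses it. Function names, the derived `MAX_TRACESTATE_LENGTH` cap and the sample headers are constructed for the example.

```javascript
// Added example (not OpenTelemetry's code): validate W3C Trace Context headers
// at the edge, before any propagator sees them. Limits are the spec's:
// at most 32 tracestate list-members, keys and values of at most 256 chars.

const MAX_TRACESTATE_MEMBERS = 32;
// Largest header the member/key/value limits allow (32 * "key=value" plus
// 31 separating commas); anything longer is rejected before parsing.
const MAX_TRACESTATE_LENGTH =
  MAX_TRACESTATE_MEMBERS * (256 + 1 + 256) + (MAX_TRACESTATE_MEMBERS - 1);

// traceparent: version-traceid-parentid-flags, all lowercase hex.
const TRACEPARENT_RE = /^([0-9a-f]{2})-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$/;
// tracestate key: simple key, or tenant@vendor multi-tenant form.
const TRACESTATE_KEY_RE =
  /^(?:[a-z][a-z0-9_\-*\/]{0,255}|[a-z0-9][a-z0-9_\-*\/]{0,240}@[a-z][a-z0-9_\-*\/]{0,13})$/;
// tracestate value: printable ASCII except ',' and '=', no trailing space.
const TRACESTATE_VALUE_RE = /^[\x20-\x2b\x2d-\x3c\x3e-\x7e]{0,255}[\x21-\x2b\x2d-\x3c\x3e-\x7e]$/;

function validateTraceparent(value) {
  if (typeof value !== "string") return false;
  const m = TRACEPARENT_RE.exec(value);
  if (!m) return false;
  const [, version, traceId, parentId] = m;
  if (version === "ff") return false; // reserved, never valid
  if (/^0+$/.test(traceId) || /^0+$/.test(parentId)) return false; // all-zero ids are invalid
  return true;
}

function validateTracestate(value) {
  if (typeof value !== "string") return { ok: false, reason: "not a string" };
  if (value.length > MAX_TRACESTATE_LENGTH) return { ok: false, reason: "header too long" };
  // Optional whitespace around commas is allowed; empty members are ignored.
  const members = value.split(",").map((m) => m.trim()).filter((m) => m.length > 0);
  if (members.length > MAX_TRACESTATE_MEMBERS) return { ok: false, reason: "too many list-members" };
  const seen = new Set();
  for (const member of members) {
    const eq = member.indexOf("=");
    if (eq < 0) return { ok: false, reason: `member without '=': ${member}` };
    const key = member.slice(0, eq);
    const val = member.slice(eq + 1);
    if (!TRACESTATE_KEY_RE.test(key)) return { ok: false, reason: `bad key: ${key}` };
    if (!TRACESTATE_VALUE_RE.test(val)) return { ok: false, reason: `bad value for key: ${key}` };
    if (seen.has(key)) return { ok: false, reason: `duplicate key: ${key}` };
    seen.add(key);
  }
  return { ok: true, members: members.length };
}

// Returns a copy of the inbound headers with invalid trace context removed.
// An invalid traceparent restarts the trace, so tracestate goes with it;
// an invalid tracestate alone is dropped while traceparent is kept.
function sanitizeTraceHeaders(headers) {
  const out = { ...headers };
  const tp = headers["traceparent"];
  const ts = headers["tracestate"];
  if (tp !== undefined && !validateTraceparent(tp)) {
    delete out["traceparent"];
    delete out["tracestate"];
    return out;
  }
  if (ts !== undefined && !validateTracestate(ts).ok) delete out["tracestate"];
  return out;
}

// Constructed sample request headers for a stand-alone run.
const SAMPLE_HEADERS = {
  host: "api.example.test",
  traceparent: "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
  tracestate: Array.from({ length: 40 }, (_, i) => `vendor${i}=v`).join(","), // 40 members: over the limit
};

console.log(sanitizeTraceHeaders(SAMPLE_HEADERS)); // tracestate dropped, traceparent kept
```

Running this as middleware costs one pass over each header, so the cap on total length and member count bounds the work regardless of what the attacker sends; the propagator behind it then only ever sees well-formed context.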