Security
Headlines
HeadlinesLatestCVEs

Tag

#dos

ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC

The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated WebSocket implementation that allows an attacker to execute the tcpdump command. This command captures network traffic and filters it on serial ports 4855 and 4851, which are relevant to the device's services. The vulnerability can be exploited in a loop to start multiple instances of tcpdump, leading to resource exhaustion, denial of service (DoS) conditions, and potential data exfiltration. The lack of authentication on the WebSocket interface allows unauthorized users to continuously spawn new tcpdump processes, amplifying the attack's impact.

Zero Science Lab
Open in Source
#vulnerability#web#linux#dos#nodejs#js#intel#pdf#auth
GHSA-2hjh-495w-hmxc: Sylius allows unrestricted brute-force attacks on user accounts

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users.

GHSA-56jp-w6vw-j3jw: Apache James vulnerable to denial of service through the use of IMAP literals

Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause unbounded memory allocation and very long computations Version 3.7.6 and 3.8.2 restrict such illegitimate use of IMAP literals.

GHSA-57m2-h3fw-rxhw: Apache James vulnerable to denial of service through JMAP HTML to text conversion

Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Users are recommended to upgrade to version 3.7.6 and 3.8.2, which fix this issue.

DOGE Teen Owns ‘Tesla.Sexy LLC’ and Worked at Startup That Has Hired Convicted Hackers

Experts question whether Edward Coristine, a DOGE staffer who has gone by “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

GHSA-7qgg-vw88-cc99: utils-extend Prototype Pollution

The latest version of utils-extend (1.0.8) is vulnerable to Prototype Pollution through the entry function(s) lib.extend. An attacker can supply a payload with Object.prototype setter to introduce or modify properties within the global prototype chain, causing denial of service (DoS) a the minimum consequence.

GHSA-pc47-g7gv-4gpw: @rpldy/uploader prototype pollution

A prototype pollution in the lib.createUploader function of @rpldy/uploader v1.8.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

GHSA-fg4m-w35q-vfg2: @zag-js/core prototype pollution

A prototype pollution in the lib.deepMerge function of @zag-js/core v0.50.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

GHSA-89fp-f5mx-748x: vxe-table prototype pollution

A prototype pollution in the lib.install function of vxe-table v4.8.10 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

GHSA-r7jx-5m6m-cpg9: eazy-logger prototype pollution

A prototype pollution in the lib.Logger function of eazy-logger v4.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.