Security
Headlines
HeadlinesLatestCVEs

Tag

#ios

catdoc zero-day, NVIDIA, High-Logic FontCreator and Parallel vulnerabilities

Cisco Talos’ Vulnerability Discovery & Research team recently disclosed three zero-day vulnerabilities in catdoc, as well as vulnerabilities in Parallel, NVIDIA and High-Logic FontCreator 15.

TALOS
Open in Source
#vulnerability#web#ios#mac#windows#microsoft#debian#cisco#git#intel#buffer_overflow#zero_day
GHSA-9wj4-8h85-pgrw: OctoPrint Vulnerable to Denial of Service through malformed HTTP request in OctoPrint

### Impact OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken `multipart/form-data` request to OctoPrint and through that make the web server component become unresponsive. This could be used to effectively run a denial of service attack on the OctoPrint server. ### Patches The vulnerability has been patched in version 1.11.2. ### Workaround OctoPrint administrators are once more reminded to not make OctoPrint available on hostile networks (e.g. the internet), regardless of whether this vulnerability is patched or not. ### Details The issue can be triggered by a broken `multipart/form-data` request lacking an end boundary to any of OctoPrint's endpoints implemented through the `octoprint.server.util.tornado.UploadStorageFallbackHandler` request handler. The request handler will get stuck in an endless busy loop, looking for a part of the request that will never come. As Tornado is single-...

GHSA-m9jh-jf9h-x3h2: OctoPrint vulnerable to possible file extraction via upload endpoints

### Impact OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the `FILE_UPLOAD` permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. The primary risk lies in the potential exfiltration of secrets stored inside OctoPrint's config, or further system files. By removing important runtime files, this could also be used to impact the availability of the host. Given that the attacker requires a user account with file upload permissions, the actual impact of this should however hopefully be minimal in most cases. ### Patches The vulnerability has been patched in version 1.11.2. ### Details A specially crafted HTTP Request to an affected upload endpoint that contains some form inputs only supposed to be used internally can be used to make OctoPrint move a file that it thinks is a freshly uploaded temporary one into its upload folder. ...

44% of people encounter a mobile scam every single day, Malwarebytes finds

A mobile scam finds most people at least once a week, new Malwarebytes research reveals. The financial and emotional consequences are dire.

Chinese-Linked Hackers Targeted 70+ Global Organizations, SentinelLABS

SentinelLABS uncovers widespread China-linked cyber espionage targeting over 70 global organizations and cybersecurity firms between July 2024 and…

The Mystery of iPhone Crashes That Apple Denies Are Linked to Chinese Hacking

Plus: A 22-year-old former intern gets put in charge of a key anti-terrorism program, threat intelligence firms finally wrangle their confusing names for hacker groups, and more.

How to update Chrome on every operating system

How to update Chrome on every Operating System (Windows, Mac, Linux, Chrome OS, Android, iOS)

NICKNAME: Zero-Click iMessage Exploit Targeted Key Figures in US, EU

iVerify’s NICKNAME discovery reveals a zero-click iMessage flaw exploited in targeted attacks on US & EU high-value individuals…

Pornhub, RedTube, and YouPorn block access in France, VPN use set to soar

Major porn sites have blocked access in France in response to age verification demands.