#ios

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting `config.absRefPrefix=auto`, attackers can inject malicious HTML code to pages that have not been rendered and cached, yet. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of `GeneralUtility::getIndpEnv('SCRIPT_NAME')` and corresponding usages (as shown below) are vulnerable as well. Additional investigations confirmed that at least Apache web server deployments using CGI (FPM, FCGI/FastCGI, and similar) are affected. However, there still might be the risk that other scenarios like nginx, IIS, or Apache/mod_php are vulnerable. The u...

By Habiba Rashid Google's CEO, Sundar Pichai, described the ChatGPT rival, Bard, as an "experimental conversational AI service" powered by LaMDA. This is a post from HackRead.com Read the original post: Google Introduces Bard: New ChatGPT Rival

Categories: Business See how our new offering Malwarebytes Security for Business helps you crush mobile malware and phishing attacks. (Read more...) The post Introducing Malwarebytes Mobile Security for Business: How to find malware and stop phishing attacks on smartphones and ChromeOS appeared first on Malwarebytes Labs.

BTicino Door Entry HOMETOUCH for iOS 1.4.2 was discovered to be missing an SSL certificate.

In Boa, there is a possible escalation of privilege due to a stack buffer overflow. This could lead to remote escalation of privilege from a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20210008; Issue ID: OSBNB00123241.

The components wfshbr64.sys and wfshbr32.sys in Another Eden before v3.0.20 and before v2.14.200 allows attackers to perform privilege escalation via a crafted payload.

Categories: News Tags: week in security Tags: blog roundup Tags: Roomba Tags: Facebook Tags: Eileen Gun Tags: Lock and Code Tags: data wiper Tags: LearnPress Tags: Riot Games Tags: League of Legends Tags: malvertising Tags: dark patterns Tags: supply chain attacks Tags: GitHub Tags: ransomware monthly Tags: ransomware Tags: AV-TEST top product Tags: multi-threat ransomware Tags: CISA Tags: BEC Tags: business email compromise The most interesting security related news from the week of January 30 - February 5. (Read more...) The post A week in security (January 30 - February 5) appeared first on Malwarebytes Labs.

A new Android banking trojan has set its eyes on Brazilian financial institutions to commit fraud by leveraging the PIX payments platform. Italian cybersecurity company Cleafy, which discovered the malware between the end of 2022 and the beginning of 2023, is tracking it under the name PixPirate. "PixPirate belongs to the newest generation of Android banking trojan, as it can perform ATS (

In Progress WS_FTP Server before 8.8, it is possible for a host administrator to elevate their privileges via the administrative interface due to insufficient authorization controls applied on user modification workflows.

** UNSUPPORTED WHEN ASSIGNED ** Cross Site Scripting (XSS) vulnerability in Teradek Bond, Bond 2 and Bond Pro firmware version 7.3.x and earlier allows remote attackers to run arbitrary code via the Friendly Name field in System Information Settings. NOTE: Vedor states the product has reached End of Life and will not be receiving any firmware updates to address this issue.