Security
Headlines
HeadlinesLatestCVEs

Tag

#ios

CVE-2022-3337: Lock WARP switch bypass by removing VPN profile on iOS mobile client

It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch feature being enabled on Zero Trust Platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform.

CVE
Open in Source
#ios
CVE-2022-3322: Lock WARP switch bypass on WARP mobile client using iOS quick action

Lock Warp switch is a feature of Zero Trust platform which, when enabled, prevents users of enrolled devices from disabling WARP client. Due to insufficient policy verification by WARP iOS client, this feature could be bypassed by using the "Disable WARP" quick action.

CVE-2022-3321

It was possible to bypass Lock WARP switch feature https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch on the WARP iOS mobile client by enabling both "Disable for cellular networks" and "Disable for Wi-Fi networks" switches at once in the application settings. Such configuration caused the WARP client to disconnect and allowed the user to bypass restrictions and policies enforced by the Zero Trust platform.

Apple Launches New Security Research Hub

Apple engineers share technical details about the team's work on memory safety features on the new Apple Security Research site.

CVE-2022-39978: bug_report/RCE-1.md at main · z1pwn/bug_report

Online Pet Shop We App v1.0 was discovered to contain an arbitrary file upload vulnerability via the Editing function in the Product List module. This vulnerability allows attackers to execute arbitrary code via a crafted PHP file uploaded through the picture upload point.

CVE-2022-0072: openlitespeed/httpserver.cpp at v1.7.16 · litespeedtech/openlitespeed

Directory Traversal vulnerability in LiteSpeed Technologies OpenLiteSpeed Web Server Dashboard allows Path Traversal. This affects versions from 1.5.11 through 1.5.12, from 1.6.5 through 1.6.20.1, from 1.7.0 before 1.7.16.1

iOS Bug Lets Apps Record Siri Conversations

Without even asking for permissions, the newly discovered 'SiriSpy' flaw in Apple's iOS Bluetooth access could allow someone to access user interactions with Siri and keyboard-dictation audio.

CVE-2022-42055: GL.iNET MT300N-V2 Vulnerabilities and Hardware Teardown

Multiple command injection vulnerabilities in GL.iNet GoodCloud IoT Device Management System Version 1.00.220412.00 via the ping and traceroute tools allow attackers to read arbitrary files on the system.

Threat Source newsletter (Oct. 27, 2022): I thought we were already aware of supply chain attacks?

Supply chain attacks were all the rage in 2020 after SolarWinds, but we seem to have forgotten how important they are.

New streaming ad technology plays hide-and-seek with gamers

Categories: News Tags: Amazon Tags: Twitch Tags: Prime Tags: streaming Tags: gamer Tags: gaming Tags: advert Tags: advertising Tags: in-game We take a look at new form of ad tech for Twitch streaming viewers, but not players. How does it work? Can it even be successful? (Read more...) The post New streaming ad technology plays hide-and-seek with gamers appeared first on Malwarebytes Labs.