Security
Headlines
HeadlinesLatestCVEs

Tag

#pdf

Fake Etsy invoice scam tricks sellers into sharing credit card information 

Etsy sellers are being targeted by scammers that use a legitimate Etsy domain to host their dodgy PDFs.

Malwarebytes
#web#git#pdf#auth
ABB Cylon FLXeon 9.3.4 Limited Cross-Site Request Forgery (RCE)

A CSRF vulnerability has been identified in the ABB Cylon FLXeon series. However, exploitation is limited to specific conditions due to the server's CORS configuration (Access-Control-Allow-Origin: * without Access-Control-Allow-Credentials: true). The vulnerability can only be exploited under the following scenarios: Same Domain: The attacker must host the malicious page on the same domain as the target server. Man-in-the-Middle (MitM): The attacker can intercept and modify traffic between the user and the server (e.g., on an unsecured network). Local Area Network (LAN) Access: The attacker must have access to the same network as the target server. Subdomains: The attacker can host the malicious page on a subdomain if the server allows it. Misconfigured CORS: The server’s CORS policy is misconfigured to allow certain origins or headers. Reflected XSS: The attacker can exploit a reflected XSS vulnerability to execute JavaScript in the context of the target origin.

OmniGPT AI Chatbot Alleged Breach: Hacker Leaks User Data, 34M Messages

Hacker claims to have breached OmniGPT, leaking over 30,000 user email address, phone numbers, and 34 million lines of chat messages. Data includes API keys, credentials, and file links.

How These Decentralized AI Solutions Secure Their Services in a Disruptive Industry

This article looks at the measures AI solutions take to secure their offering with insights from platforms like OORT and Filecoin who are creating new security models for their AI infrastructure.

AI’s Role in Cutting Costs and Cybersecurity Threats in Logistics

Supply chains are under immense pressure. Fuel costs are skyrocketing, delays are becoming the norm, and cybersecurity threats…

Teen on Musk’s DOGE Team Graduated from ‘The Com’

Wired reported this week that a 19-year-old working for Elon Musk's so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today's story explores, the DOGE teen is a former denizen of 'The Com,' an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.

ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC

The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated WebSocket implementation that allows an attacker to execute the tcpdump command. This command captures network traffic and filters it on serial ports 4855 and 4851, which are relevant to the device's services. The vulnerability can be exploited in a loop to start multiple instances of tcpdump, leading to resource exhaustion, denial of service (DoS) conditions, and potential data exfiltration. The lack of authentication on the WebSocket interface allows unauthorized users to continuously spawn new tcpdump processes, amplifying the attack's impact.

ABB Cylon FLXeon 9.3.4 (runtimeSetup.sh) Hidden Backdoor Account

The application has a hidden administrative account 'cxpro' that has write access permissions to the device.

Ukraine’s largest bank PrivatBank Targeted with SmokeLoader malware

UAC-0006, a financially motivated threat actor, targets PrivatBank customers with advanced phishing attacks. CloudSEK’s research reveals malicious emails…

Schneider Electric EcoStruxure Power Monitoring Expert (PME)

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.1 ATTENTION: Exploitable remotely Vendor: Schneider Electric Equipment: EcoStruxure Power Monitoring Expert (PME) Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to remotely execute code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: EcoStruxure Power Monitoring Expert (PME): Versions 2022 and prior 3.2 VULNERABILITY OVERVIEW 3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502 A deserialization of untrusted data vulnerability exists which could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server. CVE-2024-9005 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, C...