#vulnerability

A free VPN app called Big Mama is selling access to people’s home internet networks. Kids are using it to cheat in a VR game while researchers warn of bigger security risks.

Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information. The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0. "A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files," the

The number of DDoS-related incidents targeting APIs have jumped by 30x compared with traditional Web assets, suggesting that attackers see the growing API landscape as the more attractive target.

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xrh7-2gfq-4rcq. This link is maintained to preserve external references. ## Original Description OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor Function.

KEY SUMMARY POINTS The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting…

KEY SUMMARY POINTS The FBI has issued a Private Industry Notification (PIN) to highlight new malware campaigns targeting…

A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the `rage` CLI through an attacker-controlled recipient or identity string, or to the following `age` APIs when the `plugin` feature flag is enabled: - [`age::plugin::Identity::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#impl-FromStr-for-Identity) (or equivalently [`str::parse::<age::plugin::Identity>()`](https://doc.rust-lang.org/stable/core/primitive.str.html#method.parse)) - [`age::plugin::Identity::default_for_plugin`](https://docs.rs/age/0.11.0/age/plugin/struct.Identity.html#method.default_for_plugin) - [`age::plugin::IdentityPluginV1::new`](https://docs.rs/age/0.11.0/age/plugin/struct.IdentityPluginV1.html#method.new) - [`age::plugin::Recipient::from_str`](https://docs.rs/age/0.11.0/age/plugin/struct.Recipient.html#impl-FromStr-for-Recipient) (or equivalently [`str::parse::<age::plugin::Recipient>()`](https://doc.rust-la...

### Impact <!-- _What kind of vulnerability is it? Who is impacted?_ --> **Impacted are the only ones who use [`hd_wallet::Slip10Like`](https://docs.rs/hd-wallet/0.5.1/hd_wallet/struct.Slip10Like.html) or [`slip_10`](https://docs.rs/slip-10/latest/slip_10/) derivation method instantiated with curves other than secp256k1 and secp256r1.** `hd_wallet` crate used to provide `Slip10Like` derivation method, which is also provided in `slip-10` crate as a default derivation method. It's based on [slip10](https://github.com/satoshilabs/slips/blob/master/slip-0010.md) method that searches for a valid child key in an infinite loop until it's found. Theoretically, this could be exploited by an attacker by finding a derivation path that would force someone to execute a lot of iterations of this loop to find a valid child key. This attack, however, requires the probability of getting an invalid scalar from random 32 bytes to be high. Slip10 is protected from this attack as it's only defined on se...