#vulnerability

A security issue was identified in the NanoProxy project related to the `golang.org/x/crypto` dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates. Impact: The specific vulnerabilities in the outdated version of `golang.org/x/crypto` could include authorization bypasses, data breaches, or other security risks. These vulnerabilities can be exploited by attackers to compromise the integrity, confidentiality, or availability of the system. Resolution: The issue has been fixed in NanoProxy by upgrading the `golang.org/x/crypto` dependency to version 0.31.0. Users are strongly encouraged to update their instances of NanoProxy to include this fix and ensure they are using the latest secure version of all dependencies. Fixed Version: * `golang.org/x/crypto` upgraded to version 0.31.0.

The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasn't enforced them. It's unclear if they will help.

Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable.  This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

Security isn't just about tools — it's about understanding how the enemy thinks and why they make certain choices.

The ABB BMS/BAS controller suffers from an unauthenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'portValue' HTTP GET parameter called by obtainPorts.php script.

The obtainPorts.php script is accessible without authentication, allowing unauthorized users to retrieve and manipulate configuration parameters. This includes the ability to modify critical settings such as port values, potentially disrupting system functionality or enabling further exploitation.

The portQueueAjax.php endpoint on ABB Cylon Aspect BMS/BAS controller is accessible without authentication, potentially exposing sensitive port statistics and network activity metrics. An attacker could leverage this information to map the network, identify critical systems, and plan further attacks.

The ABB BMS/BAS controller suffers from an unauthenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'portValue' HTTP GET parameter called by obtainPorts.php script.

Details have emerged about a now-patched security vulnerability in Apple's iOS and macOS that, if successfully exploited, could sidestep the Transparency, Consent, and Control (TCC) framework and result in unauthorized access to sensitive information. The flaw, tracked as CVE-2024-44131 (CVSS score: 5.3), resides in the FileProvider component, per Apple, and has been addressed with improved