Tag
#vulnerability
In an effort to blend in and make their malicious traffic tougher to block, hosting firms catering to cybercriminals in China and Russia increasingly are funneling their operations through major U.S. cloud providers. Research published this week on one such outfit -- a sprawling network tied to Chinese organized crime gangs and aptly named "Funnull" -- highlights a persistent whac-a-mole problem facing cloud services.
Whether by intercepting its traffic or just giving it a little nudge, GitHub's AI assistant can be made to do malicious things it isn't supposed to.
DevDojo Voyager through version 1.8.0 is vulnerable to reflected XSS via /admin/compass. By manipulating an authenticated user to click on a link, arbitrary Javascript can be executed.
DevDojo Voyager through 1.8.0 is vulnerable to path traversal at the /admin/compass.
A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.
The rate of evolution has been glacial, but tools now understand cloud environments and can target Web applications.
The addition of Solvo CSPM to CYE Hyver aims to address the need for multicloud vulnerability monitoring and risk assessment.
Cybersecurity researchers have disclosed a critical security flaw in the Lightning AI Studio development platform that, if successfully exploited, could allow for remote code execution. The vulnerability, rated a CVSS score of 9.4, enables "attackers to potentially execute arbitrary commands with root privileges" by exploiting a hidden URL parameter, application security firm Noma said in a
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Harmony Industrial PC, Pro-face Industrial PC Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to access sensitive information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Schneider Electric reports that the following products are affected: System Monitor application in Harmony Industrial PC: All versions System Monitor application in Pro-face Industrial PC: All versions 3.2 Vulnerability Overview 3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200 An information exposure vulnerability exists that could cause exposure of credentials when attacker has access to application on network over HTTP. CVE-2024-8884 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (C...
View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: KEPServer Vulnerability: Uncontrolled Resource Consumption 2. RISK EVALUATION Successful exploitation of this vulnerability could cause the device to crash. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Rockwell Automation's KEPServer are affected: KEPServer: Versions 6.0 to 6.14.263 3.2 Vulnerability Overview 3.2.1 Uncontrolled Resource Consumption CWE-400 KEPServerEX Versions 6.0 to 6.14.263 are vulnerable to being made to read a recursively defined object that leads to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol which defines various object types that can be nested to create complex arrays. It does not implement a check to see if such an object is recursively defined, so an attack could send a maliciously created message that the decoder would try to decode until the stack overflowed and the device c...