#web

A mobile scam finds most people at least once a week, new Malwarebytes research reveals. The financial and emotional consequences are dire.

Google has fixed a vulnerability in its account recovery flow which could have allowed attackers to find linked phone numbers.

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.2 ATTENTION: Exploitable remotely Vendor: Hitachi Energy Equipment: Relion 670, 650, SAM600-IO Series Vulnerability: Observable Discrepancy 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to decrypt application data in transit. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi Energy reports that the following products are affected: Relion 670: Version 2.2.0 Relion 670: Version 2.2.1 Relion 650: Version 2.2.0 Relion 650: Version 2.2.1 Relion 670: Versions 2.2.2.0 through 2.2.2.5 Relion 670: Versions 2.2.3.0 through 2.2.3.6 Relion 670: Versions 2.2.4.0 through 2.2.4.3 Relion 650: Versions 2.2.4.0 through 2.2.4.3 Relion 670: Versions 2.2.5.0 through 2.2.5.5 Relion 650: Versions 2.2.5.0 through 2.2.5.5 SAM600-IO: Version 2.2.1 SAM600-IO: Versions from 2.2.5.0 up to but not including, 2.2.5.5 3.2 VULNERABILITY OVERVIEW 3.2.1 OBSERVABLE DISCREPANCY CWE-203 A timing-based side channel exists in the OpenSSL RSA...

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.8 ATTENTION: Exploitable remotely/Low attack complexity Vendor: SinoTrack Equipment: All Known SinoTrack Devices Vulnerabilities: Weak Authentication, Observable Response Discrepency 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to access device profiles without authorization through the common web management interface. Access to the device profile may allow an attacker to perform some remote functions on connected vehicles such as tracking the vehicle location and disconnecting power to the fuel pump where supported. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following SinoTrack products are affected: SinoTrack IOT PC Platform: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 WEAK AUTHENTICATION CWE-1390 A username and password are required to authenticate to the central SinoTrack device management interface. The username for all devices is an identifier printed on the receiver. The default passwor...

Getty Images accuses Stability AI of illegally using its content to train AI models in a high-stakes London…

External control of file name or path in WebDAV allows an unauthorized attacker to execute code over a network.

A vulnerability was found in tarojs taro up to 4.1.1. It has been declared as problematic. This vulnerability affects unknown code of the file taro/packages/css-to-react-native/src/index.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. Upgrading to version 4.1.2 is able to address this issue. The name of the patch is c2e321a8b6fc873427c466c69f41ed0b5e8814bf. It is recommended to upgrade the affected component.

A vulnerability was found in vuejs vue-cli up to 5.0.8. It has been rated as problematic. This issue affects the function HtmlPwaPlugin of the file packages/@vue/cli-plugin-pwa/lib/HtmlPwaPlugin.js of the component Markdown Code Handler. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely.

A vulnerability was found in juliangruber brace-expansion up to 1.1.11. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to apply a patch to fix this issue.

A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.6. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.