
Tag

#zero_day

CSRF flaw in csurf NPM package aimed at protecting against the same flaws

Serious security flaws prompt developers to discontinue open source package

PortSwigger
#csrf #vulnerability #nodejs #js #java #zero_day
CVE-2022-36076: Bug Bounty Adventures: A NodeBB 0-day

NodeBB Forum Software is powered by Node.js and supports either Redis, MongoDB, or a PostgreSQL database. Due to an unnecessarily strict conditional in the code handling the first step of the SSO process, the pre-existing logic that added (and later checked) a nonce was inadvertently rendered opt-in instead of opt-out. This re-exposed a vulnerability in that a specially crafted Man-in-the-Middle (MITM) attack could theoretically take over another user account during the single sign-on process. The issue has been fully patched in version 1.17.2.

CVE-2022-2319: Fix CVE-2022-2319, CVE-2022-2320 (!938) · Merge requests · xorg / xserver · GitLab

A flaw was found in the Xorg-x11-server. An out-of-bounds access issue can occur in the ProcXkbSetGeometry function due to improper validation of the request length.

Skyrocketing IoT Bug Disclosures Put Pressure on Security Teams

The expanding Internet of Things ecosystem is seeing a startling rate of vulnerability disclosures, leaving companies with a greater need for visibility into and patching of IoT devices.

Apple releases security update for iPhones and iPads to address vulnerability

Apple has released a security update for iOS 12.5.6 to patch a remotely exploitable WebKit vulnerability that allows attackers to execute arbitrary code on unpatched devices. The post appeared first on Malwarebytes Labs. Categories: News. Tags: Apple, iOS 12.5.6, webkit, CVE-2022-32893.

Apple Quietly Releases Another Patch for Zero-Day RCE Bug

Apple continues a staged update process to address a WebKit vulnerability that allows attackers to craft malicious Web content to load malware on affected devices.

Malwarebytes receives highest rankings in recent third-party tests

Malwarebytes Endpoint Protection continues to receive outstanding results in third-party testing: We're proud to have been one of the top-ranked security solutions by two highly-regarded industry evaluations, MRG-Effitas and Info-Tech’s Data Quadrant Report. The post appeared first on Malwarebytes Labs. Categories: Business.

European Spyware Vendor Intellexa Offering Android, iOS Device Exploits

By Deeba Ahmed. The proposal documents were leaked on a Russian hacking forum showing Intellexa is offering remote data extraction from Android and iOS devices in exchange for $8 million. This is a post from HackRead.com.

Command injection vulnerability in GitHub Pages nets bug hunter $4k

Exploit involved duping developers into exposing repositories with social engineering techniques