βοΈ Phishing Domains Tanked After Meta Sued Freenom βοΈ
π Read
via "Krebs on Security".
The number of phishing websites tied to domain name registrar Freenom dropped precipitously in the months surrounding a recent lawsuit from social networking giant Meta, which alleged the free domain name provider has a long history of ignoring abuse complaints about phishing websites while monetizing traffic to those abusive domains.π Read
via "Krebs on Security".
Krebs on Security
Phishing Domains Tanked After Meta Sued Freenom
The number of phishing websites tied to domain name registrar Freenom dropped precipitously in the months surrounding a recent lawsuit from social networking giant Meta, which alleged the free domain name provider has a long history of ignoring abuse complaintsβ¦
π1
β S3 Ep136: Navigating a manic malware maelstrom β
π Read
via "Naked Security".
Latest episode - listen now. Full transcript inside...π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
π΄ Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives π΄
π Read
via "Dark Reading".
Phishing campaigns targeting travelers have evolved from simple, easy-to-spot fraud attempts to highly sophisticated operations.π Read
via "Dark Reading".
Dark Reading
Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives
Phishing campaigns targeting travelers have evolved from simple, easy-to-spot fraud attempts to highly sophisticated operations.
βΌ CVE-2023-33440 βΌ
π Read
via "National Vulnerability Database".
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.π Read
via "National Vulnerability Database".
βΌ CVE-2021-46882 βΌ
π Read
via "National Vulnerability Database".
The video framework has memory overwriting caused by addition overflow. Successful exploitation of this vulnerability may affect availability.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-33720 βΌ
π Read
via "National Vulnerability Database".
mp4v2 v2.1.2 was discovered to contain a memory leak via the class MP4BytesProperty.π Read
via "National Vulnerability Database".
π΄ Tesla Whistleblower Leaks 100GB of Data, Revealing Safety Complaints π΄
π Read
via "Dark Reading".
Informants have released data that includes thousands of safety complaints the company has received about its self-driving capability, as well as sensitive information regarding current and past employees.π Read
via "Dark Reading".
Dark Reading
Tesla Whistleblower Leaks 100GB of Data, Revealing Safety Complaints
Informants have released data that includes thousands of safety complaints the company has received about its self-driving capability, as well as sensitive information regarding current and past employees.
π΄ 130K+ Patients' Social Security Numbers Leaked in UHS of Delaware Data Breach π΄
π Read
via "Dark Reading".
π Read
via "Dark Reading".
Dark Reading
130K+ Patients' Social Security Numbers Leaked in UHS of Delaware Data Breach
MARLTON, N.J., May 25, 2023 /PRNewswire/ -- Approximately 130,000 patients in Texas β and an untold number of others nationwide β are being notified that their protected health information was compromised when hackers breached the computer system of Universalβ¦
βΌ CVE-2023-20868 βΌ
π Read
via "National Vulnerability Database".
NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. A remote attacker can inject HTML or JavaScript to redirect to malicious pages.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32318 βΌ
π Read
via "National Vulnerability Database".
Nextcloud server provides a home for data. A regression in the session handling between Nextcloud Server and the Nextcloud Text app prevented a correct destruction of the session on logout if cookies were not cleared manually. After successfully authenticating with any other account the previous session would be continued and the attacker would be authenticated as the previously logged in user. It is recommended that the Nextcloud Server is upgraded to 25.0.6 or 26.0.1.π Read
via "National Vulnerability Database".
π΄ 2 Lenses for Examining the Safety of Open Source Software π΄
π Read
via "Dark Reading".
Improving the security of open source repositories and keeping malicious components out requires a combination of technology and people.π Read
via "Dark Reading".
β€1
βΌ CVE-2023-33197 βΌ
π Read
via "National Vulnerability Database".
Craft is a CMS for creating custom digital experiences on the web. Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue has been patched in version 4.4.6.π Read
via "National Vulnerability Database".
β€1π1
βΌ CVE-2023-2854 βΌ
π Read
via "National Vulnerability Database".
BLF file parser crash in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via crafted capture fileπ Read
via "National Vulnerability Database".
βΌ CVE-2023-21515 βΌ
π Read
via "National Vulnerability Database".
InstantPlay which included vulnerable script which could execute javascript in Galaxy Store prior to version 4.5.49.8 allows attackers to execute javascript API to install APK from Galaxy Store.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32321 βΌ
π Read
via "National Vulnerability Database".
CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in `resource_create` and `package_update` actions, using the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`. Remote code execution via unsafe pickle loading, via Beaker's session store when configured to use the file session store backend. Potential DOS due to lack of a length check on the resource id. Information disclosure: A user with permission to create a resource can access any other resource on the system if they know the id, even if they don't have access to it. Resource overwrite: A user with permission to create a resource can overwrite any resource if they know the id, even if they don't have access to it. A user with permissions to create or edit a dataset can upload a resource with a specially crafted id to write the uploaded file in an arbitrary location. This can be leveraged to Remote Code Execution via Beaker's insecure pickle loading. All the above listed vulnerabilities have been fixed in CKAN 2.9.9 and CKAN 2.10.1. Users are advised to upgrade. There are no known workarounds for these issues.π Read
via "National Vulnerability Database".
π2
βΌ CVE-2023-33192 βΌ
π Read
via "National Vulnerability Database".
ntpd-rs is an NTP implementation written in Rust. ntpd-rs does not validate the length of NTS cookies in received NTP packets to the server. An attacker can crash the server by sending a specially crafted NTP packet containing a cookie shorter than what the server expects. The server also crashes when it is not configured to handle NTS packets. The issue was caused by improper slice indexing. The indexing operations were replaced by safer alternatives that do not crash the ntpd-rs server process but instead properly handle the error condition. A patch was released in version 0.3.3.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-32325 βΌ
π Read
via "National Vulnerability Database".
PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place.π Read
via "National Vulnerability Database".
βΌ CVE-2023-32688 βΌ
π Read
via "National Vulnerability Database".
parse-server-push-adapter is the official Push Notification adapter for Parse Server. The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. This issue has been patched in version 4.1.3.π Read
via "National Vulnerability Database".
βΌ CVE-2023-2922 βΌ
π Read
via "National Vulnerability Database".
A vulnerability classified as problematic has been found in SourceCodester Comment System 1.0. Affected is an unknown function of the file index.php of the component GET Parameter Handler. The manipulation of the argument msg leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230076.π Read
via "National Vulnerability Database".
βΌ CVE-2023-26129 βΌ
π Read
via "National Vulnerability Database".
All versions of the package bwm-ng are vulnerable to Command Injection due to improper input sanitization in the 'check' function in the bwm-ng.js file. **Note:**To execute the code snippet and potentially exploit the vulnerability, the attacker needs to have the ability to run Node.js code within the target environment. This typically requires some level of access to the system or application hosting the Node.js environment.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2023-2928 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in DedeCMS up to 5.7.106. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file uploads/dede/article_allowurl_edit.php. The manipulation of the argument allurls leads to code injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-230083.π Read
via "National Vulnerability Database".