
$0.99 Kindle Books Security Vulnerabilities

nvd
CVE-2023-43998
An issue in Books-futaba mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access...
CVSS 5.4 | AI Score 5.5 | EPSS 0.0004 | 2024-01-24 10:15 AM

cve
CVE-2023-43998
An issue in Books-futaba mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access...
CVSS 5.4 | AI Score 5.5 | EPSS 0.0004 | 2024-01-24 10:15 AM
10

prion
Design/Logic Flaw
An issue in Books-futaba mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access...
CVSS 5.4 | AI Score 7.1 | EPSS 0.0004 | 2024-01-24 10:15 AM
4

cvelist
CVE-2023-43998
An issue in Books-futaba mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access...
AI Score 5.7 | EPSS 0.0004 | 2024-01-24 12:00 AM

talosblog
What to do with that fancy new internet-connected device you got as a holiday gift
Welcome to 2024! The Threat Source newsletter is back after our winter break. When I wasn't spending my downtime chasing around my toddler, one of my main projects was to upgrade the internet connection at my house. My ISP started offering Gigabit speeds and a 60 GHz connection, which was...
CVSS 9.1 | AI Score 8.5 | EPSS 0.969 | 2024-01-18 07:00 PM
8

talosblog
Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers
Drivers have long been of interest to threat actors, whether they are exploiting vulnerable drivers or creating malicious ones. Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system. Real-world examples can be found in our previous...
AI Score 6.8 | 2024-01-18 01:00 PM
6

schneier
Facial Scanning by Burger King in Brazil
In 2000, I wrote: "If McDonald's offered three free Big Macs for a DNA sample, there would be lines around the block." Burger King in Brazil is almost there, offering discounts in exchange for a facial scan. From a marketing video: "At the end of the year, it's Friday every day, and the hangover...
AI Score 7.3 | 2024-01-10 12:05 PM
10

spring
This Year in Spring - 2023
Welcome to another installment of This Week in Spring! It's December 26th, 2023, and we're staring down the new year! And you know what that means, right? It's time for our annual roundup, looking at all the latest and greatest in the wild and wonderful world of Springdom. This is This Year in...
AI Score 7.1 | 2023-12-26 12:00 AM
8

schneier
Ben Rothke's Review of A Hacker's Mind
Ben Rothke chose A Hacker's Mind as "the best information security book of...
AI Score 7.2 | 2023-12-22 08:08 PM
17

cve
CVE-2023-38481
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin. This issue affects Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin: from n/a before...
CVSS 6.1 | AI Score 6.2 | EPSS 0.0005 | 2023-12-19 08:15 PM
11

nvd
CVE-2023-38481
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin. This issue affects Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin: from n/a before...
CVSS 6.1 | EPSS 0.0005 | 2023-12-19 08:15 PM

prion
Open redirect
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin. This issue affects Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin: from n/a before...
CVSS 6.1 | AI Score 7.1 | EPSS 0.0005 | 2023-12-19 08:15 PM
4

cvelist
CVE-2023-38481 WordPress Integration for WooCommerce and Zoho CRM Plugin < 1.3.7 is vulnerable to Open Redirection
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin. This issue affects Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin: from n/a before...
CVSS 4.7 | AI Score 6.5 | EPSS 0.0005 | 2023-12-19 08:00 PM

impervablog
Is Web Scraping Illegal? Depends on Who You Ask
Web scraping has existed for a long time, and depending on who you ask, it can be loved or hated. But where is the line drawn between extracting data for legitimate business purposes and malicious data extraction that hurts business? The bar is getting blurrier by the day, and the introduction of...
AI Score 6.7 | 2023-12-07 01:45 PM
7

schneier
AI and Trust
I trusted a lot today. I trusted my phone to wake me on time. I trusted Uber to arrange a taxi for me, and the driver to get me to the airport safely. I trusted thousands of other drivers on the road not to ram my car on the way. At the airport, I trusted ticket agents and maintenance engineers...
AI Score 6.8 | 2023-12-04 12:05 PM
4

wallarmlab
What Is Network Availability?
Within the sphere of IT, 'network accessibility' is a term frequently used. Yet, does everyone understand its connotation? Simplistically put, network accessibility alludes to how readily a network or system can be accessed by its users. It quantifies to what extent a system is functioning and...
AI Score 7.9 | 2023-11-23 12:55 PM
4

code423n4
The Invariant can be broken as 1 NOTE does not always equal to 1 cNOTE.
Lines of code https://github.com/code-423n4/2023-11-canto/blob/335930cd53cf9a137504a57f1215be52c6d67cb3/asD/src/asD.sol#L52 Vulnerability details Impact users will not be able to redeem their asD tokens for equivalent amount of NOTE because when minting cNOTE, 1 cNOTE doesn't always equal 1 NOTE. ...
AI Score 6.8 | 2023-11-17 12:00 AM
2

code423n4
Intrinsic arbitrage between assets due to price feed deviation threshold
Lines of code Vulnerability details Impact Withdrawals have not yet been implemented but I assume it will be implemented in the usual way such that the fraction of total supply of rsETH a user redeems gives him an equal fraction of total assets held, i.e. received = sharesToRedeem * totalAssets /...
AI Score 6.8 | 2023-11-15 12:00 AM
1

osv
libclamunrar - security update
Bulletin has no...
CVSS 7.8 | AI Score 7 | EPSS 0.001 | 2023-11-15 12:00 AM
14

githubexploit
Exploit for Deserialization of Untrusted Data in Apache Log4J
Log4j Vulnerability - CVE-2021-44228 :green_book: ...
CVSS 10 | AI Score 9.7 | EPSS 0.976 | 2023-11-13 04:57 PM
233

schneier
Online Retail Hack
Selling miniature replicas to unsuspecting shoppers: Online marketplaces sell tiny pink cowboy hats. They also sell miniature pencil sharpeners, palm-size kitchen utensils, scaled-down books and camping chairs so small they evoke the Stonehenge scene in "This Is Spinal Tap." Many of the minuscule...
AI Score 7.2 | 2023-11-09 12:09 PM
13

githubexploit
Exploit for Unquoted Search Path or Element in Openbsd Openssh
OpenSSH Vulnerability - CVE-2023-38408 :books: ###...
CVSS 9.8 | AI Score 10 | EPSS 0.028 | 2023-11-09 04:34 AM
2052

nessus
Fedora 39 : libcaca (2023-8282501ffb)
The remote Fedora 39 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-8282501ffb advisory. libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service (CVE-2022-0856) Note that...
CVSS 6.5 | AI Score 6.7 | EPSS 0.002 | 2023-11-07 12:00 AM
6

nessus
Rocky Linux 8 : perl (RLSA-2021:1678)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:1678 advisory. Perl before 5.30.3 on 32-bit platforms allows a heap-based buffer overflow because nested regular expression quantifiers have an integer overflow...
CVSS 8.6 | AI Score 7.9 | EPSS 0.003 | 2023-11-07 12:00 AM
5

openvas
Fedora: Security Advisory for libcaca (FEDORA-2023-8282501ffb)
The remote host is missing an update for...
CVSS 6.5 | AI Score 6.5 | EPSS 0.002 | 2023-11-05 12:00 AM
2

fedora
[SECURITY] Fedora 39 Update: libcaca-0.99-0.69.beta20.fc39
libcaca is the Colour AsCii Art library. It provides high level functions for color text drawing, simple primitives for line, polygon and ellipse drawing, as well as powerful image to text conversion...
CVSS 6.5 | AI Score 6.4 | EPSS 0.002 | 2023-11-03 06:52 PM
8

krebs
Russian Reshipping Service 'SWAT USA Drop' Exposed
The login page for the criminal reshipping service SWAT USA Drop. One of the largest cybercrime services for laundering stolen merchandise was hacked recently, exposing its internal operations, finances and organizational structure. Here's a closer look at the Russia-based SWAT USA Drop Service,...
AI Score 6.5 | 2023-11-02 07:55 PM
25

code423n4
Scaling Issue in AccountingEngine.auctionSurplus Causing Token Drains
Lines of code https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/contracts/AccountingEngine.sol#L230 https://github.com/open-dollar/od-contracts/blob/v1.5.5-audit/src/libraries/Math.sol#L104 Vulnerability details Impact The impact of this vulnerability is significant as it leads to...
AI Score 6.8 | 2023-10-25 12:00 AM
5

openbugbounty
books-bubbles.com Cross Site Scripting vulnerability OBB-3753458
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
AI Score 6.1 | 2023-10-18 04:45 PM
6

wallarmlab
What is The Dark Web?
The Undernet, a term frequently shrouded in enigma and often linked with unlawful activities, is a concealed segment of the digital world that is purposefully veiled and unreachable via regular internet browsers. This chapter aims to unveil the secrets of the Undernet, step by step demythifying...
AI Score 7 | 2023-10-18 04:14 PM
5

malwarebytes
3 crucial security steps people should do, but don't
Cybersecurity could be as easy as 1-2-3. The problem, though, is that people have to want it. In new research conducted by Malwarebytes, internet users across the United States and Canada admitted to dismal cybersecurity practices, failing to adopt some of the most basic defenses for staying safe...
AI Score 7.2 | 2023-10-18 02:30 AM
8

osv
CVE-2023-45853
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an...
CVSS 9.8 | AI Score 7.8 | EPSS 0.001 | 2023-10-14 02:15 AM
8

schneier
Hacking the High School Grading System
Interesting New York Times article about high-school students hacking the grading system. What's not helping? The policies many school districts are adopting that make it nearly impossible for low-performing students to fail--they have a grading floor under them, they know it, and that allows...
AI Score 6.9 | 2023-10-13 11:12 AM
14

nessus
Slackware Linux 15.0 / current libcaca Vulnerability (SSA:2023-284-04)
The version of libcaca installed on the remote host is prior to 0.99.beta20. It is, therefore, affected by a vulnerability as referenced in the SSA:2023-284-04 advisory. libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of...
CVSS 6.5 | AI Score 6 | EPSS 0.002 | 2023-10-12 12:00 AM
14

openvas
Slackware: Security Advisory (SSA:2023-284-04)
The remote host is missing an update for...
CVSS 6.5 | AI Score 6.5 | EPSS 0.002 | 2023-10-12 12:00 AM
3

openvas
Fedora: Security Advisory for libcaca (FEDORA-2023-335e8b2908)
The remote host is missing an update for...
CVSS 6.5 | AI Score 6.5 | EPSS 0.002 | 2023-10-12 12:00 AM

openvas
Fedora: Security Advisory for libcaca (FEDORA-2023-7248587205)
The remote host is missing an update for...
CVSS 6.5 | AI Score 6.5 | EPSS 0.002 | 2023-10-12 12:00 AM
2

slackware
[slackware-security] libcaca
New libcaca packages are available for Slackware 15.0 and -current to fix a security issue. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/libcaca-0.99.beta20-i586-1_slack15.0.txz: Upgraded. Fixed a crash bug (a crafted file defining width of zero leads to divide by ...
CVSS 6.5 | AI Score 6.9 | EPSS 0.002 | 2023-10-11 10:35 PM
25

fedora
[SECURITY] Fedora 38 Update: libcaca-0.99-0.69.beta20.fc38
libcaca is the Colour AsCii Art library. It provides high level functions for color text drawing, simple primitives for line, polygon and ellipse drawing, as well as powerful image to text conversion...
CVSS 6.5 | AI Score 6.4 | EPSS 0.002 | 2023-10-11 01:37 AM
7

fedora
[SECURITY] Fedora 37 Update: libcaca-0.99-0.69.beta20.fc37
libcaca is the Colour AsCii Art library. It provides high level functions for color text drawing, simple primitives for line, polygon and ellipse drawing, as well as powerful image to text conversion...
CVSS 6.5 | AI Score 6.4 | EPSS 0.002 | 2023-10-11 01:34 AM
9

nessus
Fedora 38 : libcaca (2023-7248587205)
The remote Fedora 38 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-7248587205 advisory. libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service (CVE-2022-0856) Note that...
CVSS 6.5 | AI Score 6 | EPSS 0.002 | 2023-10-11 12:00 AM
5

nessus
Fedora 37 : libcaca (2023-335e8b2908)
The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-335e8b2908 advisory. libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service (CVE-2022-0856) Note that...
CVSS 6.5 | AI Score 6 | EPSS 0.002 | 2023-10-11 12:00 AM
6

schneier
AI Risks
There is no shortage of researchers and industry titans willing to warn us about the potential destructive power of artificial intelligence. Reading the headlines, one would hope that the rapid gains in AI technology have also brought forth a unifying realization of the risks--and the steps we...
AI Score 7.2 | 2023-10-09 11:03 AM
38

githubexploit
Exploit for Use After Free in Linux Linux Kernel
Linux kernel release 4.x http://kernel.org/ These are the...
CVSS 5.5 | AI Score 6.4 | EPSS 0.0004 | 2023-10-06 06:18 AM
434

code423n4
User can selectively turn on the fallback flag to take all ETH on the agent contract as layerzero fee refund
Lines of code https://github.com/code-423n4/2023-09-maia/blob/f5ba4de628836b2a29f9b5fff59499690008c463/src/RootBridgeAgent.sol#L938 https://github.com/LayerZero-Labs/LayerZero/blob/48c21c3921931798184367fc02d3a8132b041942/contracts/Endpoint.sol#L95 Vulnerability details Impact _performFallbackCall...
AI Score 7.2 | 2023-10-06 12:00 AM
7

osv
Presto JDBC Server-Side Request Forgery by nextUri
Summary Presto JDBC is vulnerable to Server-Side Request Forgery (SSRF) when connecting a remote Presto server. An attacker can modify the nextUri parameter to internal server in response content that Presto JDBC client will request next and view sensitive information from highly sensitive...
AI Score 6.7 | 2023-10-03 09:54 PM
5

osv
Presto JDBC Server-Side Request Forgery by redirect
Summary Presto JDBC is vulnerable to Server-Side Request Forgery (SSRF) when connecting a remote Presto server. An attacker can construct a redirect response that Presto JDBC client will follow and view sensitive information from highly sensitive internal servers or perform a local port scan. ...
AI Score 7 | 2023-10-03 09:54 PM
7

malwarebytes
Meta is using your public Facebook and Instagram posts to train its AI
Post anything publicly on Facebook and Instagram? Meta has likely been using those posts to train its AI, according to the company's top policy executive. In an interview with Reuters, Meta President of Global Affairs Nick Clegg said the company used the public posts to train the LLM (large...
AI Score 6.7 | 2023-10-03 01:00 AM
4

apple
About the security content of macOS Sonoma 14
About the security content of macOS Sonoma 14 This document describes the security content of macOS Sonoma 14. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are...
CVSS 10 | AI Score 10 | EPSS 0.028 | 2023-09-26 12:00 AM
52

githubexploit
Exploit for CVE-2023-4128
Linux kernel release 4.x http://kernel.org/ These are the...
AI Score 7.6 | EPSS 0.001 | 2023-09-19 06:45 AM
393

Total number of security vulnerabilities: 2570