Accept Stripe Donation – AidWP Security Vulnerabilities

Tamper proofing review: the iZettle card payment terminal

Tamper resistance is an increasingly important factor in smart devices. Together with secure hardware design and defensive coding, it can deliver a very secure device. One of the most common areas the average consumer will encounter tamper resistant devices is in payment terminals, or Pin Entry...

What’s in the spam mailbox this week?

We've seen a fair few spam emails in circulation this week, ranging from phishing to money muling to sexploitation. Shall we take a look? The FBI wants to give you back your money First out of the gate, we have a missive claiming to be from the FBI. Turns out you lost a huge sum of money that you.....

openSUSE Security Update : the Linux Kernel (openSUSE-2018-762) (Spectre)

The openSUSE Leap 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could have result in local attackers being able to crash the kernel or potentially elevate...

Security update for the Linux Kernel (important)

The openSUSE Leap 15 kernel was updated to receive various security and bugfixes. The following security bugs were fixed: CVE-2018-13406: An integer overflow in the uvesafb_setcmap function could have result in local attackers being able to crash the kernel or potentially elevate...

lablind.com XSS vulnerability

Open Bug Bounty ID: OBB-639452 Description| Value ---|--- Affected Website:| lablind.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

Typeform, Popular Online Survey Software, Suffers Data Breach

Typeform, the popular Spanish-based online data collection company specializes in form building and online surveys for businesses worldwide, has today disclosed that the company has suffered a data breach that exposed partial data of its some users. The company identified the breach on June...

Liberapay: Exploiting JSONP callback on /username/charts.json endpoint leads to information disclosure despite user's privacy settings

Hello! Vulnerability Details The /username/charts.json endpoint can return a JSONP callback due to the fact that jsonp_dump is used in the file charts.json.spt. It appears that the content of the JSONP request depends on the authentication of the user. If the user enabled the privacy setting which....

Liberapay: CSRF token manipulation in every possible form submits. NO server side Validation

Web Application is generating CSRF_token values inside cookies which is not a best practice for web applications the revelation of cookies can reveal CSRF Tokens as well. Authenticity tokens should be kept separate from cookies and should be isolated to change operations in the account only....

Tragedy-Related Scams

In the wake of the recent Texas school shooting, NCCIC advises users to watch out for possible malicious cyber activity seeking to capitalize on this tragic event. Users should exercise caution in handling emails related to the shooting, even if they appear to originate from trusted sources....

Charitable <= 1.5.13 - Unauthorised Access

From the vendor blog pos details: Fix a bug that can in certain scenarios allow unauthorized users to access the user and donation details of previous donations. Payment details such as credit card details were not...

Detecting Cloned Cards at the ATM, Register

Much of the fraud involving counterfeit credit, ATM debit and retail gift cards relies on the ability of thieves to use cheap, widely available hardware to encode stolen data onto any card's magnetic stripe. But new research suggests retailers and ATM operators could reliably detect counterfeit...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP3 RT kernel was updated to 4.4.128 to receive various security and bugfixes. The following security bugs were fixed: CVE-2018-10124: The kill_something_info function in kernel/signal.c might have allowed local users to cause a denial of service via an ...

BrilliantTS FUZE card (MCU firmware 0.1.73, BLE firmware 0.7.4)Vulnerability

Description of FUZE Card FUZE is an IoT device the size, shape, and thickness of a normal credit card. You program credit cards into it via Bluetooth (BLE) using a smart phone app. When you go to pay, you use the buttons and e-Paper display to select which card to emulate. The magnetic stripe...

Node.js third-party modules: Unrestricted file upload (RCE)

I would like to report an unrestricted file upload in express-cart. It allows a user with administrative privileges to upload a file to any path. Module module name: express-cart version: 1.1.5 npm page: https://www.npmjs.com/package/express-cart Module Description expressCart is a fully...

Node.js third-party modules: Privilege escalation allows any user to add an administrator

I would like to report privilege escalation in the npm module express-cart. It allows a normal user to add another user with administrator privileges. Module module name: express-cart version: 1.1.5 npm page: https://www.npmjs.com/package/express-cart Module Description expressCart is a fully...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.126 to receive various security and bugfixes. The following security bugs were fixed: CVE-2018-1091: In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c, a guest kernel crash can be triggered from ...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP3 Realtime kernel was updated to 4.4.120 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized ...

openSUSE Security Update : the Linux Kernel (openSUSE-2018-377)

The openSUSE Leap 42.3 kernel was updated to 4.4.126 to receive various security and bugfixes. The following security bugs were fixed : CVE-2018-1091: In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c, a guest kernel crash can be triggered from unprivileged userspace...

Security update for the Linux Kernel (important)

The openSUSE Leap 42.3 kernel was updated to 4.4.126 to receive various security and bugfixes. The following security bugs were fixed: CVE-2018-1091: In the flush_tmregs_to_thread function in arch/powerpc/kernel/ptrace.c, a guest kernel crash can be triggered from unprivileged...

Coinhive Exposé Prompts Cancer Research Fundraiser

A story published here this week revealed the real-life identity behind the original creator of Coinhive -- a controversial cryptocurrency mining service that several security firms have recently labeled the most ubiquitous malware threat on the Internet today. In an unusual form of protest...

Goodfellas, the Brazilian carding scene is after you

There are three ways of doing things in the malware business: the right way, the wrong way and the way Brazilians do it. From the early beginnings, using skimmers on ATMs, compromising point of sales systems, or even modifying the hardware of processing devices, Latin America has been a fertile...

kernel security and bug fix update

[3.10.0-693.21.1.OL7] Oracle Linux certificates (Alexey Petrenko) Oracle Linux RHCK Module Signing Key was compiled into kernel (olkmod_signing_key.x509)([email protected]) Update x509.genkey [bug 24817676] [3.10.0-693.21.1] [x86] platform/uv: Mark tsc_check_sync as an init function...

Deepfakes FakeApp tool (briefly) includes cryptominer

A few weeks ago, we took a look at a forum dedicated to Deepfake clips where the site was pushing Coinhive mining scripts in the website's HTML code. As it turns out, there's been another mining blow-out in the form of one of the apps used to make the fakes. That's right—a tool designed to push...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP1 LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized ...

paydollar.com XSS vulnerability

Open Bug Bounty ID: OBB-565448 Description| Value ---|--- Affected Website:| paydollar.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP2 Realtime kernel was updated to 4.4.114 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized ...

Bingo, Amigo! Jackpotting: ATM malware from Latin America to the World

Introduction Of all the forms of attack against financial institutions around the world, the one that brings traditional crime and cybercrime together the most is the malicious ecosystem that exists around ATM malware. Criminals from different backgrounds work together with a single goal in mind:.....

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 GA LTSS kernel was updated to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure ...

openSUSE Security Update : the Linux Kernel (openSUSE-2018-153) (Spectre)

The openSUSE Leap 42.3 kernel was updated to 4.4.114 to receive various security and bugfixes. The following security bugs were fixed : CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.114 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized ...

Security update for the Linux Kernel (important)

The openSUSE Leap 42.3 kernel was updated to 4.4.114 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of...

New Point-of-Sale Malware Steals Credit Card Data via DNS Queries

Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect. A new strain of malware has now been discovered that relies on a unique technique to steal...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.114 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-5715: Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized ...

Would You Have Spotted This Skimmer?

When you realize how easy it is for thieves to compromise an ATM or credit card terminal with skimming devices, it's difficult not to inspect or even pull on these machines when you're forced to use them personally -- half expecting something will come detached. For those unfamiliar with the...

redcrossshimla.com XSS vulnerability

Open Bug Bounty ID: OBB-547425 Description| Value ---|--- Affected Website:| redcrossshimla.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP2 Realtime kernel was updated to 4.4.104 to receive various security and bugfixes. This update adds mitigations for various side channel attacks against modern CPUs that could disclose content of otherwise unreadable memory (bnc#1068032). CVE-2017-5753:...

Fundly 1.0.0 Cross Site Scripting

...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.103 to receive various security and bugfixes. This update enables SMB encryption in the CIFS support in the Linux Kernel (fate#324404) The following security bugs were fixed: CVE-2017-1000410: The Linux kernel was affected by an...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.103 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-1000410: The Linux kernel was affected by an information lea that lies in the processing of incoming L2CAP commands -...

openSUSE Security Update : the Linux Kernel (openSUSE-2017-1391) (Dirty COW)

The openSUSE Leap 42.3 kernel was updated to 4.4.103 to receive various security and bugfixes. The following security bugs were fixed : CVE-2017-1000405: A bug in the THP CoW support could be used by local attackers to corrupt memory of other processes and cause them to crash...

Security update for the Linux Kernel (important)

The openSUSE Leap 42.3 kernel was updated to 4.4.103 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-1000405: A bug in the THP CoW support could be used by local attackers to corrupt memory of other processes and cause them to crash ...

Security update for the Linux Kernel (important)

The openSUSE Leap 42.2 kernel was updated to 4.4.102 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-1000405: A bug in the THP CoW support could be used by local attackers to corrupt memory of other processes and cause them to crash ...

openSUSE Security Update : the Linux Kernel (openSUSE-2017-1390) (Dirty COW)

The openSUSE Leap 42.2 kernel was updated to 4.4.102 to receive various security and bugfixes. The following security bugs were fixed : CVE-2017-1000405: A bug in the THP CoW support could be used by local attackers to corrupt memory of other processes and cause them to crash...

Anti-Skimmer Detector for Skimmer Scammers

Crooks who make and deploy ATM skimmers are constantly engaged in a cat-and-mouse game with financial institutions, which deploy a variety of technological measures designed to defeat skimming devices. The latest innovation aimed at tipping the scales in favor of skimmer thieves is a small,...

Legal Robot: Exposes a series of other private credentials

Hi, I found a Javascript file where have many private credentials. JS File https://app.legalrobot.com/meteor_runtime_config.js Code ``` meteor_runtime_config =...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP2 RT kernel was updated to 4.4.88 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-1000365: The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through ...

simplycombo.com XSS vulnerability

Open Bug Bounty ID: OBB-385843 Description| Value ---|--- Affected Website:| simplycombo.com Open Bug Bounty Program:| Create your bounty program now. It's open and free. Vulnerable Application:| Custom Code Vulnerability Type:| XSS (Cross Site Scripting) / CWE-79 CVSSv3 Score:| 6.1...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP2 kernel was updated to 4.4.90 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (assertion failure, and...

Security update for the Linux Kernel (important)

The SUSE Linux Enterprise 12 SP3 kernel was updated to 4.4.92 to receive various security and bugfixes. The following security bugs were fixed: CVE-2017-1000252: The KVM subsystem in the Linux kernel allowed guest OS users to cause a denial of service (assertion failure, and...

Tragic-Event-Related Scams

In the wake of Sunday's tragic event in Las Vegas, US-CERT warns users to be watchful for various malicious cyber activity targeting both victims and potential donors. Users should exercise caution when handling emails that relate to the event, even if those emails appear to originate from trusted....