Snapdragon Automobile, Snapdragon Mobile, Snapdragon Wear Security Vulnerabilities

cve

CVE-2023-28547

Memory corruption in SPS Application while requesting for public key in sorter...

8.4CVSS

7.1AI Score

0.001EPSS

2024-04-01 03:15 PM
48
thn

Malicious Apps Caught Secretly Turning Android Phones into Proxies for Cybercriminals

Several malicious Android apps that turn mobile devices running the operating system into residential proxies (RESIPs) for other threat actors have been observed on the Google Play Store. The findings come from HUMAN's Satori Threat Intelligence team, which said the cluster of VPN apps came fitted....

7AI Score

2024-04-01 10:10 AM
28
githubexploit

Exploit for CVE-2024-20767

CVE-2024-20767-Adobe-ColdFusion Adobe ColdFusion is a rapid...

8.2CVSS

7.1AI Score

0.082EPSS

2024-04-01 09:01 AM
90
thn

Vultur Android Banking Trojan Returns with Upgraded Remote Control Capabilities

The Android banking trojan known as Vultur has resurfaced with a suite of new features and improved anti-analysis and detection evasion techniques, enabling its operators to remotely interact with a mobile device and harvest sensitive data. "Vultur has also started masquerading more of its...

7.7AI Score

2024-04-01 06:04 AM
33
nessus

Amazon Linux 2 : firefox (ALASFIREFOX-2024-023)

The version of firefox installed on the remote host is prior to 115.9.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2FIREFOX-2024-023 advisory. AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding() and AppendEncodedCharacters() could have...

8.7AI Score

0.0004EPSS

2024-04-01 12:00 AM
11
hackerone

Teleport: SSRF in region parameter that leads to AWS Teleport role AWS account takeover

You have an Integration page in Teleport where one of the options is AWS OIDC which will allow people in Teleport to add resources fluently without actually having initial access to these resources or installing any agents on them. You will need to have connected and ready OIDC integration with...

7.3AI Score

2024-03-31 08:50 PM
49
github

Kimai API returns timesheet entries a user should not be authorized to view

Summary The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. Details When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When.....

6.8CVSS

7AI Score

0.0004EPSS

2024-03-29 07:05 PM
11
osv

Kimai API returns timesheet entries a user should not be authorized to view

Summary The permission view_other_timesheet performs differently for the Kimai UI and the API, thus returning unexpected data through the API. Details When setting the view_other_timesheet permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When.....

6.8CVSS

7AI Score

0.0004EPSS

2024-03-29 07:05 PM
8
malwarebytes

MFA bombing taken to the next level

Simply put, MFA bombing (also known as “push bombing” or “MFA fatigue”) is a brute force attack on your patience. Cybercriminals use MFA bombing to break into accounts that are protected by multi-factor authentication (MFA). MFA normally requires a user to enter a six-digit code sent by SMS, or...

7.4AI Score

2024-03-29 04:45 PM
11
hackread

Payment authorization and one-time passwords – Mobile Token

By Uzair Amir Isn't it shocking that people still use passwords like QWERTY12, 1234, or pet names for their online accounts?… This is a post from HackRead.com Read the original post: Payment authorization and one-time passwords – Mobile...

7.3AI Score

2024-03-29 02:18 PM
11
githubexploit

Exploit for Improper Authentication in Ivanti Endpoint Manager Mobile

CVE-2023-35078 Exploit POC ```sh ██████╗ ███╗ ...

9.8CVSS

7.2AI Score

0.968EPSS

2024-03-29 02:15 PM
101
malwarebytes

How to back up your iPhone to a Windows computer

They say the only backup you ever regret is the one you didn't make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you've lost, or to fix things that have failed. We've published posts on how to back up your iPhone to iCloud, and how to back up an...

7.1AI Score

2024-03-29 01:38 PM
10
malwarebytes

How to back up your iPhone to a Mac

They say the only backup you ever regret is the one you didn't make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you've lost, or to fix things that have failed. One of the most cost-effective ways to back up your iPhone is to save backups to your...

7.1AI Score

2024-03-29 01:37 PM
8
malwarebytes

How to back up your iPhone to iCloud

They say the only backup you ever regret is the one you didn't make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you've lost, or to fix things that have failed. The most convenient way to back up your iPhone is to have it back up to iCloud. Backups.....

7.3AI Score

2024-03-29 01:35 PM
9
fedora

[SECURITY] Fedora 38 Update: ofono-1.34-4.fc38

oFono.org is a place to bring developers together around designing an infrastructure for building mobile telephony (GSM/UMTS) applications. oFono includes a high-level D-Bus API for use by telephony applications. oFono also includes a low-level plug-in API for integrating with telephony stacks,...

8.1CVSS

6.6AI Score

0.001EPSS

2024-03-29 02:42 AM
10
fedora

[SECURITY] Fedora 39 Update: ofono-1.34-5.fc39

oFono.org is a place to bring developers together around designing an infrastructure for building mobile telephony (GSM/UMTS) applications. oFono includes a high-level D-Bus API for use by telephony applications. oFono also includes a low-level plug-in API for integrating with telephony stacks,...

8.1CVSS

6.6AI Score

0.001EPSS

2024-03-29 01:11 AM
8
zdt

7.1AI Score

0.0004EPSS

2024-03-29 12:00 AM
98
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 18, 2024 to March 24, 2024)

Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 94 vulnerabilities disclosed in 81 WordPress.....

9.9CVSS

9.4AI Score

0.001EPSS

2024-03-28 03:35 PM
25
malwarebytes

Facebook spied on Snapchat users to get analytics about the competition

Social media giant Facebook snooped on Snapchat users' network traffic, engaged in anticompetitive behavior and exploited user data through deceptive practices. That's according to a court document filed March 23, 2024. The document mentions Facebook’s so-called In-App Action Panel (IAAP) program,....

6.9AI Score

2024-03-28 03:19 PM
15
thn

Darcula Phishing Network Leveraging RCS and iMessage to Evade Detection

A sophisticated phishing-as-a-service (PhaaS) platform called Darcula has set its sights on organizations in over 100 countries by leveraging a massive network of more than 20,000 counterfeit domains to help cyber criminals launch attacks at scale. "Using iMessage and RCS rather than SMS to send...

7.2AI Score

2024-03-28 11:43 AM
18
thn

Telegram Offers Premium Subscription in Exchange for Using Your Number to Send OTPs

In June 2017, a study of more than 3,000 Massachusetts Institute of Technology (MIT) students published by the National Bureau for Economic Research (NBER) found that 98% of them were willing to give away their friends' email addresses in exchange for free pizza. "Whereas people say they care...

7.2AI Score

2024-03-28 08:07 AM
20
fedora

[SECURITY] Fedora 40 Update: ofono-2.5-1.fc40

oFono.org is a place to bring developers together around designing an infrastructure for building mobile telephony (GSM/UMTS) applications. oFono includes a high-level D-Bus API for use by telephony applications. oFono also includes a low-level plug-in API for integrating with telephony stacks,...

8.1CVSS

6.6AI Score

0.001EPSS

2024-03-28 12:19 AM
8
nessus

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : MozillaFirefox (SUSE-SU-2024:1002-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1002-1 advisory. NSS was susceptible to a timing side-channel attack when performing RSA decryption. This...

7.5CVSS

8.6AI Score

0.001EPSS

2024-03-28 12:00 AM
7
exploitdb

7.2AI Score

0.0004EPSS

2024-03-28 12:00 AM
95
nessus

SUSE SLES12 Security Update : MozillaFirefox (SUSE-SU-2024:1000-1)

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1000-1 advisory. An attacker was able to inject an event handler into a privileged object that would allow arbitrary JavaScript execution in the parent...

5.9AI Score

0.0004EPSS

2024-03-28 12:00 AM
8
packetstorm

7.4AI Score

0.0004EPSS

2024-03-28 12:00 AM
64
packetstorm

7.4AI Score

2024-03-28 12:00 AM
69
kitploit

Noia - Simple Mobile Applications Sandbox File Browser Tool

Noia is a web-based tool whose main aim is to ease the process of browsing mobile applications' sandbox and directly previewing SQLite databases, images, and more. Powered by frida.re. Please note that I'm not a programmer, but I'm probably above the median in code-savviness. Try it out, open an...

7.2AI Score

2024-03-27 11:30 AM
14
malwarebytes

Disturbing robocaller fined $9.9 million

A federal court in Montana has fined a man $9.9 million after he was found responsible for causing thousands of unlawful and malicious spoofed robocalls. Sometimes there is good news. Well, for almost everybody except for the robocaller who was found guilty of unlawful robocalls to people in...

6.9AI Score

2024-03-27 10:44 AM
13
veracode

Server Side Request Forgery (SSRF)

mobsfscan is vulnerable to Server Side Request Forgery. The vulnerability is due to inadequate input validation when extracting the android:host hostname attribute within the AndroidManifest.xml file, allowing attackers to manipulate requests and potentially make connections to internal-only services....

7.5CVSS

7.1AI Score

0.001EPSS

2024-03-27 06:54 AM
12
nessus

Rocky Linux 8 : firefox (RLSA-2024:1484)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2024:1484 advisory. NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the...

7.5CVSS

9AI Score

0.001EPSS

2024-03-27 12:00 AM
12
wpexploit

Salon Booking System < 9.6.3 - Unauthenticated Stored XSS

Description The plugin does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the...

6AI Score

0.0004EPSS

2024-03-27 12:00 AM
36
wpexploit

Salon booking system < 9.6.3 - Unauthenticated Stored XSS

Description The plugin does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious...

6AI Score

0.0004EPSS

2024-03-27 12:00 AM
30
wpvulndb

Salon booking system < 9.6.3 - Unauthenticated Stored XSS

Description The plugin does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious...

5.6AI Score

0.0004EPSS

2024-03-27 12:00 AM
13
zdt

7.4AI Score

2024-03-27 12:00 AM
65
zdt

7.4AI Score

2024-03-27 12:00 AM
63
wpvulndb

Salon Booking System < 9.6.3 - Unauthenticated Stored XSS

Description The plugin does not properly sanitize and escape the 'Mobile Phone' field when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Customers' page and the malicious script is executed in the...

5.9AI Score

0.0004EPSS

2024-03-27 12:00 AM
4
cve

CVE-2024-2927

A vulnerability was found in code-projects Mobile Shop 1.0. It has been classified as critical. Affected is an unknown function of the file Details.php of the component Login Page. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit....

7.3CVSS

7.4AI Score

0.0004EPSS

2024-03-26 11:15 PM
30
nvd

CVE-2024-2927

A vulnerability was found in code-projects Mobile Shop 1.0. It has been classified as critical. Affected is an unknown function of the file Details.php of the component Login Page. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit....

7.3CVSS

7.5AI Score

0.0004EPSS

2024-03-26 11:15 PM
cvelist

CVE-2024-2927 code-projects Mobile Shop Login Page Details.php sql injection

A vulnerability was found in code-projects Mobile Shop 1.0. It has been classified as critical. Affected is an unknown function of the file Details.php of the component Login Page. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit....

7.3CVSS

7.8AI Score

0.0004EPSS

2024-03-26 11:00 PM
krebs

Recent ‘MFA Bombing’ Attacks Targeting Apple Users

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple's password reset feature. In this scenario, a target's Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used...

6.6AI Score

2024-03-26 03:37 PM
15
malwarebytes

Patch now: Mozilla patches two critical vulnerabilities in Firefox

Mozilla released version 124.0.1 of the Firefox browser to Release channel users (the default channel that most non-developers run) on March 22, 2024. The new version fixes two critical security vulnerabilities. One of the vulnerabilities affects Firefox on desktop only, and doesn't affect mobile.....

7.6AI Score

0.0005EPSS

2024-03-26 02:09 PM
17
malwarebytes

YouTube ordered to reveal the identities of video viewers

Federal US authorities have asked Google for the names, addresses, telephone numbers, and user activity of accounts that watched certain YouTube videos, according to unsealed court documents Forbes has seen. Of those users that weren’t logged in when they watched those videos between January 1...

6.9AI Score

2024-03-26 01:08 PM
14
nessus

Oracle Linux 7 : firefox (ELSA-2024-1486)

The remote Oracle Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-1486 advisory. NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the...

7.5CVSS

9AI Score

0.001EPSS

2024-03-26 12:00 AM
13
packetstorm

7.4AI Score

2024-03-26 12:00 AM
94
nessus

Oracle Linux 8 : firefox (ELSA-2024-1484)

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2024-1484 advisory. AppendEncodedAttributeValue(), ExtraSpaceNeededForAttrEncoding() and AppendEncodedCharacters() could have experienced integer overflows, causing...

7.5CVSS

9AI Score

0.001EPSS

2024-03-26 12:00 AM
7
packetstorm

7.4AI Score

2024-03-26 12:00 AM
96
nessus

Oracle Linux 9 : firefox (ELSA-2024-1485)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-1485 advisory. To harden ICU against exploitation, the behavior for out-of-memory conditions was changed to crash instead of attempt to continue. This...

7.5CVSS

9AI Score

0.001EPSS

2024-03-26 12:00 AM
12
packetstorm

7.4AI Score

2024-03-26 12:00 AM
75
wallarmlab

Top 4 Industries at Risk of Credential Stuffing and Account Takeover (ATO) attacks

All industries are at risk of credential stuffing and account takeover (ATO) attacks. However, some industries are at a greater risk because of the sensitive information or volume of customer data they possess. While cyber-attacks come in all forms and techniques, credential stuffing involves an...

6.9AI Score

2024-03-25 06:44 PM
13
Total number of security vulnerabilities: 36430