Easy Digital Downloads – Recent Purchases Security Vulnerabilities

CVE-2024-37296

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment...

CVE-2024-37296

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment...

CVE-2024-37296

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment...

Exploit for OS Command Injection in Php

CVE-2024-4577 This is a PoC for PHP CVE-2024-4577....

CVE-2024-37296 Aimeos HTML client vulnerable to digital products download without proper payment status check

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment...

CVE-2024-37296 Aimeos HTML client vulnerable to digital products download without proper payment status check

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment...

Chinese Actor SecShow Conducts Massive DNS Probing on Global Scale

Cybersecurity researchers have shed more light on a Chinese actor codenamed SecShow that has been observed conducting Domain Name System (DNS) on a global scale since at least June 2023. The adversary, according to Infoblox security researchers Dr. Renée Burton and Dave Mitchell, operates from the....

23andMe data breach under joint investigation in two countries

The British and Canadian privacy authorities have announced they will undertake a joint investigation into the data breach at global genetic testing company 23andMe that was discovered in October 2023. On Friday October 6, 2023, 23andMe confirmed via a somewhat opaque blog post that cybercriminals....

When things go wrong: A digital sharing warning for couples

“When things go wrong” is a troubling prospect for most couples to face, but the internet—and the way that romantic partners engage both with and across it—could require that this worst-case scenario become more of a best practice. In new research that Malwarebytes will release this month,...

QR code SQL injection and other vulnerabilities in a popular biometric terminal

Biometric scanners offer a unique way to resolve the conflict between security and usability. They help to identify a person by their unique biological characteristics – a fairly reliable process that does not require the user to exert any extra effort. Yet, biometric scanners, as any other tech,.....

June 11, 2024—KB5039227 (OS Build 20348.2527)

June 11, 2024—KB5039227 (OS Build 20348.2527) For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows Server 2022, see its update history page. Note Follow @WindowsUpdate to find out when.....

Snowflake Breach Exposes 165 Customers' Data in Ongoing Extortion Campaign

As many as 165 customers of Snowflake are said to have had their information potentially exposed as part of an ongoing campaign designed to facilitate data theft and extortion, indicating the operation has broader implications than previously thought. Google-owned Mandiant, which is assisting the.....

Arm Warns of Actively Exploited Zero-Day Vulnerability in Mali GPU Drivers

Arm is warning of a security vulnerability impacting Mali GPU Kernel Driver that it said has been actively exploited in the wild. Tracked as CVE-2024-4610, the use-after-free issue impacts the following products - Bifrost GPU Kernel Driver (all versions from r34p0 to r40p0) Valhall GPU Kernel...

Exploit for Code Injection in Ssssssss Spider-Flow

...

[SECURITY] Fedora 40 Update: libvirt-10.1.0-2.fc40

Libvirt is a C toolkit to interact with the virtualization capabilities of recent versions of Linux (and other OSes). The main package includes the libvirtd server exporting the virtualization...

Justice AV Solutions JVS Viewer Embedded Malicious Code (CVE-2024-4978)

The version of Justice AV Solutions JVS Viewer installed on the remote host is 8.3.7. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-4978 advisory. Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an...

chromium -- multiple security fixes

Chrome Releases reports: This update includes 21 security fixes: [342456991] High CVE-2024-5830: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2024-05-24 [339171223] High CVE-2024-5831: Use after free in Dawn. Reported by wgslfuzz on 2024-05-07 [340196361] High...

KLA68913 Multiple vulnerabilities in Google Chrome

Multiple vulnerabilities were found in Google Chrome. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, bypass security restrictions. Below is a complete list of vulnerabilities: Use after free vulnerability in PDFium can be exploited to cause...

CVE-2024-5843

Inappropriate implementation in Downloads in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to obfuscate security UI via a malicious file. (Chromium security severity: Medium) Notes Author| Note ---|--- alexmurray | The Debian chromium source package is called chromium-browser in...

Google Chrome < 126.0.6478.56 Multiple Vulnerabilities

The version of Google Chrome installed on the remote macOS host is prior to 126.0.6478.56. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024_06_stable-channel-update-for-desktop advisory. Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote...

Google Chrome < 126.0.6478.56 Multiple Vulnerabilities

The version of Google Chrome installed on the remote Windows host is prior to 126.0.6478.56. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024_06_stable-channel-update-for-desktop advisory. Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a...

Stable Channel Update for Desktop

The Chrome team is delighted to announce the promotion of Chrome 126 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks. Chrome 126.0.6478.54 (Linux) 126.0.6478.56/57( Windows, Mac) contains a number of fixes and improvements -- a list of changes is...

Unbound DNS <= 1.19.3 DoS Amplification Vulnerability (DNSBomb)

Unbound DNS is prone to a denial of service (DoS) amplification vulnerability (aka...

Fedora: Security Advisory for libvirt (FEDORA-2024-ee96e0c470)

The remote host is missing an update for...

More_eggs Malware Disguised as Resumes Targets Recruiters in Phishing Attack

Cybersecurity researchers have spotted a phishing attack distributing the More_eggs malware by masquerading it as a resume, a technique originally detected more than two years ago. The attack, which was unsuccessful, targeted an unnamed company in the industrial services industry in May 2024,...

Ransomware Is ‘More Brutal’ Than Ever in 2024

As the fight against ransomware slogs on, security experts warn of a potential escalation to “real-world violence.” But recent police crackdowns are successfully disrupting the cybercriminal...

A European Summer of Sports is Upon Us – What Does it Mean for Security?

The recent Champions League final in London (congratulations, Real Madrid!) marked the opening shot to a hot European summer of major sporting events. We now approach the highly anticipated UEFA EURO 2024 football tournament in Germany and the Olympic Games in Paris 2024. And as we do, bad actors.....

Using Electronic Health Records (EHRs) for Healthcare Data Extraction

Electronic health records (EHRs) have become crucial tools for storing and managing patient information. These digital records...

Bypassing 2FA with phishing and OTP bots

Introduction Two-factor authentication (2FA) is a security feature we have come to expect as standard by 2024. Most of today's websites offer some form of it, and some of them won't even let you use their service until you enable 2FA. Individual countries have adopted laws that require certain...

Improper Enforcement Of Behavioral Workflow

aimeos/ai-client-html is vulnerable to Improper enforcement of behavioral workflow. The vulnerability is due to an issue where digital downloads sold in online shops can be accessed without valid payment, for instance, if the payment process fails. This could allow attackers to obtain digital...

Tenable Security Center < 6.4.0 Multiple Vulnerabilities (TNS-2024-10)

According to its self-reported version, the Tenable Security Center running on the remote host is prior to 6.4.0. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2024-10 advisory. Security Center leverages third-party software to help provide underlying...

Chef Infra Client Installed (Windows)

Chef Infra Client is installed on the remote Windows...

PHP < 8.1.29, 8.2.x < 8.2.20, 8.3.x < 8.3.8 Multiple Vulnerabilities - Active Check

PHP is prone to multiple...

Chef Infra Client Installed (Unix)

Chef Infra Client is installed on the remote Unix...

About the security content of visionOS 1.2

About the security content of visionOS 1.2 This document describes the security content of visionOS 1.2. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are...

Exploit for CVE-2022-21500

...

CVE-2024-4577

In PHP versions 8.1. before 8.1.29, 8.2. before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use “Best-Fit” behavior to replace characters in command line given to Win32 API functions. PHP CGI module may...

Microsoft Revamps Controversial AI-Powered Recall Feature Amid Privacy Concerns

Microsoft on Friday said it will disable its much-criticized artificial intelligence (AI)-powered Recall feature by default and make it an opt-in. Recall, currently in preview and coming exclusively to Copilot+ PCs on June 18, 2024, functions as an "explorable visual timeline" by capturing...

Imperva Protects Against Critical PHP Vulnerability CVE-2024-4577

In the ever-evolving landscape of cybersecurity, staying ahead of vulnerabilities is crucial for safeguarding sensitive information and maintaining the integrity of digital assets. Recently, a critical vulnerability– identified as CVE-2024-4577 with an initial CVSS score of 9.8 – was discovered in....

Cyber Landscape is Evolving - So Should Your SCA

Traditional SCAs Are Broken: Did You Know You Are Missing Critical Pieces? Application Security professionals face enormous challenges securing their software supply chains, racing against time to beat the attacker to the mark. Software Composition Analysis (SCA) tools have become a basic...

The AI Debate: Google's Guidelines, Meta's GDPR Dispute, Microsoft's Recall Backlash

Google is urging third-party Android app developers to incorporate generative artificial intelligence (GenAI) features in a responsible manner. The new guidance from the search and advertising giant is an effort to combat problematic content, including sexual content and hate speech, created...

The Justice Department Took Down the 911 S5 Botnet

The US Justice Department has dismantled an enormous botnet: According to an indictment unsealed on May 24, from 2014 through July 2022, Wang and others are alleged to have created and disseminated malware to compromise and amass a network of millions of residential Windows computers worldwide....

Commando Cat Cryptojacking Attacks Target Misconfigured Docker Instances

The threat actor known as Commando Cat has been linked to an ongoing cryptojacking attack campaign that leverages poorly secured Docker instances to deploy cryptocurrency miners for financial gain. "The attackers used the cmd.cat/chattr docker image container that retrieves the payload from their.....

Exploit for CVE-2024-27956

...

IBM DB2 DoS (7145726) (Windows)

According to its self-reported version number, IBM Db2 on Windows is vulnerable to a denial of service by an authenticated user using a specially crafted query. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version...

IBM DB2 Multiple Vulnerabilities (7145721, 7145727) (Windows)

According to its self-reported version number, IBM Db2 on Windows may be affected by multiple vulnerabilites: IBM Db2 is vulnerable to sensitive information disclosure when using ADMIN_CMD with IMPORT or EXPORT. (CVE-2023-38729) IBM Db2 is vulnerable to a denial of service caused by a...

CVE-2024-4610

Use After Free vulnerability in Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU memory processing operations to gain access to already freed memory.This issue affects Bifrost GPU Kernel Driver: from r34p0 through r40p0;...

IBM DB2 Multiple Vulnerabilities (7145722, 7145730) (Unix)

According to its self-reported version number, IBM Db2 on Unix may be affected by multiple vulnerabilites: IBM® Db2® is vulnerable to denial of service when quering a specific UDF built-in function concurrently. (CVE-2023-52296) IBM® Db2® is vulnerable to a denial of service with a...

IBM DB2 DoS (7145726) (Unix)

According to its self-reported version number, IBM Db2 on Unix is vulnerable to a denial of service by an authenticated user using a specially crafted query. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version...

IBM DB2 Multiple Vulnerabilities (7145722, 7145730) (Windows)

According to its self-reported version number, IBM Db2 on Windows may be affected by multiple vulnerabilites: IBM® Db2® is vulnerable to denial of service when quering a specific UDF built-in function concurrently. (CVE-2023-52296) IBM® Db2® is vulnerable to a denial of service with a...