Eva-al10; Eva-cl00; Eva-dl00; Eva-l09; Eva-l19; Eva-l29; Eva-tl00; Vie-l09; Vie-l29 Security Vulnerabilities

openbugbounty

All Vulnerabilities for eva.iape.edu.mx Patched via Open Bug Bounty

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Affected Website: eva.iape.edu.mx. Open Bug...

AI Score

2021-08-21 03:46 PM
13
openbugbounty

All Vulnerabilities for eva.yavirac.edu.ec Patched via Open Bug Bounty

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Affected Website: eva.yavirac.edu.ec. Open Bug...

6.3 AI Score

2021-08-21 01:50 PM
4
malwarebytes

Twitter says it out loud: Removing anonymity will not stop online abuse

An investigation by Twitter into racist tweets levied against three Black players on the English football team following the national hopefuls’ loss against Italy last month revealed that anonymity played almost no role in whether users posted abusive comments from their accounts. The analysis,...

7 AI Score

2021-08-11 06:45 PM
180
malwarebytes

Apple’s search for child abuse imagery raises serious privacy questions

The Internet has been on fire since the August 4 discovery (disclosed publicly by Mathew Green) that Apple will be monitoring photos uploaded to iCloud for child sexual abuse material (CSAM). Some see this as a great move by Apple that will protect children. Others view this as a potentially...

-0.8 AI Score

2021-08-06 09:10 PM
53
trendmicroblog

Our vision for a cybersecurity platform

Trend Micro co-founder and CEO Eva Chen discusses our latest vision, strategy, and cybersecurity platform approach at Perspectives...

3.4 AI Score

2021-08-03 12:00 AM
10
code423n4

reputation risk via upgradable contracts

Handle: gpersoon. Vulnerability details. Impact: The contract SwappableYieldSource is upgradable. This means the owner could upgrade and change the contract to add any new functionality. Amongst others, the owner could retrieve all the tokens of the YieldSource and transfer them out. The project could...

6.8 AI Score

2021-07-30 12:00 AM
5
code423n4

Deployer backdoors in DAOVault, Router and SynthVault contracts

Handle: 0xRajeev. Vulnerability details. Impact: The contracts use an access control pattern where the contract deployer is included in the onlyDAO modifier, which is used for authorized access to critical functions. Such contracts also include a purgeDeployer function which renounces (sets to...

7 AI Score

2021-07-21 12:00 AM
8
code423n4

The safe versions of transfer/transferFrom are not implemented as expected

Handle: 0xRajeev. Vulnerability details. Impact: The “safe” versions of token transfer/transferFrom, as implemented either by OpenZeppelin’s SafeERC20 or Uniswap libraries, use a low-level call and make checks on the return data to handle cases where tokens may not return any value on...

6.8 AI Score

2021-07-14 12:00 AM
4
code423n4

Incompatibility With Rebasing/Deflationary/Inflationary tokens

Handle: 0xRajeev. Vulnerability details. Impact: WildCredit allows the permissionless listing of any ERC20 assets/pairs to be used in the protocol. Some of these tokens could charge a fee, add a reward or rebase over time. However, the protocol does not have the required support to handle such tokens...

6.8 AI Score

2021-07-14 12:00 AM
3
openbugbounty

All Vulnerabilities for campusvirtual.ulsasaltillo.edu.mx Patched via Open Bug Bounty

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Affected Website: campusvirtual.ulsasaltillo.edu.mx ...

AI Score

2021-07-13 07:45 AM
4
code423n4

safeTransferFrom in TransferHelper is not safeTransferFrom

Handle: jonah1005. Vulnerability details. Impact: A non-standard ERC20 token would always raise an error when calling _safeTransferFrom. If a user creates a USDT/DAI pool and deposits into the pool, he would find out there's never a counterpart deposit. Proof of Concept: TransferHelper does not use...

6.9 AI Score

2021-07-13 12:00 AM
9
github

Ratpack's default client side session signing key is highly predictable

Impact: The client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone...

4.4 CVSS

0.5 AI Score

0.001 EPSS

2021-07-01 05:02 PM
52
osv

Ratpack's default client side session signing key is highly predictable

Impact: The client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is not on by default), the session data could be tampered with by someone...

3.1 CVSS

0.5 AI Score

0.001 EPSS

2021-07-01 05:02 PM
10
openbugbounty

All Vulnerabilities for eva.ladolorosa-loja.edu.ec Patched via Open Bug Bounty

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Affected Website: eva.ladolorosa-loja.edu.ec...

-0.1 AI Score

2021-06-30 03:42 AM
4
nvd

CVE-2021-29480

Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is...

3.1 CVSS

0.001 EPSS

2021-06-29 07:15 PM
1
osv

CVE-2021-29480

Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is...

3.1 CVSS

7 AI Score

0.001 EPSS

2021-06-29 07:15 PM
5
cve

CVE-2021-29480

Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is...

4.4 CVSS

4.2 AI Score

0.001 EPSS

2021-06-29 07:15 PM
47
cvelist

CVE-2021-29480 Default client side session signing key is highly predictable

Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, the client side session module uses the application startup time as the signing key by default. This means that if an attacker can determine this time, and if encryption is not also used (which is recommended, but is...

4.4 CVSS

4.9 AI Score

0.001 EPSS

2021-06-29 06:15 PM
osv

Prototype Pollution

Prototype pollution vulnerability in ‘expand-hash’ versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code...

9.8 CVSS

6.8 AI Score

0.007 EPSS

2021-06-21 05:14 PM
9
github

Prototype Pollution

Prototype pollution vulnerability in ‘expand-hash’ versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code...

9.8 CVSS

6.8 AI Score

0.007 EPSS

2021-06-21 05:14 PM
40
openbugbounty

All Vulnerabilities for eva.fder.udelar.edu.uy Patched via Open Bug Bounty

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Affected Website: eva.fder.udelar.edu.uy. Open...

-0.1 AI Score

2021-06-11 01:45 PM
4
cve

CVE-2021-25948

Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code...

9.8 CVSS

9.5 AI Score

0.007 EPSS

2021-06-10 12:15 PM
30
2
osv

CVE-2021-25948

Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code...

9.8 CVSS

7.7 AI Score

0.007 EPSS

2021-06-10 12:15 PM
1
nvd

CVE-2021-25948

Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code...

9.8 CVSS

0.007 EPSS

2021-06-10 12:15 PM
cvelist

CVE-2021-25948

Prototype pollution vulnerability in 'expand-hash' versions 0.1.0 through 1.0.1 allows an attacker to cause a denial of service and may lead to remote code...

9.8 AI Score

0.007 EPSS

2021-06-10 11:55 AM
threatpost

Amazon Sidewalk Poised to Sweep You Into Its Mesh

On June 8, Amazon, the Web giant with tentacles reaching into every nook and cranny of our lives, is going to stretch those tentacles out further by turning all its gadgets into little cell towers so they can help each other out with little slices of bandwidth. It’s created a new Wi-Fi...

-0.5 AI Score

2021-06-02 10:58 AM
47
code423n4

pendingWithdrawals not decreased after a withdraw

Handle: shw. Vulnerability details. Impact: The variable pendingWithdrawals in the contract Withdrawable is not decreased after the function withdraw is called, which causes the return value of the function getReserveBalance to be less than it should be. This bug could cause incorrect results in several...

6.9 AI Score

2021-05-27 12:00 AM
4
malwarebytes

Colonial Pipeline attack spurs new rules for critical infrastructure

Following a devastating cyberattack on the Colonial Pipeline, the Transportation Security Administration—which sits within the government’s Department of Homeland Security—will issue its first-ever cybersecurity directive for pipeline companies in the United States, according to exclusive...

7.1 AI Score

2021-05-25 08:07 PM
28
huntr

Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

Description: In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/copystorage.php#L29 you echo a command built with untrusted user input without sanitizing it: `&1"; echo "Command: $command\n"; // I can embed custom and malicious JS...`

-0.1 AI Score

2021-05-12 02:23 PM
2
github

Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime

Impact: AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when a padding error would occur while...

5.9 CVSS

2 AI Score

0.001 EPSS

2021-04-19 03:00 PM
49
osv

Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime

Impact: AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when a padding error would occur while...

5.9 CVSS

2 AI Score

0.001 EPSS

2021-04-19 03:00 PM
6
github

Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime

Impact: AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when a padding error would occur while...

5.9 CVSS

2 AI Score

0.001 EPSS

2021-04-19 02:59 PM
45
osv

Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime

Impact: AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when a padding error would occur while...

5.9 CVSS

2 AI Score

0.001 EPSS

2021-04-19 02:59 PM
6
osv

Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime

Impact: AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when a padding error would occur while...

5.9 CVSS

2 AI Score

0.001 EPSS

2021-04-19 02:58 PM
13
github

Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime

Impact: AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. But a possibly observable difference in timing when a padding error would occur while...

5.9 CVSS

2 AI Score

0.001 EPSS

2021-04-19 02:58 PM
47
github

Padding Oracle Attack due to Observable Timing Discrepancy in jose

jose is an npm library providing a number of cryptographic operations. Impact: AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. But a...

5.9 CVSS

0.9 AI Score

0.001 EPSS

2021-04-19 02:57 PM
45
osv

Padding Oracle Attack due to Observable Timing Discrepancy in jose

jose is an npm library providing a number of cryptographic operations. Impact: AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be thrown. But a...

5.9 CVSS

0.9 AI Score

0.001 EPSS

2021-04-19 02:57 PM
10
nvd

CVE-2021-29443

jose is an npm library providing a number of cryptographic operations. In vulnerable versions AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be...

5.9 CVSS

0.001 EPSS

2021-04-16 06:15 PM
cve

CVE-2021-29443

jose is an npm library providing a number of cryptographic operations. In vulnerable versions AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be...

5.9 CVSS

5.6 AI Score

0.001 EPSS

2021-04-16 06:15 PM
55
6
osv

CVE-2021-29443

jose is an npm library providing a number of cryptographic operations. In vulnerable versions AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be...

5.9 CVSS

5.7 AI Score

0.001 EPSS

2021-04-16 06:15 PM
3
prion

Code injection

jose is an npm library providing a number of cryptographic operations. In vulnerable versions AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be...

5.9 CVSS

5.7 AI Score

0.001 EPSS

2021-04-16 06:15 PM
3
cvelist

CVE-2021-29443 Padding Oracle Attack due to Observable Timing Discrepancy in jose

jose is an npm library providing a number of cryptographic operations. In vulnerable versions AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, JWEDecryptionFailed would be...

5.9 CVSS

5.9 AI Score

0.001 EPSS

2021-04-16 05:35 PM
malwarebytes

Slack hurries to fix direct message flaw that allowed harassment

The enormous work messaging platform Slack quickly reversed course yesterday, promising to revise a brand-new direct message feature that could have been misused for harassment. Added to the company’s “Slack Connect” product—which lets enterprise users share messages with contract workers and...

6.9 AI Score

2021-03-25 06:37 PM
34
malwarebytes

150,000 Verkada security cameras hacked—to make a point

Hackers were able to gain access to camera feeds from Verkada, a tech company that specializes in video security and physical access control, to demonstrate how prevalent surveillance is, reports say. Unfortunately, it also exposed the inner workings of hospitals, clinics, and mental health...

0.4 AI Score

2021-03-12 06:01 PM
38
mmpc

Finalists announced in second annual Microsoft Security 20/20 awards

2020 was a transformational year. Seemingly overnight, COVID-19 reshaped our perspective on work, home life, and security. Setting up home offices and powering through online presentations in our pajama bottoms (with cameos by pets and children), our industry rose to the challenge. All that...

0.7 AI Score

2021-03-11 10:00 PM
47
mssecure

Finalists announced in second annual Microsoft Security 20/20 awards

2020 was a transformational year. Seemingly overnight, COVID-19 reshaped our perspective on work, home life, and security. Setting up home offices and powering through online presentations in our pajama bottoms (with cameos by pets and children), our industry rose to the challenge. All that...

0.7 AI Score

2021-03-11 10:00 PM
37
malwarebytes

A week in security (March 1 – 7)

Last week on Malwarebytes Labs, our podcast featured Eva Galperin who talked to us about defending online anonymity and speech. We wrote about how Ryuk ransomware has developed a worm-like capability, how Exchange servers are attacked by Hafnium zero-days, 21 million free VPN users’ data was...

6.8 AI Score

2021-03-08 01:04 PM
112
malwarebytes

Defending online anonymity and speech with Eva Galperin: Lock and Code S02E03

This week on Lock and Code, we discuss the top security headlines generated right here on Labs. In addition, we talk to Eva Galperin, director of cybersecurity for Electronic Frontier Foundation, about the importance of protecting online anonymity and speech. In January, the New York Times...

7 AI Score

2021-03-01 02:00 PM
34
threatpost

Cyberattacks Launch Against Vietnamese Human-Rights Activists

Human-rights activists are being targeted by cyberattacks as part of a wider effort by the Vietnamese state to censor anyone speaking out against the government, Amnesty International’s Security Lab alleges. Ocean Lotus, a well-known threat actor dating back to 2013, is behind the spyware campaign....

0.6 AI Score

2021-02-25 08:06 PM
187
malwarebytes

Would real identities make social media safer?

“Use real identities to reduce abuse online” is a talking point you've almost certainly seen down the years. It also seems to come around like clockwork every other month, and is currently a hot topic in the UK after prominent journalists / media personalities raised the issue. It’s an interesting...

6.8 AI Score

2021-02-03 07:22 PM
25

Total number of security vulnerabilities: 1514