Snapdragon Auto, Snapdragon Compute, Snapdragon Mobile Security Vulnerabilities

CVE-2024-34129 Acrobat Android : OverSecured Finding : Overwriting arbitrary files via attacker-controlled output file paths

Acrobat Mobile Sign Android versions 24.4.2.33155 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability to access files and directories....

AI and the Indian Election

As India concluded the world's largest election on June 5, 2024, with over 640 million votes counted, observers could assess how the various parties and factions used artificial intelligence technologies--and what lessons that holds for the rest of the world. The campaigns made extensive use of...

Operation Celestial Force employs mobile and desktop malware to target Indian entities

By Gi7w0rm, Asheer Malhotra and Vitor Ventura. Cisco Talos is disclosing a new malware campaign called "Operation Celestial Force" running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track...

Cinterion EHS5 3G UMTS/HSPA Module Research

Modems play an important role in enabling connectivity for a wide range of devices. This includes not only traditional mobile devices and household appliances, but also telecommunication systems in vehicles, ATMs and Automated Process Control Systems (APCS). When integrating the modem, many...

Ukraine Police Arrest Suspect Linked to LockBit and Conti Ransomware Groups

The Cyber Police of Ukraine has announced the arrest of a local man who is suspected to have offered their services to LockBit and Conti ransomware groups. The unnamed 28-year-old native of the Kharkiv region allegedly specialized in the development of crypters to encrypt and obfuscate malicious...

Auto Coupons for WooCommerce < 3.0.15 - Reflected Cross-Site Scripting

Description The Auto Coupons for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.0.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

Ubuntu: Security Advisory (USN-6831-1)

The remote host is missing an update for...

CVE-2024-32504

An issue was discovered in Samsung Mobile Processor and Wearable Processor Exynos 850, Exynos 1080, Exynos 2100, Exynos 1280, Exynos 1380, Exynos 1330, Exynos W920, Exynos W930. The mobile processor lacks proper length checking, which can result in an OOB (Out-of-Bounds) Write...

WPMobile.App — Android and iOS Mobile Application < 11.42 - Reflected Cross-Site Scripting

Description The WPMobile.App — Android and iOS Mobile Application plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 11.41 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

CVE-2024-32504

An issue was discovered in Samsung Mobile Processor and Wearable Processor Exynos 850, Exynos 1080, Exynos 2100, Exynos 1280, Exynos 1380, Exynos 1330, Exynos W920, Exynos W930. The mobile processor lacks proper length checking, which can result in an OOB (Out-of-Bounds) Write...

CVE-2024-31956

An issue was discovered in Samsung Mobile Processor Exynos 2200, Exynos 1480, Exynos 2400. It lacks proper buffer length checking, which can result in an Out-of-Bounds...

CVE-2024-31956

An issue was discovered in Samsung Mobile Processor Exynos 2200, Exynos 1480, Exynos 2400. It lacks proper buffer length checking, which can result in an Out-of-Bounds...

SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:2008-1)

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2008-1 advisory. The SUSE Linux Enterprise 15 SP5 RT kernel was updated to receive various security bugfixes. The following security bugs were...

CVE-2024-5906

A cross-site scripting (XSS) vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to....

CVE-2024-5906

A cross-site scripting (XSS) vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to....

CVE-2024-5906 Prisma Cloud Compute: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface

A cross-site scripting (XSS) vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to....

CVE-2024-2300

HP Advance Mobile Applications for iOS and Android are potentially vulnerable to information disclosure when using an outdated version of the application via mobile...

CVE-2024-2300

HP Advance Mobile Applications for iOS and Android are potentially vulnerable to information disclosure when using an outdated version of the application via mobile...

CVE-2024-2300 HP Advance Mobile Application – Potential Information Disclosure

HP Advance Mobile Applications for iOS and Android are potentially vulnerable to information disclosure when using an outdated version of the application via mobile...

CVE-2023-52742

In the Linux kernel, the following vulnerability has been resolved: net: USB: Fix wrong-direction WARNING in plusb.c The syzbot fuzzer detected a bug in the plusb network driver: A zero-length control-OUT transfer was treated as a read instead of a write. In modern kernels this error provokes a...

Unbreakable Enterprise kernel security update

[5.15.0-207.156.6] - uek-container: Add advanced routing options (Boris Ostrovsky) [Orabug: 36691279] - slub: use count_partial_free_approx() in slab_out_of_memory() (Jianfeng Wang) [Orabug: 36655468] - slub: introduce count_partial_free_approx() (Jianfeng Wang) [Orabug: 36655468] - Revert...

RHEL 8 : fence-agents (RHSA-2024:3811)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:3811 advisory. The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or...

RHEL 9 : fence-agents (RHSA-2024:3820)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:3820 advisory. The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or...

Oracle Linux 9 : fence-agents (ELSA-2024-3820)

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-3820 advisory. - bundled jinja2: fix CVE-2024-34064 Resolves: RHEL-36482 Tenable has extracted the preceding description block directly from the Oracle Linux security...

10 years of the GitHub Security Bug Bounty Program

Each year, we celebrate the GitHub Security Bug Bounty program, highlighting impressive bugs and researchers, rewards, live hacking events, and more. This year, we celebrate a new milestone: 10 years of the GitHub Security Bug Bounty program! While we've had some exciting growth over the last 10...

Schneider Electric APC Easy UPS Online Monitoring Software (Update A)

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/Low attack complexity/Public exploits available Vendor: Schneider Electric Equipment: APC Easy UPS Online Monitoring Software Vulnerability: OS Command Injection, Missing Authentication for Critical Function 2. RISK...

Apple Launches Private Cloud Compute for Privacy-Centric AI Processing

Apple has announced the launch of a "groundbreaking cloud intelligence system" called Private Cloud Compute (PCC) that's designed for processing artificial intelligence (AI) tasks in a privacy-preserving manner in the cloud. The tech giant described PCC as the "most advanced security architecture.....

Enjin: Cloudflare /cdn-cgi/ path allows resizing images from unauthorised sources on enjinusercontent.com

Summary Hello team, During a review of the website: https://nft.production.enjinusercontent.com/ I discovered that any resource hosted under any external CDN can be rendered on the website without any restrictions. This behavior leads display of images or resources on the website, which may cause.....

CVE-2024-3549

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the 'b2sSortPostType' parameter in all versions up to, and including, 7.4.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL....

CVE-2024-3549

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the 'b2sSortPostType' parameter in all versions up to, and including, 7.4.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL....

Update 24.1 for Microsoft Dynamics 365 Business Central (on-premises) 2024 Release Wave 1 (Application Build 24.1.19498, Platform Build 24.0.19487)

Update 24.1 for Microsoft Dynamics 365 Business Central (on-premises) 2024 Release Wave 1 (Application Build 24.1.19498, Platform Build 24.0.19487) Overview This update replaces previously released updates. You should always install the latest update. This update also fixes vulnerabilities. For...

June 11, 2024—KB5039213 (OS Build 22000.3019)

June 11, 2024—KB5039213 (OS Build 22000.3019) For information about Windows update terminology, see the article about the types of Windows updates and the monthly quality update types. For an overview of Windows 11, version 21H2, see its update history page. Note Follow @WindowsUpdate to find out.....

CVE-2024-3549 Blog2Social: Social Media Auto Post & Scheduler <= 7.4.1 - Authenticated (Subscriber+) SQL Injection

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the 'b2sSortPostType' parameter in all versions up to, and including, 7.4.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL....

RHEL 8 : fence-agents (RHSA-2024:3795)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:3795 advisory. The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or...

AMD SPI Lock Bypass June 2024 Security Update

AMD has informed HP of a potential weakness in AMD SPI protection features, which might allow arbitrary code execution. AMD is releasing firmware updates and HP is enabling AMD ROM Armor to mitigate these vulnerabilities. AMD has released updates to mitigate the potential vulnerability. HP has...

fence-agents security update

[4.10.0-62.3] - bundled jinja2: fix CVE-2024-34064 Resolves: RHEL-36482 [4.10.0-62.2] - fence_eps: add fence_epsr2 for ePowerSwitch R2 and newer Resolves: RHEL-35273 [4.10.0-62.1] - ha-cloud-support: upgrade bundled pyroute2 libs to fix issue in gcp-vpc-move-route's stop-action Resolves:...

Photo Gallery by 10Web – Mobile-Friendly Image Gallery < 1.8.24 - Authenticated (Contributor+) Path Traversal via esc_dir Function

Description The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.8.23 via the esc_dir function. This makes it possible for authenticated attackers to cut and paste (copy) the contents of arbitrary...

SPI Lock Bypass

Bulletin ID: AMD-SB-1041 Potential Impact: System Integrity Severity:High Summary Potential weaknesses in AMD’s SPI protection features may allow an attacker to bypass the native System Management Mode (SMM) ROM protections. CVE Details CVE-2022-23829 A potential weakness in AMD SPI protection...

Moderate: fence-agents security update

The fence-agents packages provide a collection of scripts for handling remote power management for cluster devices. They allow failed or unreachable nodes to be forcibly restarted and removed from the cluster. Security Fix(es): jinja2: accepts keys containing non-attribute characters...

KB5039334: Servicing stack update for Windows 10, version 1607 and Server 2016: June 11, 2024

KB5039334: Servicing stack update for Windows 10, version 1607 and Server 2016: June 11, 2024 __ End of support information Windows 10, version 1607 Mobile and Mobile Enterprise editions reached the end of support (EOS) on October 9, 2018. These editions will no longer be offered servicing stack...

mobile-university-anmeldung.de Cross Site Scripting vulnerability OBB-3934476

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...

A European Summer of Sports is Upon Us – What Does it Mean for Security?

The recent Champions League final in London (congratulations, Real Madrid!) marked the opening shot to a hot European summer of major sporting events. We now approach the highly anticipated UEFA EURO 2024 football tournament in Germany and the Olympic Games in Paris 2024. And as we do, bad actors.....

Google Takes Down Influence Campaigns Tied to China, Indonesia, and Russia

Google has revealed that it took down 1,320 YouTube channels and 1,177 Blogger blogs as part of a coordinated influence operation connected to the People's Republic of China (PRC). "The coordinated inauthentic network uploaded content in Chinese and English about China and U.S. foreign affairs,"...

Bypassing 2FA with phishing and OTP bots

Introduction Two-factor authentication (2FA) is a security feature we have come to expect as standard by 2024. Most of today's websites offer some form of it, and some of them won't even let you use their service until you enable 2FA. Individual countries have adopted laws that require certain...

A week in security (June 3 &#8211; June 9)

Last week on Malwarebytes Labs: Google will start deleting location history Advance Auto Parts customer data posted for sale Husband stalked ex-wife with seven AirTags, indictment says Microsoft Recall snapshots can be easily grabbed with TotalRecall tool Financial sextortion scams on the rise...

Blog2Social: Social Media Auto Post & Scheduler < 7.4.2 - Authenticated (Subscriber+) SQL Injection

Description The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to SQL Injection via the 'b2sSortPostType' parameter in all versions up to, and including, 7.4.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the.....

Intel 2024.2 IPU - BIOS May 2024 Security Update

Intel has informed HP of potential security vulnerabilities in some Intel® Processors, which might allow information disclosure and/or denial of service. Intel is releasing microcode updates to mitigate the potential vulnerabilities. Intel has released updates to mitigate the potential...

HP Advance Mobile Application – Potential Information Disclosure

HP Advance Mobile Applications for iOS and Android are potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. Update your...

CVE-2024-32797

Missing Authorization vulnerability in Martin Gibson WP LinkedIn Auto Publish.This issue affects WP LinkedIn Auto Publish: from n/a through...

CVE-2024-32797

Missing Authorization vulnerability in Martin Gibson WP LinkedIn Auto Publish.This issue affects WP LinkedIn Auto Publish: from n/a through...