7766 matches found
CVE-2021-43860
CVE-2021-43860 (Flatpak) affects Flatpak prior to 1.12.3 and 1.10.6, where permissions shown to users at install time may not match runtime permissions due to a null byte in app metadata. Malicious apps can grant themselves hidden permissions because xa.metadata is read from commit metadata as a ...
CVE-2021-43860
Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.12.3 and 1.10.6, Flatpak doesn't properly validate that the permissions displayed to the user for an app at install time match the actual permissions granted to the app at runtime, in the case that there's a...
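Added example, not Flatpak's own code: a Python model of the mismatch the advisory describes. It assumes the install-time reader takes xa.metadata as a C string (so it stops at the first NUL byte) while the runtime reader consumes the whole metadata file; the sample metadata is constructed, and the parsing details are assumptions of this model, not Flatpak's implementation. The hardened check at the end rejects NUL bytes and requires the commit metadata and the tree's metadata file to agree byte for byte.

```python
import configparser

# Constructed sample metadata (not a real app). A NUL byte splits the [Context]
# section: everything after it is invisible to a reader with C-string semantics.
SAMPLE_METADATA = (
    b"[Application]\n"
    b"name=org.example.App\n"
    b"runtime=org.freedesktop.Platform/x86_64/21.08\n"
    b"\n"
    b"[Context]\n"
    b"shared=network;\n"
    b"\x00"
    b"filesystems=host;\n"
    b"devices=all;\n"
)

# The same metadata without the hidden tail: what an honest app would ship.
CLEAN_METADATA = SAMPLE_METADATA.split(b"\x00", 1)[0]


def context_permissions(text: str) -> dict:
    """Return the key/value pairs of the [Context] section of a key file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["Context"]) if cp.has_section("Context") else {}


def install_time_view(data: bytes) -> dict:
    """Model of the vulnerable install-time reader (assumption of this model):
    xa.metadata is treated as a C string, so parsing stops at the first NUL."""
    visible = data.split(b"\x00", 1)[0]
    return context_permissions(visible.decode("utf-8"))


def runtime_view(data: bytes) -> dict:
    """Model of the runtime reader (assumption of this model): the whole metadata
    file is read; the NUL is dropped so the key-file parser sees every line."""
    return context_permissions(data.replace(b"\x00", b"").decode("utf-8"))


def metadata_accepted(commit_xa_metadata: bytes, tree_metadata: bytes) -> bool:
    """Hardened check: refuse NUL bytes outright and require the commit's
    xa.metadata to match the metadata file in the tree byte for byte."""
    if b"\x00" in commit_xa_metadata or b"\x00" in tree_metadata:
        return False
    return commit_xa_metadata == tree_metadata


if __name__ == "__main__":
    print("shown at install time:", install_time_view(SAMPLE_METADATA))
    print("granted at runtime:   ", runtime_view(SAMPLE_METADATA))
    print("hardened check accepts malicious metadata:",
          metadata_accepted(SAMPLE_METADATA, SAMPLE_METADATA))
```

Run stand-alone, the install-time view lists only `shared=network;` while the runtime view also carries `filesystems=host;` and `devices=all;`; the hardened check rejects the sample because of the NUL byte and accepts `CLEAN_METADATA` only when both copies are identical.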
Lens access control error vulnerability
Lens is a distribution of the OpenLens repository that contains Team Lens-specific customizations released under a legacy EULA. An authorization vulnerability exists in Lens that stems from a lack of WebSocket authentication, leading to remote code execution when a user accesses a malicious websit...
Debian: Security Advisory (DSA-5038-1)
The remote host is missing an update for Debian. SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only. if(description...
Data Skimmer Hits 100+ Sotheby’s Real-Estate Websites
UPDATE: A supply-chain campaign infecting Sotheby's real-estate websites with data-stealing skimmers was recently observed being distributed via a Brightcove cloud-video platform instance. According to Palo Alto Networks' Unit 42 division, researchers noticed that most of the activity affected...
Huawei EulerOS: Security Advisory for krb5 (EulerOS-SA-2021-2858)
The remote host is missing an update for Huawei EulerOS. SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only. if(description...
What is a Botnet ❓ Definition, Types, Example Attack
Security professionals are well aware of the term 'botnet'. It refers to a network of hijacked computers or systems, and anyone building a resilient, robust system should understand it, because a botnet in the wrong hands can cause tremendous damage. Botnet...
NFTXSimpleFeeDistributor#distribute() Wrong implementation of NFTXSimpleFeeDistributor#_sendForReceiver can potentially cause receivers to get wrong amounts of tokens
Handle: WatchPug. Vulnerability details: `function sendForReceiver(FeeReceiver memory receiver, uint256 vaultId, address vault, uint256 amountToSend) internal virtual returns (bool) { if (receiver.isContract) { IERC20Upgradeable(vault).approve(receiver.receiver, amountToSend); // If the receive is not properly...`
Malicious receiver can make distribute function denial of service
Handle: cccz. Vulnerability details. Impact: In the NFTXSimpleFeeDistributor.sol contract, the distribute function calls the sendForReceiver function to distribute the fee: `function distribute(uint256 vaultId) external override virtual nonReentrant { require(nftxVaultFactory != address(0)); address vault = ...`
sendAllocatedYETI() can be called by anyone
Handle: jayjonah8. Vulnerability details. Impact: In TeamAllocation.sol, the sendAllocatedYETI function simply distributes YETI to the team. This is a transfer of value, and it can currently be called by anyone because the onlyTeam modifier is not used here. Proof of Concept. Tools Used: Manual code review...
Livery Delivers a Seamless Low Latency Streaming Experience with Help from Akamai
Our new normal has ushered in the advent of hybrid events — a mix of in-person and virtual events. This has made seamless live streaming with active participation of the audience, both live and remote, more important than ever. Amsterdam-headquartered company Livery is an end-to-end SaaS solution...
claimRewards Does Not Prevent Users From Claiming Rewards After A Promotion's End Epoch
Handle leastwood Vulnerability details Impact claimRewards allows a user to collect their TWAB calculated rewards for a provided set of epochIds. The contract utilises a claimedEpochs mapping which tracks claimed rewards per user. Each claimed epoch is represented by a single bit within a uint256...
How We’re Protecting Customers & Staying Ahead of CVE-2021-44228
CVE-2021-44228 is a high profile vulnerability impacting multiple versions of a widely distributed Java software component, Apache Log4j 2. The specific vulnerability allows for unauthenticated remote code execution. For additional technical information, the team at LunaSec has an excellent...
Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center
Windows 10 and Windows 11 have continued to raise the security bar for drivers running in the kernel. Kernel-mode driver publishers must pass the Hardware Lab Kit (HLK) compatibility tests, malware scanning, and prove their identity through extended validation (EV) certificates. This has significantl...
CVE-2021-40860
A SQL injection in the custom filter query component in Genesys Intelligent Workload Distribution (IWD) before 9.0.013.11 allows an attacker to execute arbitrary SQL queries via the qlexpression parameter, with which all data in the database can be extracted and OS command execution is possible...
Genesys Intelligent Workload Distribution SQL injection vulnerability
Genesys Intelligent Workload Distribution (IWD) is an application from Genesys, Inc. It can be used with the Genesys Customer Interaction Management (CIM) platform to assign tasks to the resources best suited to handle them. A SQL injection vulnerability exists in Genesys Intelligent Workload...
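Added example, not Genesys code: a hypothetical "custom filter" endpoint, modeled in Python over SQLite, that takes a filter expression from the client. The vulnerable version pastes the expression into the query, so a crafted expression reads a different table (the data-extraction outcome the CVE text describes); the hardened version accepts only a `field op value` grammar, allow-lists the field and operator, and binds the value as a parameter. Table names, rows and the payload are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database: a tasks table plus a credentials table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE tasks(id INTEGER PRIMARY KEY, subject TEXT, owner TEXT);
        CREATE TABLE users(login TEXT, password_hash TEXT);
        INSERT INTO tasks VALUES (1, 'Refund request', 'alice'), (2, 'Address change', 'bob');
        INSERT INTO users VALUES ('admin', '$2b$12$constructedhash');
        """
    )
    return conn


# Constructed payload: closes the intended comparison and appends a UNION
# that reads from an unrelated table.
INJECTED_EXPRESSION = (
    "owner = 'nobody' UNION SELECT login || ':' || password_hash FROM users"
)


def filter_tasks_vulnerable(conn: sqlite3.Connection, expression: str) -> list:
    """Vulnerable pattern: the client-controlled expression becomes part of the SQL."""
    return conn.execute(f"SELECT subject FROM tasks WHERE {expression}").fetchall()


ALLOWED_FIELDS = {"subject", "owner"}
ALLOWED_OPS = {"=", "!=", "LIKE"}


def compile_filter(expression: str):
    """Hardened pattern: accept only 'field op value', allow-list the field and
    operator, and return the value separately so it is bound, never interpolated."""
    parts = expression.split(" ", 2)
    if len(parts) != 3:
        raise ValueError("filter must have the form 'field op value'")
    field, op, value = parts
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed: {field}")
    if op.upper() not in ALLOWED_OPS:
        raise ValueError(f"operator not allowed: {op}")
    return f'"{field}" {op.upper()} ?', (value,)


def filter_tasks_safe(conn: sqlite3.Connection, expression: str) -> list:
    """Only the allow-listed clause reaches the SQL text; the value is a bound parameter."""
    where, params = compile_filter(expression)
    return conn.execute(f"SELECT subject FROM tasks WHERE {where}", params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(filter_tasks_vulnerable(db, INJECTED_EXPRESSION))  # [('admin:$2b$12$constructedhash',)]
    print(filter_tasks_safe(db, "owner = alice"))             # [('Refund request',)]
    print(filter_tasks_safe(db, INJECTED_EXPRESSION))         # [] : payload bound as a literal value
```

The point of the safe version is that the payload still parses as a filter (field `owner`, operator `=`, value `'nobody' UNION ...`), but because the value is bound as a parameter it is compared as a string and matches nothing; any field or operator outside the allow-list is rejected before a query is built.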
A vulnerability in the RPCbind dynamic port-mapping service, caused by unbounded resource allocation, allows attackers to cause a denial of service.
The vulnerability in the RPCbind dynamic port-mapping service is related to unbounded resource allocation. A remote attacker can exploit it to cause a denial of service...
openSUSE 15 Security Update : singularity (openSUSE-SU-2021:1525-1)
The remote SUSE Linux (SUSE15) host has a package installed that is affected by a vulnerability as referenced in the openSUSE-SU-2021:1525-1 advisory. - The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution...
Emotet’s back and it isn’t wasting any time
Emotet is one of the best known, and most dangerous, malware threats of the past several years. On several occasions it appeared to take an early retirement, but it has always come back. In January of this year, a global police operation dismantled Emotet's botnet. Law enforcement then used their...