
5608 matches found

Talos Blog
added 2024/05/31 12:0 p.m. · 27 views

New banking trojan “CarnavalHeist” targets Brazil with overlay attacks

Since February 2024, Cisco Talos has been observing an active campaign targeting Brazilian users with a new banking trojan called "CarnavalHeist." Many of the observed tactics, techniques and procedures (TTPs) are common among other banking trojans coming out of Brazil. This family has also been...

AI score 8
Exploits 0
SUSE CVE
added 2024/05/31 3:27 a.m. · 4 views

SUSE CVE-2024-23948

Multiple improper array index validation vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the...

CVSS 8.8 · AI score 7 · EPSS 0.00916
Exploits 0 · References 3
SUSE CVE
added 2024/05/31 3:27 a.m. · 3 views

SUSE CVE-2024-23951

Multiple improper array index validation vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the...

CVSS 8.8 · AI score 7 · EPSS 0.00916
Exploits 0 · References 3
Github Security Blog
added 2024/05/30 1:42 p.m. · 10 views

Twig Path Traversal vulnerability in the filesystem loader

Twig is affected by a path traversal vulnerability when used with TwigLoaderFilesystem for loading Twig templates, but only if the application is using non-trusted template names (names provided by an end user, for instance). When affected, it is possible to go up one directory for the paths configured ...

AI score 6.8
Exploits 0 · References 4 · Affected Software 1
OSV
added 2024/05/30 1:42 p.m. · 10 views

GHSA-7CVR-XHM5-X998 Twig Path Traversal vulnerability in the filesystem loader

Twig is affected by a path traversal vulnerability when used with TwigLoaderFilesystem for loading Twig templates, but only if the application is using non-trusted template names (names provided by an end user, for instance). When affected, it is possible to go up one directory for the paths configured ...

CVSS 5.3 · AI score 6.8
Exploits 0 · References 4
OSV
added 2024/05/30 1:10 p.m. · 11 views

GHSA-4VF2-QFG3-7598 symfony/validator XML Entity Expansion vulnerability

Symfony 2.0.11 carried a similar XXE security fix, however, on review of ZF2 I also noted a vulnerability to XML Entity Expansion (XEE) attacks whereby all extensions making use of libxml2 have no defense against XEE Quadratic Blowup Attacks. The vulnerability is a function of there being no curren...

CVSS 7.5 · AI score 7.2
Exploits 0 · References 4
Positive Technologies
added 2024/05/30 12:0 a.m. · 3 views

PT-2024-40262 · Symfony +2

Name of the Vulnerable Software and Affected Versions: Symfony versions prior to the latest version. Description: The issue concerns XML Entity Expansion (XEE) attacks, which can lead to Denial of Service attacks against a host's RAM. This is due to the lack of a method to disable custom entities in...

CVSS 7.5 · AI score 7.1
Exploits 0 · References 5
Positive Technologies
added 2024/05/30 12:0 a.m. · 3 views

PT-2024-40156 · Twig

Name of the Vulnerable Software and Affected Versions: Twig (affected versions not specified). Description: The issue allows for path traversal when Twig is used with Twig Loader Filesystem for loading templates and the application uses non-trusted template names. This enables an attacker to access...

CVSS 5.3 · AI score 6.9
Exploits 0 · References 5
OSV
added 2024/05/28 2:15 p.m. · 3 views

UBUNTU-CVE-2024-23951

Multiple improper array index validation vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the...

CVSS 8.8 · AI score 5.8 · EPSS 0.00916
Exploits 0 · References 3
OSV
added 2024/05/28 2:15 p.m. · 2 views

UBUNTU-CVE-2024-24584

Multiple out-of-bounds read vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds read. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the readMSH function while processin...

CVSS 4.3 · AI score 5.8 · EPSS 0.00539
Exploits 0 · References 3
OSV
added 2024/05/28 2:15 p.m. · 2 views

UBUNTU-CVE-2024-23948

Multiple improper array index validation vulnerabilities exist in the readMSH functionality of libigl v2.5.0. A specially crafted .msh file can lead to an out-of-bounds write. An attacker can provide a malicious file to trigger this vulnerability. This vulnerability concerns the...

CVSS 8.8 · AI score 5.8 · EPSS 0.00916
Exploits 0 · References 3
hivepro
added 2024/05/23 2:0 p.m. · 16 views

D3Fack Loader: New Malware Exploits Google Ads and EV Certificates

...

AI score 7.3
Exploits 0
RedHat Linux
added 2024/05/22 10:18 a.m. · 37 views

Moderate: Red Hat Security Advisory: grub2 security update

An update for grub2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the...

CVSS 7.8 · AI score 6.6 · EPSS 0.00536
Exploits 2 · References 7
RedHat Linux
added 2024/05/22 10:3 a.m. · 2 views

kernel: ext4: fix bug_on in __es_tree_search caused by bad boot loader inode

A flaw was identified in the ext4 filesystem implementation in the Linux kernel where a malformed or improperly initialized boot loader inode could trigger a BUG_ON condition inside the __es_tree_search function. This occurs when the inode’s mode (i_mode) is an unexpected type and the code does not...

AI score 7.3 · EPSS 0.00205
Exploits 0 · References 5
Veracode
added 2024/05/22 8:13 a.m. · 26 views

Prototype Pollution

@bit/loader is vulnerable to Prototype Pollution. The vulnerability is due to missing __proto__ property restrictions within the M function's e argument in index.js, which allows an attacker to execute arbitrary code...

CVSS 8.8 · AI score 7.4 · EPSS 0.00687
Exploits 0 · References 2 · Affected Software 1
OSV
added 2024/05/22 12:0 a.m. · 29 views

ALSA-2024:3184 Moderate: grub2 security update

The grub2 packages provide version 2 of the Grand Unified Boot Loader (GRUB), a highly configurable and customizable boot loader with modular architecture. The packages support a variety of kernel formats, file systems, computer architectures, and hardware devices. Security Fixes: grub2:...

CVSS 7.8 · AI score 6.8 · EPSS 0.00536
Exploits 2 · References 8
vulnersOsv
added 2024/05/20 6:31 p.m. · 6 views

@bit/bundler (>=12.0.0 <=12.1.3), pakit (>=2.0.0 <=2.3.0) potentially affected by CVE-2024-24293 via @bit/loader (=10.0.3)

@bit/loader NPM version =10.0.3 is affected by a known vulnerability. The following packages have a transitive dependency on @bit/loader and may be impacted: @bit/bundler (>=12.0.0 <=12.1.3), pakit (>=2.0.0 <=2.3.0). Source cves: CVE-2024-24293. Source advisory: OSV:GHSA-8VR4-H4RR-8PH6...

CVSS 8.8 · AI score 7.2 · EPSS 0.00687
Exploits 0
OSV
added 2024/05/20 6:31 p.m. · 16 views

GHSA-8VR4-H4RR-8PH6 MiguelCastillo @bit/loader Prototype Pollution issue

A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js...

CVSS 8.8 · AI score 8.9 · EPSS 0.00687
Exploits 0 · References 3
Github Security Blog
added 2024/05/20 6:31 p.m. · 17 views

MiguelCastillo @bit/loader Prototype Pollution issue

A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js...

CVSS 8.8 · AI score 8 · EPSS 0.00687
Exploits 0 · References 3 · Affected Software 1
NVD
added 2024/05/20 6:15 p.m. · 28 views

CVE-2024-24293

A Prototype Pollution issue in MiguelCastillo @bit/loader v.10.0.3 allows an attacker to execute arbitrary code via the M function e argument in index.js...

CVSS 8.8 · AI score 7.4 · EPSS 0.00687
Exploits 0 · References 1