Lenovo XClarity Controller (XCC) Vulnerabilities - Lenovo Support US

No description provided...

A week in security (March 6 - 12)

Last week on Malwarebytes Labs: 8 cybersecurity tips to keep you safe when travelling National Cybersecurity Strategy Document: What you need to know Intel CPU vulnerabilities fixed. But should you update? Warning issued over Royal ransomware Play ransomware gang leaks City of Oakland data...

The _allocBPS field from strategy struct can be 0 this will make the strategy irrevocable

Lines of code Vulnerability details Impact No sanity check will make a strategy irrevocable Proof of Concept The addStrategy function can be used to add a strategy, there are multiple sanity checks inside the function however there is missing a very important one, there is no check for allocBPS !...

New National Cybersecurity Strategy

Last week, the Biden administration released a new National Cybersecurity Strategy summary here. There is lots of good commentary out there. Its basically a smart strategy, but the hard parts are always the implementation details. Its one thing to say that we need to secure our cloud...

National Cybersecurity Strategy Document: What you need to know

The US Government has been working on the National Cybersecurity Strategy Document 2023 for some time now, and its finally been released. The strategy document, which replaces the last such piece of work from 2018, attempts to indicate the general direction of the US approach to cybercrime and...

The High-Stakes Blame Game in the White House Cybersecurity Plan

The Biden administration’s new strategy would shift the liability for security failures to a controversial target: the companies that caused them...

White House National Cybersecurity Strategy: Software Firms Liable for Breaches

By Waqas Under the new National cybersecurity strategy, critical infrastructure firms and software companies will face federal accountability for security… This is a post from HackRead.com Read the original post: White House National Cybersecurity Strategy: Software Firms Liable for Breaches...

TPM 2.0 Vulnerabilities - Lenovo Support US

No description provided...

Application Security vs. API Security: What is the difference?

As digital transformation takes hold and businesses become increasingly reliant on digital services, it has become more important than ever to secure applications and APIs Application Programming Interfaces. With that said, application security and API security are two critical components of a...

How to Use AI in Cybersecurity and Avoid Being Trapped

The use of AI in cybersecurity is growing rapidly and is having a significant impact on threat detection, incident response, fraud detection, and vulnerability management. According to a report by Juniper Research, the use of AI for fraud detection and prevention is expected to save businesses $1...

apollo-portal has potential CSRF issue

Impact A low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Patches Cookie SameSite strategy was set to Lax in 4664 and was...

Akamai’s Differentiated Cloud Strategy

Akamai is taking a different approach to cloud computing than providers who base their platforms solely on core data centers. Read more about our strategy...

CVE-2023-25569

Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cooki...

Design/Logic Flaw

Apollo is a configuration management system. Prior to version 2.1.0, a low-privileged user can create a special web page. If an authenticated portal admin visits this page, the page can silently send a request to assign new roles for that user without any confirmation from the Portal admin. Cooki...

SUSE CVE-2022-23630

Gradle is a build tool with a focus on build automation and support for multi-language development. In some cases, Gradle may skip that verification and accept a dependency that would otherwise fail the build as an untrusted external artifact. This occurs when dependency verification is disabled ...

Malicious Package

Overview s3trnasfers is a malicious package. It attempts typosquatting popular packages. The malicious script is base64 obfuscated located in init.py file and tries to steal the current username, platform and IP information and send them to a remote host. Malicious behavior python import getpass...

CVE-2023-23925

Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation EXIST, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack reDOS. This issue has been...

Design/Logic Flaw

Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation EXIST, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack reDOS. This issue has been...

CVE-2023-23925 Switcher Client contains Regular Expression Denial of Service (ReDoS)

Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation EXIST, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack reDOS. This issue has been...

CVE-2023-23925 Switcher Client contains Regular Expression Denial of Service (ReDoS)

Switcher Client is a JavaScript SDK to work with Switcher API which is cloud-based Feature Flag. Unsanitized input flows into Strategy match operation EXIST, where it is used to build a regular expression. This may result in a Regular expression Denial of Service attack reDOS. This issue has been...