
7401 matches found

Malwarebytes
added 2023/11/20 8:0 a.m., 9 views

A week in security (November 13 – November 19)

Last week on Malwarebytes Labs: Signal is testing usernames so you don’t have to share your phone number; State of Maine data breach impacts 1.3 million people; Credit card skimming on the rise for the holiday shopping season; Update now! Microsoft patches 3 actively exploited zero-days; Ransomware...

7.3 AI score
Exploits: 0
BDU FSTEC
added 2023/11/18 12:0 a.m., 3 views

The vulnerability of Zoom’s video conferencing software lies in the insufficient testing of exception states, allowing attackers to trigger service failures.

The vulnerability of Zoom video conferencing software is related to insufficient testing of exception states. Exploiting this vulnerability could allow a malicious actor to cause service failures...

4.3 CVSS, 6.5 AI score, 0.00282 EPSS
Exploits: 0, References: 2, Affected Software: 5
Citrix
added 2023/11/17 12:0 a.m., 4 views

Microsoft Security Update Validation Report November 2023

Microsoft’s November 2023 security updates have passed Citrix testing (the updates are listed below). The testing is not all-inclusive; all tests are executed against English-only environments, and issues may still be found upon implementation. Follow best practices for testing and installing softwa...

7 AI score
Exploits: 0
Kitploit
added 2023/11/15 11:30 a.m., 49 views

Goblob - A Fast Enumeration Tool For Publicly Exposed Azure Storage Blobs

Goblob is a lightweight and fast enumeration tool designed to aid in the discovery of sensitive information exposed publicly in Azure blobs, which can be useful for various research purposes such as vulnerability assessments, penetration testing, and reconnaissance. Warning. Goblob will issue...

6.9 AI score
Exploits: 0, References: 7
OSV
added 2023/11/14 7:15 p.m., 2 views

CVE-2023-40719

A use of hard-coded credentials vulnerability in Fortinet FortiAnalyzer and FortiManager 7.0.0 - 7.0.8, 7.2.0 - 7.2.3 and 7.4.0 allows an attacker to access Fortinet private testing data via the use of static credentials...

5.5 CVSS, 5.8 AI score, 0.00045 EPSS
Exploits: 0, References: 1
Cvelist
added 2023/11/14 6:8 p.m., 17 views

CVE-2023-40719

A use of hard-coded credentials vulnerability in Fortinet FortiAnalyzer and FortiManager 7.0.0 - 7.0.8, 7.2.0 - 7.2.3 and 7.4.0 allows an attacker to access Fortinet private testing data via the use of static credentials...

4.1 CVSS, 5.7 AI score, 0.00045 EPSS
Exploits: 0, References: 1
The Hacker News
added 2023/11/14 11:56 a.m., 47 views

The Importance of Continuous Security Monitoring for a Robust Cybersecurity Strategy

In 2023, the global average cost of a data breach reached $4.45 million. Beyond the immediate financial loss, there are long-term consequences like diminished customer trust, weakened brand value, and derailed business operations. In a world where the frequency and cost of data breaches are...

7.2 AI score
Exploits: 0
OSV
added 2023/11/14 11:15 a.m., 2 views

CVE-2023-43504

A vulnerability has been identified in COMOS All versions V10.4.4. Ptmcast executable used for testing cache validation service in affected application is vulnerable to Structured Exception Handler (SEH) based buffer overflow. This could allow an attacker to execute arbitrary code on the target...

9.8 CVSS, 6.4 AI score, 0.00231 EPSS
Exploits: 0, References: 1
Malwarebytes
added 2023/11/13 6:2 a.m., 23 views

Signal is testing usernames so you don’t have to share your phone number

Messaging service Signal is testing support for usernames as a replacement for phone numbers to serve as user identities. Signal provides encrypted instant messaging and is popular among people that value their privacy. Compared to more popular services like WhatsApp, Signal offers more layers of...

7 AI score
Exploits: 0
Rockylinux
added 2023/11/11 11:0 p.m., 67 views

toolbox security update

An update is available for toolbox. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The toolbox container image can be used with Toolbox to obtain Rocky Linux...

7.5 CVSS, 7.3 AI score, 0.9439 EPSS
Exploits: 19
OSV
added 2023/11/11 11:0 p.m., 45 views

RLSA-2023:6077 Moderate: toolbox security update

The toolbox container image can be used with Toolbox to obtain Rocky Linux based containerized command line environments to aid with development and software testing. Toolbox is built on top of Podman and other standard container technologies from OCI. This updates the toolbox image in the Rocky...

7.5 CVSS, 7.9 AI score, 0.9439 EPSS
Exploits: 19, References: 3
Code423n4
added 2023/11/10 12:0 a.m., 12 views

Users of ReraiseCrowdfund will potentially not receive appropriate voting power

Lines of code Vulnerability details Bug Description The recent code update introduces the functionality for authorities to reduce the total voting power by invoking the decreaseTotalVotingPower function of the party. However, this functionality can lead to issues when used in the time frame after...

7 AI score
Exploits: 0
Kitploit
added 2023/11/07 11:30 a.m., 28 views

Dvenom - Tool That Provides An Encryption Wrapper And Loader For Your Shellcode

Double Venom (DVenom) is a tool that helps red teamers bypass AVs by providing an encryption wrapper and loader for your shellcode. Capable of bypassing some well-known antivirus (AVs). Offers multiple encryption methods including RC4, AES256, XOR, and ROT. Produces source code in C, Rust, PowerShell...

7.3 AI score
Exploits: 0, References: 2
RedHat Linux
added 2023/11/07 9:3 a.m., 2 views

kernel: rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state()

A lockdep warning was found in the Linux kernel's RCU subsystem. The rcu_force_quiescent_state() function incorrectly uses __this_cpu_read() in preemptible code context. This macro requires preemption to be disabled, but the code can be called from preemptible context during rcutorture testing, triggering a...

5.8 AI score, 0.0004 EPSS
Exploits: 0, References: 5
RedHat Linux
added 2023/11/07 9:3 a.m., 2 views

kernel: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes

In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes. A bad USB device is able to construct a service connection response message with target endpoint being ENDPOINT0 which is reserved for HTC_CTRL_RSVD_SVC and should not be...

5.5 CVSS, 6.6 AI score, 0.00022 EPSS
Exploits: 0, References: 5
Wallarm Lab
added 2023/11/06 2:0 p.m., 27 views

Testing with OpenAPI Specifications

The 2023 SANS Survey on API Security (Jun-2023) found that less than 50 percent of respondents have API security testing tools in place. Even fewer (29 percent) have API discovery tools. Wallarm delivers both these capabilities via our single, integrated App and API Security platform. Wallarm has lon...

7.5 AI score
Exploits: 0
GithubExploit
added 2023/11/06 9:24 a.m., 255 views

Exploit for Code Injection in Vinchin Vinchin_Backup_And_Recovery

CVE-2024-22899-to-22903-ExploitChain 🛠️🔓 This repository hous...

9.8 CVSS, 9.7 AI score, 0.21203 EPSS
Exploits: 12
GithubExploit
added 2023/11/04 11:45 a.m., 198 views

Exploit for Server-Side Request Forgery in Moodle

CVE-2021-36396 Exploit Description This repository holds a...

9.8 CVSS, 9.3 AI score, 0.23988 EPSS
Exploits: 6
GithubExploit
added 2023/11/04 11:45 a.m., 1126 views

Exploit for SQL Injection in Moodle

CVE-2021-36396 Exploit Description This repository holds a...

9.8 CVSS, 9.3 AI score, 0.23988 EPSS
Exploits: 6
The Hacker News
added 2023/10/31 11:21 a.m., 39 views

PentestPad: Platform for Pentest Teams

In the ever-evolving cybersecurity landscape, the game-changers are those who adapt and innovate swiftly. Pen test solutions not only supercharge productivity but also provide a crucial layer of objectivity, ensuring efficiency and exceptional accuracy. The synergy between a skilled penetration...

6.9 AI score
Exploits: 0