Malwarebytes
added 2023/02/14 6:00 a.m., 69 views

New ESXiArgs encryption routine outmaneuvers recovery methods

In what seems to be a typical arms race where one side responds to counter the progress the other side has made, the ransomware group behind the massive attack on ESXi virtual machines (VMs) has come up with a new variant that can no longer be decrypted with the recovery script released by the...

CVSS 5.8, AI score 0.1, EPSS 0.47795
Exploits: 7
Microsoft CVE
added 2023/02/13 8:00 a.m., 2 views

hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks.

...

CVSS 7.5, AI score 6.6, EPSS 0.01797
Exploits: 0
OSSF Malicious Packages
added 2023/02/11 12:48 p.m., 6 views

Malicious code in beatuifulsoup (PyPI)

Source: checkmarx 72ba369b5a85adbffd6e9f932e5386dfc0589fb06d1df90d9a67ac8b6ae723a9. Attacker distributed 900+ malicious packages via PyPI, infecting local browsers with a malicious extension to manipulate the clipboard and replace crypto wallet...

AI score 6.7
Exploits: 0, References: 1
OSSF Malicious Packages
added 2023/02/10 8:27 p.m., 5 views

Malicious code in pyagme (PyPI)

Source: checkmarx a9006373fe83e8c38a485abef06917a70996e85da2b5f4b697ae539ffc1f0075. Attacker distributed 900+ malicious packages via PyPI, infecting local browsers with a malicious extension to manipulate the clipboard and replace crypto wallet...

AI score 6.7
Exploits: 0, References: 1
IBM Security Bulletins
added 2023/02/10 2:18 a.m., 36 views

Security Bulletin: Vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2022-3676)

Summary: There is a vulnerability in IBM® Runtime Environment Java™ Version 7 & 8 used by SPSS Collaboration and Deployment Services. This issue has been addressed. Vulnerability Details: CVEID: CVE-2022-3676. DESCRIPTION: Eclipse OpenJ9 could allow a remote attacker to bypass security restrictions,...

CVSS 6.5, AI score 6.6, EPSS 0.00589
Exploits: 0, Affected Software: 1
NVD
added 2023/02/09 8:15 p.m., 21 views

CVE-2022-44570

A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with...

CVSS 7.5, AI score 8.4, EPSS 0.01626
Exploits: 0, References: 3
NVD
added 2023/02/09 8:15 p.m., 23 views

CVE-2022-44572

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to craft input that can cause RFC 2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of servi...

CVSS 7.5, AI score 8.4, EPSS 0.01617
Exploits: 0, References: 3
Prion
added 2023/02/09 8:15 p.m., 24 views

Denial of service

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to craft input that can cause RFC 2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of servi...

CVSS 5, AI score 7.2, EPSS 0.01617
Exploits: 0, References: 3, Affected Software: 1
OSSF Malicious Packages
added 2023/02/09 6:24 p.m., 2 views

Malicious code in ccx (PyPI)

Source: checkmarx 4b65e79327daa2cc5ec5b36d4f94dde43607d8cb595f276122659ef69d86a25a. Attacker distributed 900+ malicious packages via PyPI, infecting local browsers with a malicious extension to manipulate the clipboard and replace crypto wallet...

AI score 6.7
Exploits: 0, References: 1
CVE
added 2023/02/09 12:00 a.m., 304 views

CVE-2022-44571

CVE-2022-44571 describes a denial-of-service in Rack's Content-Disposition parsing, impacting applications that parse multipart posts (virtually all Rails apps). The issue can be triggered by crafted input causing extended parsing time. Fixed in Rack versions 2.0.9.2, 2.1.4.2, 2.2.4.1, and 3.0.0....

CVSS 7.5, AI score 7.2, EPSS 0.01503
Exploits: 0, References: 3, Affected Software: 1
WPVulnDB
added 2023/02/08 12:00 a.m., 19 views

Replyable < 2.2.10 - Subscriber+ PHP Object Injection

The plugin does not validate the class name submitted by the request when instantiating an object in the promptdismissnotice action and also lacks a CSRF check in the related action. This could allow any authenticated user, such as a subscriber, to perform Object Injection attacks. The attack could...

CVSS 8.8, AI score 8.6, EPSS 0.00511
Exploits: 2, Affected Software: 1
CNNVD
added 2023/02/08 12:00 a.m., 6 views

Future-Depth Institutional Management Website Code Problem Vulnerability

Future-Depth Institutional Management Website is a user-friendly institutional website from the individual developers at Future-Depth that offers various types of courses for students. A security vulnerability exists in Future-Depth Institutional Management Website IMS version 1.0. An attacker...

CVSS 9.8, AI score 8.5, EPSS 0.00872
Exploits: 1, References: 2
OSV
added 2023/02/03 11:04 a.m., 7 views

OESA-2023-1057 batik security update

Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup, that lets you write your template directly as a CoffeeScript function. Security Fixes: A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache...

CVSS 7.5, AI score 9.1, EPSS 0.0232
Exploits: 0, References: 3
OSV
added 2023/02/03 11:04 a.m., 2 views

OESA-2023-1050 batik security update

Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup, that lets you write your template directly as a CoffeeScript function. Security Fixes: A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache...

CVSS 7.5, AI score 9.1, EPSS 0.0232
Exploits: 0, References: 3
OSV
added 2023/02/03 11:04 a.m., 2 views

OESA-2023-1051 batik security update

Batik is an inline templating engine for CoffeeScript, inspired by CoffeeKup, that lets you write your template directly as a CoffeeScript function. Security Fixes: A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache...

CVSS 7.5, AI score 9.1, EPSS 0.0232
Exploits: 0, References: 3
IBM Security Bulletins
added 2023/02/02 5:32 p.m., 34 views

Security Bulletin: IBM Aspera Orchestrator affected by Apache HTTP Server vulnerability (CVE-2022-30556)

Summary: The following vulnerability has been addressed in IBM Aspera Orchestrator 4.0.1. Vulnerability Details: CVEID: CVE-2022-30556. DESCRIPTION: Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an error in mod_lua with websockets. An attacker could exploi...

CVSS 7.5, AI score 8.4, EPSS 0.04687
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2023/02/02 5:31 p.m., 38 views

Security Bulletin: IBM Aspera Orchestrator affected by denial of service vulnerability (CVE-2021-36160)

Summary: The following vulnerability has been addressed in IBM Aspera Orchestrator 4.0.1. Vulnerability Details: CVEID: CVE-2021-36160. DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by an out-of-bounds read in mod_proxy_uwsgi. By sending a specially crafted request...

CVSS 7.5, AI score 8.4, EPSS 0.62887
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2023/02/02 5:25 p.m., 76 views

Security Bulletin: IBM Aspera Orchestrator affected by OpenSSL vulnerability (CVE-2022-2068)

Summary: Aspera Orchestrator has addressed the following vulnerability. Vulnerability Details: CVEID: CVE-2022-2068. DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the c_rehash script. By sending a...

CVSS 10, AI score 9.8, EPSS 0.95764
Exploits: 1, Affected Software: 1
The Hacker News
added 2023/02/01 1:56 p.m., 32 views

Experts Warn of 'Ice Breaker' Cyberattacks Targeting Gaming and Gambling Industry

A new attack campaign has been targeting the gaming and gambling sectors since at least September 2022, just as the ICE London 2023 gaming industry trade fair event is scheduled to kick off next week. Israeli cybersecurity company Security Joes is tracking the activity cluster under the name Ice...

AI score 1
Exploits: 0
AlpineLinux
added 2023/02/01 12:00 a.m., 49 views

CVE-2023-23969

In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service vector via excessive memory usage if the raw value of Accept-Language headers is very larg...

CVSS 7.5, AI score 7.5, EPSS 0.47102
Exploits: 0