Veracode
added 2019/05/02 4:42 a.m., 25 views

Memory Corruption

Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. CVE-2012-1970,...

CVSS 10, AI score 9.6, EPSS 0.07762
Exploits 2, References 18, Affected software 3
Wallarm Lab
added 2019/04/30 8:29 p.m., 66 views

Is your org structure threatening your IT security infrastructure?

5 Tips to Solve API Security Issues in Any IT Security Infrastructure. Start listening: integrating isn't enough if your teams aren't talking. In a hyper-competitive environment, keeping up with customer usability demands often means adopting a hyper-agile development process. It's a dangerous...

AI score 7.5
Exploits 0
Joomla! Vulnerable Extensions List
added 2019/04/29 12:00 a.m., 90 views

[20190501] - Core - XSS in com_users ACL debug views

The debug views of com_users do not properly escape user-supplied data, which leads to a potential XSS attack vector...

CVSS 6.1, AI score 2.8, EPSS 0.00793
Exploits 0, Affected software 1
CVE
added 2019/04/25 6:18 p.m., 46 views

CVE-2019-9669

The documents describe CVE-2019-9669 as affecting Wordfence WordPress plugin version 7.2.3, indicating a potential XSS via a unique attack vector. The root discussion notes that firewall rules are hosted separately and pushed to the plugin, and that bypassing a WAF rule may not constitute a softw...

CVSS 6.1, AI score 5.9, EPSS 0.01013
Exploits 1, References 1, Affected software 1
Cvelist
added 2019/04/23 6:16 p.m., 25 views

CVE-2019-2516

Vulnerability in the Portable Clusterware component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18c. Easily exploitable vulnerability allows high privileged attacker having Grid Infrastructure User privilege with logon to the infrastructure...

AI score 8.3, EPSS 0.00421
Exploits 0, References 1
OSV
added 2019/04/21 2:29 a.m., 2 views

UBUNTU-CVE-2019-11391

DISPUTED. An issue was discovered in OWASP ModSecurity Core Rule Set (CRS) through 3.1.0. /rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf allows remote attackers to cause a denial of service (ReDoS) by entering a specially crafted string with $a at the beginning and nested repetition operators. NOTE: t...

CVSS 5.3, AI score 5.8, EPSS 0.01625
Exploits 1, References 3
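The entry above attributes the denial of service to nested repetition operators in a rule's regex. The following added example (written for this page, not taken from the CRS rule set; the patterns and the payload are constructed stand-ins, not the actual REQUEST-933 expression) shows why a nested repetition is dangerous on a backtracking engine such as PCRE or Python's re, and includes a small heuristic lint that flags quantified groups containing quantifiers, which is the first screen one would run over a rule set before tuning it.

```python
import re
import time

# Constructed patterns for illustration; neither is the CRS rule's actual regex.
# NESTED repeats a group that itself repeats, so on a non-matching input of n
# 'a's the engine tries roughly every way of splitting the run into groups
# (about 2**n attempts) before failing. FLAT accepts the same strings with a
# single level of repetition and fails after one pass.
NESTED_PATTERN = re.compile(r"^\$(a+)+$")
FLAT_PATTERN = re.compile(r"^\$a+$")


def redos_payload(n: int) -> str:
    """Constructed attacker input: '$a...a' followed by a character that
    forces the match to fail, so all of the backtracking is exhausted."""
    return "$" + "a" * n + "!"


def timed_match(pattern, text: str) -> tuple:
    """Return (matched, seconds) for pattern.match(text)."""
    start = time.perf_counter()
    matched = pattern.match(text) is not None
    return matched, time.perf_counter() - start


def compare(n: int = 18) -> dict:
    """Match both patterns on the same payload and return the measurements.
    Each extra 'a' roughly doubles the nested pattern's time; the flat one
    stays in the microseconds."""
    payload = redos_payload(n)
    nested_hit, nested_s = timed_match(NESTED_PATTERN, payload)
    flat_hit, flat_s = timed_match(FLAT_PATTERN, payload)
    return {"n": n, "nested_matched": nested_hit, "flat_matched": flat_hit,
            "nested_seconds": nested_s, "flat_seconds": flat_s}


def has_nested_quantifier(pattern: str) -> bool:
    """Heuristic lint for rule sets: True if a quantified group contains a
    quantifier (directly or through an inner quantified group). Escapes and
    character classes are skipped and '(?...)' group prefixes are not treated
    as quantifiers. It is a screen, not a proof: a flagged pattern deserves a
    look, and an unflagged one can still backtrack badly (e.g. overlapping
    alternation)."""
    stack = []            # one flag per open group: quantifier seen inside?
    in_class = False
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\":                       # escaped char is never syntax
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == "(":
            stack.append(False)
            if i + 1 < n and pattern[i + 1] == "?":   # (?:  (?=  (?P<  (?i) ...
                i += 1
                while i + 1 < n and pattern[i + 1] in "P<>=!:imsxauL-":
                    i += 1
        elif c == ")":
            inner = stack.pop() if stack else False
            quantified = i + 1 < n and pattern[i + 1] in "*+?{"
            if quantified and inner:
                return True
            if stack and (inner or quantified):
                stack[-1] = True            # the parent now contains a quantifier
        elif c in "*+?{" and stack:
            stack[-1] = True
        i += 1
    return False


if __name__ == "__main__":
    print(compare(18))
    for p in (NESTED_PATTERN.pattern, FLAT_PATTERN.pattern, r"(\w+\s?)+$"):
        print(f"{p!r}: nested quantifier = {has_nested_quantifier(p)}")
```

The lint is deliberately conservative about what counts as a quantifier (`{` is always treated as one), because for a WAF rule set a false positive costs a minute of review while a missed pattern costs an outage.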
CNVD
added 2019/04/16 12:00 a.m., 1 view

WPA Authorization Issues Vulnerabilities

WPA (Wi-Fi Protected Access) is a set of Wi-Fi access protection schemes from the Wi-Fi Alliance, including security protocols and authentication procedures. There is a security vulnerability in an implementation of WPA. An attacker can exploit the vulnerability to gain access to sensitive information...

CVSS 8.1, AI score 9.4, EPSS 0.05372
Exploits 0, References 1
myhack58
added 2019/04/16 12:00 a.m., 158 views

.NET Advanced Code Audit, Part 9: BinaryFormatter Deserialization Vulnerability (vulnerability warning, Black Bar Safety Net)

The BinaryFormatter and SoapFormatter classes differ in the format of the data stream they produce; their other features are roughly the same. BinaryFormatter is located in the namespace System.Runtime.Serialization.Formatters.Binary and directly uses a binary representation of the obje...

AI score 2.1
Exploits 0
myhack58
added 2019/04/11 12:00 a.m., 419 views

.NET Advanced Code Audit, Part 6: DataContractSerializer Deserialization Vulnerability (vulnerability warning, Black Bar Safety Net)

The DataContractSerializer class is used for serialization and deserialization of the data sent in Windows Communication Foundation (WCF) messages: it serializes CLR data types into an XML stream. It is located in the namespace System.Runtime.Serialization and inherits from the System...

AI score 0.7
Exploits 0
OSV
added 2019/04/09 5:29 p.m., 2 views

CVE-2018-19589

Incorrect access controls for the Security Officer (SO) in the PKCS11 R2 provider that ships with the Utimaco CryptoServer HSM product package allow an SO authenticated to a slot to retrieve attributes of keys marked as private keys in external key storage, and also to delete keys marked as private keys in...

CVSS 6.5, AI score 5.7, EPSS 0.00675
Exploits 1, References 2
OSV
added 2019/04/08 7:29 p.m., 1 view

UBUNTU-CVE-2019-11005

In GraphicsMagick 1.4 snapshot-20190322 Q8, there is a stack-based buffer overflow in the function SVGStartElement of coders/svg.c, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a quoted font family value...

CVSS 9.8, AI score 7.2, EPSS 0.03532
Exploits 1, References 5
ossfuzz
added 2019/04/06 11:52 a.m., 18 views

libreoffice/slkfuzzer: Heap-buffer-overflow in std::__1::vector<mdds::multi_type_vector<mdds::mtv::custom_block_func3<mdds::mtv

Project: git://anongit.freedesktop.org/libreoffice/core
Detailed report: https://oss-fuzz.com/testcase?key=5754291572178944
Project: libreoffice
Fuzzer: libFuzzer_libreoffice_slkfuzzer
Fuzz target binary: slkfuzzer
Job Type: libfuzzer_asan_libreoffice
Platform Id: linux
Crash Type: Heap-buffer-overfl...

AI score 6.8
Exploits 0, Affected software 1
Positive Technologies
added 2019/04/04 12:00 a.m., 4 views

PT-2019-11695 · Jenkins · Jenkins Kmap Plugin

Name of the Vulnerable Software and Affected Versions: Jenkins Kmap Plugin, affected versions not specified. Description: A missing permission check in the KmapJenkinsBuilder.DescriptorImpl form validation methods of the Jenkins Kmap Plugin allows attackers with Overall/Read permission to initiate ...

CVSS 6.5, AI score 6.2, EPSS 0.01486
Exploits 0, References 5
BDU FSTEC
added 2019/04/04 12:00 a.m., 1 view

A vulnerability in the library for processing and transforming HTML/XML code fragments, called Ruby Loofah, arises due to improper handling of input during web page generation. This vulnerability allows attackers to inject arbitrary JavaScript code.

The vulnerability in the Ruby Loofah library for processing and transforming HTML/XML code fragments is related to insufficient sanitization of JavaScript inside SVG elements. Exploiting this vulnerability allows a remote attacker to inject arbitrary JavaScript code...

CVSS 5.4, AI score 6.5, EPSS 0.00915
Exploits 0, References 5, Affected software 2
Positive Technologies
added 2019/04/04 12:00 a.m., 4 views

PT-2019-11381 · Jenkins · Jenkins Soasta Cloudtest Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins SOASTA CloudTest Plugin, affected versions not specified. Description: A missing permission check in the CloudTestServer.DescriptorImpl.doValidate form validation method allows attackers with Overall/Read permission to initiate a...

CVSS 6.5, AI score 6.2, EPSS 0.01486
Exploits 0, References 5
ThreatPost
added 2019/04/02 3:48 p.m., 93 views

Mobile-First Phishing Kit Targets Verizon Customers

As people increasingly go mobile-first in their work and personal lives, cybercrime is keeping up: The latest is a phishing kit that specifically targets Verizon Wireless customers in the U.S. According to Jeremy Richards, a researcher at Lookout Security, the kit pushes phishing links to users v...

AI score 1
Exploits 0, References 8
Tenable Nessus
added 2019/04/02 12:00 a.m., 34 views

EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1149)

According to the version of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC...

CVSS 9.8, AI score 7.3, EPSS 0.08811
Exploits 0, References 2
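The Python issue in the entry above is that a parser which splits the URL first and one which NFKC-normalizes first (as IDNA handling of the hostname does) can disagree about where the authority ends, because some Unicode characters normalize into URL delimiters. The added example below is written for this page and is not CPython's code; it keeps its own minimal authority extraction so that it runs the same way whether or not the installed Python already rejects such URLs, and the `netloc_normalizes_unsafely` check follows the same idea CPython's fix used (ignore delimiters that were already present, reject any that normalization introduces). The sample URLs are constructed; `bing.com` and `example.com` stand in for any two hosts.

```python
import unicodedata

URL_DELIMITERS = "/?#@:"


def naive_netloc(url: str) -> str:
    """Authority part as a split-first parser takes it: everything after
    '://' up to the first '/', '?' or '#'. Local copy so the example does not
    depend on whether the running Python's urlsplit already rejects the input."""
    _, sep, rest = url.partition("://")
    if not sep:
        return ""
    end = len(rest)
    for d in "/?#":
        pos = rest.find(d)
        if pos != -1 and pos < end:
            end = pos
    return rest[:end]


def host_of(netloc: str) -> str:
    """Host from a netloc: drop userinfo (up to the last '@') and the port."""
    return netloc.rpartition("@")[2].partition(":")[0]


def host_two_ways(url: str) -> tuple:
    """(host seen by a parser that splits first,
        host seen by a parser that NFKC-normalizes first).
    When the two differ, cookies or credentials keyed on one host can end
    up being sent to the other."""
    split_first = host_of(naive_netloc(url))
    normalize_first = host_of(naive_netloc(unicodedata.normalize("NFKC", url)))
    return split_first, normalize_first


def netloc_normalizes_unsafely(netloc: str) -> bool:
    """True if NFKC normalization introduces a delimiter into the netloc that
    was not there before. Delimiters already present are ignored: they were
    seen as delimiters by the split-first parser too, so they cause no
    disagreement. Pure-ASCII netlocs cannot change under NFKC."""
    if not netloc or netloc.isascii():
        return False
    stripped = netloc
    for d in "@:#?":
        stripped = stripped.replace(d, "")
    normalized = unicodedata.normalize("NFKC", stripped)
    if normalized == stripped:
        return False
    return any(d in normalized for d in URL_DELIMITERS)


def checked_netloc(url: str) -> str:
    """Authority extraction that refuses ambiguous netlocs instead of
    handing back something two consumers will read differently."""
    netloc = naive_netloc(url)
    if netloc_normalizes_unsafely(netloc):
        raise ValueError(
            f"netloc {netloc!r} contains invalid characters under NFKC normalization")
    return netloc


if __name__ == "__main__":
    # U+FF03 FULLWIDTH NUMBER SIGN normalizes to '#', so the authority is cut
    # short after normalization and the host changes.
    hostile = "https://example.com\uff03@bing.com"
    print(host_two_ways(hostile))          # ('bing.com', 'example.com')
    try:
        checked_netloc(hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting is the right response: the URL has no single correct interpretation, so "fixing" it in one direction just picks which consumer gets lied to.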
ThreatPost
added 2019/04/01 5:45 p.m., 66 views

Google Warns of Growing Android Attack Vector: Backdoored SDKs and Pre-Installed Apps

Google is reporting an uptick in efforts by bad actors to plant potentially harmful applications (PHAs) on Android devices via pre-installed apps and by bundling them with system updates delivered over the air. The technique is especially troubling, Google said, because PHAs are often malicious and...

AI score 0.2
Exploits 0, References 3
Positive Technologies
added 2019/03/28 12:00 a.m., 3 views

PT-2019-4931 · Imagemagick +1 · Imagemagick +1

Name of the Vulnerable Software and Affected Versions: ImageMagick version 7.0.8-36 Q16. Description: The issue is related to a memory leak in the SVGKeyValuePairs function of coders/svg.c, which can be exploited by an attacker to cause a denial of service via a crafted image file. This is due to...

CVSS 9.8, AI score 6.3, EPSS 0.49324
Exploits 49, References 200
Prion
added 2019/03/15 4:29 p.m., 10 views

Design/Logic Flaw

Cobham Satcom Sailor 250 and 500 devices before 1.25 contained an unauthenticated password reset vulnerability. This could allow modification of any user account's password including the default "admin" account, without prior knowledge of their password. All that is required is knowledge of the...

CVSS 5, AI score 9.6, EPSS 0.01408
Exploits 1, References 2, Affected software 2
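The flaw above is a design one: the reset endpoint accepts an account name and a new password and requires no proof that the caller owns the account. The added example below is a constructed, in-memory illustration written for this page (it is not the device's firmware or code from the advisory) that puts the vulnerable handler beside two acceptable flows: an authenticated change that demands the current password, and an out-of-band reset that needs a single-use, expiring token bound to the account. The token delivery channel (e-mail, serial console) is assumed and represented by simply returning the token to the caller.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000       # assumption for the example; tune to the hardware
TOKEN_TTL_SECONDS = 15 * 60   # reset tokens die after 15 minutes


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    """In-memory stand-in for the device's account database (constructed)."""

    def __init__(self):
        self._users = {}          # username -> (salt, pbkdf2 digest)
        self._reset_tokens = {}   # sha256(token) -> (username, expires_at)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def check_login(self, username: str, password: str) -> bool:
        rec = self._users.get(username)
        if rec is None:
            _hash(password, b"\x00" * 16)   # same cost as a real check: no username oracle
            return False
        salt, digest = rec
        return hmac.compare_digest(_hash(password, salt), digest)

    # --- the flaw described in the entry -----------------------------------
    def reset_password_unauthenticated(self, username: str, new_password: str) -> bool:
        """Anyone who knows a username (the default "admin" will do) can set
        its password. Nothing here ties the caller to the account."""
        if username not in self._users:
            return False
        self.add_user(username, new_password)
        return True

    # --- hardened flows -----------------------------------------------------
    def change_password(self, username: str, current_password: str, new_password: str) -> bool:
        """Logged-in change: the caller must prove knowledge of the current password."""
        if not self.check_login(username, current_password):
            return False
        self.add_user(username, new_password)
        return True

    def issue_reset_token(self, username: str) -> str:
        """Out-of-band reset, step 1. The token goes only to a channel the account
        owner controls (e-mail, console); returning it here stands in for that
        channel. Only its hash is stored, so reading the database does not yield
        usable tokens. Unknown users still get a (useless) token so the response
        does not reveal which accounts exist."""
        token = secrets.token_urlsafe(32)
        if username in self._users:
            key = hashlib.sha256(token.encode()).digest()
            self._reset_tokens[key] = (username, time.time() + TOKEN_TTL_SECONDS)
        return token

    def reset_with_token(self, username: str, token: str, new_password: str) -> bool:
        """Out-of-band reset, step 2: single use, time-limited, bound to one account."""
        key = hashlib.sha256(token.encode()).digest()
        entry = self._reset_tokens.pop(key, None)     # consumed even if the rest fails
        if entry is None:
            return False
        bound_user, expires_at = entry
        if time.time() > expires_at:
            return False
        if not hmac.compare_digest(bound_user.encode(), username.encode()):
            return False
        self.add_user(username, new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.add_user("admin", "factory-default")
    print("unauthenticated reset accepted:", store.reset_password_unauthenticated("admin", "owned"))
    print("login with attacker's password:", store.check_login("admin", "owned"))
    token = store.issue_reset_token("admin")
    print("token reset:", store.reset_with_token("admin", token, "recovered"))
    print("token replay:", store.reset_with_token("admin", token, "again"))
```

The binding to a username and the single-use pop are the two checks most often missing in embedded password reset handlers: without the first, a token issued for a low-privilege account resets `admin`; without the second, a token that leaks from a log is good forever.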