GitLab: Able to view hackerone reports attachments
Summary Hi team, I accidentally found this bug. While reading one of hackerone public report https://hackerone.com/reports/446238 about gitlab, I found a link posted by gitlab member which is related to internal tracking of the report. I clicked that link...
Japan, France, New Zealand Warn of Sudden Uptick in Emotet Trojan Attacks
Cybersecurity agencies across Asia and Europe have issued multiple security alerts regarding the resurgence of email-based Emotet malware attacks targeting businesses in France, Japan, and New Zealand. "The emails contain malicious attachments or links that the receiver is encouraged to download,...
Vulnerability fixed in Microsoft SQL Server Reporting Services
There is a vulnerability in Microsoft SQL Server Reporting Services (SSRS). The vulnerability exists in the Reporting Service instance due to incorrect validation of attachments to reports. If successfully exploited, the vulnerability enables an authenticated malicious person to add unauthoriz...
IBM Engineering Test Management Information Disclosure Vulnerability
IBM Engineering Test Management is a collaborative, Web-based quality management solution that provides end-to-end test planning and test asset management. A security vulnerability exists in IBM Engineering Test Management version 7.0.0. An attacker could exploit this vulnerability by sending a...
China-based APT Debuts Sepulcher Malware in Spear-Phishing Attacks
A China-based APT has been sending organizations spear-phishing emails that distribute a never-before-seen intelligence-collecting RAT dubbed Sepulcher. Researchers discovered the new malware being distributed over the past six months through two separate campaigns. The first, in March, targeted...
Malicious Attachments Remain a Cybercriminal Threat Vector Favorite
While attachment threat vectors are one of the oldest malware-spreading tricks in the books, email users are still clicking on malicious attachments that hit their inbox, whether it’s a purported “job offer” or a pretend “critical invoice.” The reason why threat actors are still relying on this...
openSUSE Security Update : MozillaThunderbird (openSUSE-2020-1205)
This update for MozillaThunderbird fixes the following issues: - Updated to Mozilla Thunderbird 68.11: - Fixed various security issues MFSA-2020-35, bsc1174538. - Fixed CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker bsc1174538. - Fixed CVE-2020-6514: WebRTC...
Information disclosure
An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users. To exploit this vulnerability, an...
Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails
Summary The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website that th...
CactusPete APT group’s updated Bisonal backdoor
CactusPete (also known as Karma Panda or Tonto Team) is an APT group that has been publicly known since at least 2013. Some of the group's activities have been previously described in public by multiple sources. We have been investigating and privately reporting on this group's activity for years as...
OPENSUSE-SU-2020:1179-1 Security update for MozillaThunderbird
This update for MozillaThunderbird fixes the following issues: - Updated to Mozilla Thunderbird 68.11: Fixed various security issues MFSA-2020-35, bsc1174538. Fixed CVE-2020-15652: Potential leak of redirect targets when loading scripts in a worker bsc1174538. Fixed CVE-2020-6514: WebRTC data...
CVE-2020-11879
An issue was discovered in GNOME Evolution before 3.35.91. By using the proprietary non-RFC6068 "mailto?attach=..." parameter, a website or other source of mailto links can make Evolution attach local files or directories to a composed email message without showing a warning to the user, as...
CVE-2020-4410
IBM Jazz Foundation and IBM Engineering products could allow an authenticated user to send a specially crafted HTTP GET request to read attachments on the server that they should not have access to. IBM X-Force ID: 179539...
Design/Logic Flaw
IBM Jazz Foundation and IBM Engineering products could allow an authenticated user to send a specially crafted HTTP GET request to read attachments on the server that they should not have access to. IBM X-Force ID: 179539...
CVE-2020-4410
CVE-2020-4410 affects IBM Jazz Foundation and IBM Engineering products, enabling an authenticated user to read attachments they should not access via a specially crafted HTTP GET request. Public details from IBM bulletin and CNVD corroborate an information-disclosure flaw in IBM Engineering Test ...
Debian DLA-2306-1 : libphp-phpmailer security update
It was discovered that there was an escaping issue in libphp-phpmailer, an email generation utility class for the PHP programming language. The Content-Type and Content-Disposition headers could have permitted file attachments that bypassed attachment filters which match on filename extensions. F...
Debian: Security Advisory (DLA-2306-1)
The remote host is missing an update for Debian. SPDX-FileCopyrightText: 2020 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Critical Security Flaw in WordPress Plugin Allows RCE
Researchers are warning of a critical vulnerability in a WordPress plugin called Comments – wpDiscuz, which is installed on more than 70,000 websites. The flaw gives unauthenticated attackers the ability to upload arbitrary files including PHP files and ultimately execute remote code on vulnerabl...