Trello: XML entity expansion using svg file
Hope you guys are doing great. I want to report an XML entity expansion bug while uploading an SVG file. When adding a card in boards, it also allows uploading attachments, which can include SVG files. Users or admins can then download those attachments, but the problem is that when an SVG file is uploaded, the websit...
CVE-2017-8899
Invision Power Services IPS Community Suite 4.1.19.2 and earlier has a composite of Stored XSS and Information Disclosure issues in the attachments feature found in User CP. This can be triggered by any Invision Power Board user and can be used to gain access to moderator/admin accounts. The...
Debian DSA-3846-1 : libytnef - security update
Several issues were discovered in libytnef, a library used to decode application/ms-tnef e-mail attachments. Multiple heap overflows, out-of-bound writes and reads, NULL pointer dereferences and infinite loops could be exploited by tricking a user into opening a maliciously crafted winmail.dat...
PT-2017-2152 · Microsoft · Office
Name of the Vulnerable Software and Affected Versions: Microsoft Office (affected versions not specified). Description: The issue is related to the improper handling of data in Microsoft Office, which can be exploited by a remote attacker to execute arbitrary code. The exploitation can occur when a...
[SECURITY] Fedora 26 Update: tnef-1.4.14-2.fc26
This application provides a way to unpack Microsoft MS-TNEF MIME attachments. It operates like tar in order to unpack files of type "application/ms-tnef", which may have been placed into the MS-TNEF attachment instead of being attached separately. Such files may have attachment names similar to...
Dridex and Locky Return Via PDF Attachments in Latest Campaigns
Dridex and Locky, two prolific malware families that made waves in 2016 after being distributed in several high-volume spam campaigns, have returned after a brief hiatus. FireEye observed a decline in the volume of Dridex and Locky in the latter half of 2016, but we recently observed two new larg...
CVE-2017-8778
GitLab before 8.14.9, 8.15.x before 8.15.6, and 8.16.x before 8.16.5 has XSS via a SCRIPT element in an issue attachment or avatar that is an SVG document...
Google Docs Phishing Campaign
US-CERT is aware of a phishing campaign that affected Google Docs users. The campaign used spoofed email addresses to target users with emails purporting to share a document for collaboration. Once the targeted users accepted invitations, they were encouraged to allow the phishing program access ...
Locky Ransomware Roars Back to Life Via Necurs Botnet
Cybercriminals behind the Locky ransomware and Necurs botnet are back in business. Last Friday researchers spotted both delivering nearly 35,000 emails in just a few hours, the first major Locky campaign researchers have seen in months, according to Cisco Talos. Researchers warn the latest Locky...
Combating a spate of Java malware with machine learning in real-time
In recent weeks, we have seen a surge in emails carrying fresh malicious Java .jar malware that use new techniques to evade antivirus protection. But with our research team’s automated expert systems and machine learning models, Windows 10 PCs get real-time protection against these latest threats...
Trello: Malicious file can be hidden as Card Attachment or Card Cover image
You can upload infected jpeg files to a card. If a user clicks on the attachment image, the infected file will get downloaded instead of showing the image. On opening it, any sort of system calls can be run on the victim. Steps to Reproduce: 1. Navigate to https://trello.com/ 2. Click on the Tutoria...
Microsoft Outlook CVE-2017-0106 Remote Code Execution Vulnerability
Description: Microsoft Outlook is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code in the context of an affected system. Failed exploit attempts may result in a denial of service condition; this can result in the attacker gaining complete...
Easter Holiday Phishing Scams and Malware Campaigns
As the Easter holiday approaches, US-CERT reminds users to stay aware of holiday scams and cyber campaigns, which may include: unsolicited shipping notifications that may actually be scams by attackers to solicit personal information, phishing scams, electronic greeting cards that may contain...
MantisBT Cross-Site Scripting Vulnerability (CNVD-2017-04628)
MantisBT is an open-source issue management system developed in PHP and commonly used for internal collaboration within corporate teams. A cross-site scripting vulnerability exists in the moveattachmentspage.php page in MantisBT 1.2.16 and later versions, which can be exploited to inject script o...
GitHub Repository Owners Targeted by Data-Stealing Malware
Phishing emails zeroing in on developers who own GitHub repositories were infecting victims with malware capable of stealing data through keyloggers and modules that would snag screenshots. Researchers at Palo Alto Networks this week said that in mid-January, an unknown number of developers were...
[SECURITY] [DSA 3798-2] tnef regression update
Debian Security Advisory DSA-3798-2, [email protected], https://www.debian.org/security/, Sebastien Delafond, March 29, 2017, https://www.debian.org/security/faq ...