HackRead
added 2024/09/04 11:29 p.m., 10 views

New Supply Chain Attack “Revival Hijack” Risks Massive PyPI Takeovers

JFrog's cybersecurity researchers have identified a new PyPI attack technique called "Revival Hijack," which exploits package deletion policies. Over 22,000 packages are at risk, potentially impacting thousands of users. Stay informed!...

AI score: 7.3
Exploits: 0

OSV
added 2024/09/04 6:03 p.m., 15 views

GHSA-2H46-8GF5-FMXV Timing-Based Username Enumeration Vulnerability in Fides Webserver Authentication

A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy ...

CVSS 5.3, AI score 5.4, EPSS 0.00356
Exploits: 1, References: 2

Github Security Blog
added 2024/09/04 5:38 p.m., 22 views

Nuclei Template Signature Verification Bypass

Summary: A vulnerability has been identified in Nuclei's template signature verification system that could allow an attacker to bypass the signature check and possibly execute malicious code via a custom code template. Affected Component: The vulnerability is present in the template signature...

CVSS 7.8, AI score 7.4, EPSS 0.05611
Exploits: 0, References: 5, Affected software: 1

NVD
added 2024/09/04 4:15 p.m., 11 views

CVE-2024-45052

Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it...

CVSS 5.3, EPSS 0.00356
Exploits: 1, References: 2

Vulnrichment
added 2024/09/04 3:43 p.m., 14 views

CVE-2024-45052 Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability

Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it...

CVSS 5.3, AI score 7.2, EPSS 0.00356
Exploits: 1, References: 2

OSV
added 2024/09/04 3:43 p.m., 21 views

CVE-2024-45052 Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability

Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it...

CVSS 5.3, AI score 6.9, EPSS 0.00356
Exploits: 1, References: 4

OSV
added 2024/09/04 3:15 p.m., 5 views

CVE-2024-8418

A flaw was found in Aardvark-dns, which is vulnerable to a Denial of Service attack due to the serial processing of TCP DNS queries. An attacker can exploit this flaw by keeping a TCP connection open indefinitely, causing the server to become unresponsive and resulting in other DNS queries timing...

CVSS 7.5, AI score 6.4, EPSS 0.00102
Exploits: 1, References: 5

OSV
added 2024/09/03 8:15 p.m., 9 views

CVE-2024-45394 Secret encryption vulnerable to brute-force attacks

Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data were stored encrypted at rest using only AES-256 and the EVP_BytesToKey KDF. Therefore, attackers with a copy of a user's data are able to brute-force the...

CVSS 8.8, AI score 6.6, EPSS 0.00037
Exploits: 0, References: 4

OSV
added 2024/09/03 7:49 p.m., 6 views

GHSA-JFVP-7X6P-H2PV runc can be confused to create empty files/directories on the host

Impact: runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with os.MkdirAll. While this can be used to create empty files,...

CVSS 4.8, AI score 4.3, EPSS 0.0015
Exploits: 0, References: 9

Cvelist
added 2024/09/03 2:48 p.m., 15 views

CVE-2024-7654 Unauthenticated Content Injection in OpenEdge Management web interface via ActiveMQ discovery service

An ActiveMQ Discovery service was reachable by default from an OpenEdge Management installation when an OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface, making it possible for other...

CVSS 8.3, EPSS 0.00138
Exploits: 0, References: 1

CVE
added 2024/09/03 12:00 a.m., 100 views

CVE-2024-45678

The CVE-2024-45678 EUCLEAK issue affects Yubico YubiKey 5 Series firmware < 5.7.0 and YubiHSM 2 firmware

CVSS 4.2, AI score 7.1, EPSS 0.00245
Exploits: 0, References: 6, Affected software: 1

NVD
added 2024/09/02 6:15 p.m., 12 views

CVE-2020-36830

A vulnerability was found in nescalante urlregex up to 0.5.0 and classified as problematic. This issue affects some unknown processing of the file index.js of the component Backtracking. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. The...

CVSS 7.5, EPSS 0.00065
Exploits: 1, References: 5

CVE
added 2024/09/02 4:07 p.m., 113 views

CVE-2024-45388

Hoverfly (Git SpectoLabs) contains a path traversal vulnerability in the /api/v2/simulation POST handler that lets unauthenticated attackers read arbitrary files from the server by supplying a specially crafted bodyFile parameter (e.g., ../../../../etc/passwd). The implementation attempts to join...

CVSS 7.5, AI score 7.2, EPSS 0.93631
In the wild; Exploits: 3, References: 4, Affected software: 1

Redos
added 2024/09/02 12:00 a.m., 12 views

ROS-20240902-19

A vulnerability exists in the phpMyAdmin database administration web application due to a failure to take measures to protect the structure of the web page. Exploitation of the vulnerability could allow a remote attacker to conduct a cross-site scripting (XSS) attack...

CVSS 5.4, AI score 5.8, EPSS 0.09658
Exploits: 0

Packet Storm
added 2024/09/01 12:00 a.m., 216 views

Dolibarr 16 Pre-auth Contact Database Dump

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Dolibarr 16 pre-auth contact database dump', 'Description' = %q Dolibarr version 16 'Vladimir TOUTAIN', 'Nolan LOSSIGNOL-DRILLIEN' , 'License' =...

AI score: 7.4
Exploits: 0

Packet Storm
added 2024/09/01 12:00 a.m., 255 views

Portmapper Amplification Scanner

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Portmapper Amplification Scanner', 'Description' = %q This module can be used to discover Portmapper services which can be used in an amplificati...

CVSS 5, AI score 7.1, EPSS 0.92136
Exploits: 23

Packet Storm
added 2024/08/31 12:00 a.m., 145 views

OpenSSL DTLS ChangeCipherSpec Remote Denial of Service

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'OpenSSL DTLS ChangeCipherSpec Remote DoS', 'Description' = %q This module performs a Denial of Service Attack against Datagram TLS in OpenSSL...

CVSS 5, AI score 7, EPSS 0.47628
Exploits: 9

Packet Storm
added 2024/08/31 12:00 a.m., 171 views

Nexpose XXE Arbitrary File Read

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'nexpose' class MetasploitModule 'Nexpose XXE Arbitrary File Read', 'Description' = %q Nexpose v5.7.2 and prior is vulnerable to a XML External Entity attack via...

AI score: 7.4
Exploits: 0

Packet Storm
added 2024/08/31 12:00 a.m., 407 views

OpenSSL Server-Side ChangeCipherSpec Injection Scanner

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule Msf::Auxiliary include Msf::Exploit::Remote::Tcp include Msf::Auxiliary::Scanner include Msf::Auxiliary::Report CIPHERSUITES = 0xc014,...

CVSS 7.4, AI score 7.5, EPSS 0.89694
Exploits: 9

Github Security Blog
added 2024/08/30 11:36 p.m., 10 views

`exotel` project on PyPI compromised, malicious release made

The exotel project on PyPI was taken over via user account compromise via a phishing attack and a new malicious release made which contained code which some environment variables and downloaded and ran malware at install time...

AI score: 7.3
Exploits: 0, References: 3, Affected software: 1