Deserialization Of Untrusted Data

php-dompdf is vulnerable to Deserialization of Untrusted Data. The library is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the filegetcontents function. If an attacker can upload files of any type to the server, they can pass in the phar://...

Monetising hacking by shorting commodity shipments

I’m continually asked by the maritime industry about the motivations of hackers. “Why would anyone hack us, we operate ships?” It strikes me that many of the public and a lot of maritime businesses still think of the ‘hacker’ as a solo operator in a dark hoodie in a basement of their parents’...

An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the "chained" HTTP compression algorithms meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this "decompression chain" wascapped but the cap was implemented on a per-header basis allowing a maliciousserver to insert a virtually unlimited number of compression steps simply byusing many headers. The use of such a decompression chain could result in a "malloc bomb" making curl end up spending enormous amounts of allocated heap memory or trying to and returning out of memory errors.

...

AZL-34602 CVE-2023-23916 affecting package cmake for versions less than 3.28.2-1

An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...

DEBIAN-CVE-2023-23916

An allocation of resources without limits or throttling vulnerability exists in curl v7.88.0 based on the "chained" HTTP compression algorithms, meaning that a server response can be compressed multiple times and potentially with differentalgorithms. The number of acceptable "links" in this...

Amazon Linux 2 : thunderbird (ALAS-2023-1945)

The version of thunderbird installed on the remote host is prior to 68.10.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-1945 advisory. The Mozilla Foundation Security Advisory describes this flaw as: Due to confusion about ValueTags on JavaScript...

SUSE CVE-2018-17469

Incorrect handling of PDF filter chains in PDFium in Google Chrome prior to 70.0.3538.67 allowed a remote attacker to perform an out of bounds memory read via a crafted PDF file...

SUSE CVE-2022-32206

curl 7.84.0 supports "chained" HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable "links" in this "decompression chain" was unbounded, allowing a malicious server to insert a virtually...

CVE-2023-0159

The Extensive VC Addons for WPBakery page builder WordPress plugin before 1.9.1 does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may ...

Apache Kafka Connect vulnerable to Deserialization of Untrusted Data

A possible security vulnerability has been identified in Apache Kafka Connect API. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka...

CVE-2023-25194

A possible security vulnerability has been identified in Apache Kafka Connect API. This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config and a SASL-based security protocol, which has been possible on Kafka...

Signature replay attacks possible if deployed on multiple chains

Lines of code Vulnerability details Caller.callSigned operates using an EIP-712 signature which verifies the signed data to be used in a call on behalf of the signer. The problem with this method lies in the fact that it doesn't specify the chain ID, and thus if the contract is ever deployed to...

New Wave of Cyberattacks Targeting MS Exchange Servers

By Waqas Cybercriminals are leveraging two exploit chains ProxyNotShell/OWASSRF to target Microsoft Exchange servers, as warned by Bitdefender Labs. This is a post from HackRead.com Read the original post: New Wave of Cyberattacks Targeting MS Exchange Servers...

Introducing Proactive API Leak Management

Read the press release announcing the early release of Wallarm API Leak Management The recent surge in hacks involving leaked API Keys and other API secrets such as credentials, passwords, certificates, tokens and encryption keys has put everyone involved on notice – organizations need a way to...

Why Data Hygiene is Key to Industrial Cybersecurity

How can highly distributed organizations with complex, integrated supply chains defend against cyber threats? By practicing good data hygiene based on zero-trust principles...

Ducktail Malware Operation Evolves with New Malicious Capabilities

The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign. "The malware is designed to steal browser cookies and take advantage of authenticated Facebook session...

Trust Wallet Launches Browser Extension Wallet for Desktop

By Deeba Ahmed The extension will support all EVM chains and Solana. This is a post from HackRead.com Read the original post: Trust Wallet Launches Browser Extension Wallet for Desktop...

CVE-2022-3616

Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer...

CVE-2022-3616

Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer...

Input validation

Attackers can create long chains of CAs that would lead to OctoRPKI exceeding its max iterations parameter. In consequence it would cause the program to crash, preventing it from finishing the validation and leading to a denial of service. Credits to Donika Mirdita and Haya Shulman - Fraunhofer...