How CISOs are preparing to tackle 2022

Looking back over the last year, the security landscape has continued to experience significant change and escalation. Every day, we see the toll this is taking on organizations of all sizes as they navigate the enduring challenges of the pandemic, the expansion of the digital estate, and the...

Scemu - X86 32bits Emulator, For Securely Emulating Shellcodes

x86 32bits emulator, for securely emulating shellcodes. Features  rust safety, good for malware. All dependencies are in rust. zero unsafe blocks. very fast emulation much faster than unicorn 3,000,000 instructions/second 100,000 instructions/second printing every instruction -vv. powered by...

VUPlayer 2.49 - (.wax) Local Buffer Overflow (DEP Bypass) Exploit

Exploit Title: VUPlayer 2.49 - '.wax' Local Buffer Overflow DEP Bypass Exploit Author: Bryan Leong Vendor Homepage: http://www.vuplayer.com/ Software Link: Null Version: VUPlayer 2.49 Tested on: Windows 7 x64 CVE : CVE-2009-0182 VUPlayer 2.49 Local Buffer Overflow to Arbitrary Code Execution...

VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)

Exploit Title: VUPlayer 2.49 - '.wax' Local Buffer Overflow DEP Bypass Date: 26/06/2021 Exploit Author: Bryan Leong Vendor Homepage: http://www.vuplayer.com/ Software Link: Null Version: VUPlayer 2.49 Tested on: Windows 7 x64 CVE : CVE-2009-0182 VUPlayer 2.49 Local Buffer Overflow to Arbitrary Co...

Security Bulletin: App Connect Professional & IBM WebSphere Cast Iron Solution are affected by OpenSSL vulnerability

Summary App Connect Professional & IBM WebSphere Cast Iron Solution have addressed the following vulnerability reported in OpenSSL. Vulnerability Details CVEID: CVE-2021-3449 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference in signaturealgorithms...

This Week in Security News - December 3, 2021

This week, learn about how Squirrelwaffle utilized ProxyLogon and ProxyShell to hack email chains. Also, read on a recent data breach of the Los Angeles Planned Parenthood Network...

A review of Azure Sphere vulnerabilities: Unsigned code execs, kernel bugs, escalation chains and firmware downgrades

Summary of all the vulnerabilities reported by Cisco Talos in Microsoft Azure Sphere By Claudio Bozzato and Lilith . In May 2020, Microsoft kicked off the Azure Sphere Security Research Challenge, a three-month initiative aimed at finding bugs in Azure Sphere. In the first three months,... This i...

NewStart CGSL CORE 5.05 / MAIN 5.05 : thunderbird Multiple Vulnerabilities (NS-SA-2021-0140)

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has thunderbird packages installed that are affected by multiple vulnerabilities: - If Thunderbird is configured to use STARTTLS for an IMAP server, and the server sends a PREAUTH response, then Thunderbird will continue with a...

Mandating a Zero-Trust Approach for Software Supply Chains

In the wake of the SolarWinds attack last year, President Biden issued an executive order in May advocating for mandatory software bills of materials, or SBOMs, to increase software transparency and counter supply-chain attacks. For reference, SBOMs are machine-readable documents that provide a...

For Microsoft Exchange Server Vulnerabilities, Patching Remains Patchy

If you've been keeping tabs on the state of vulnerabilities, you've probably noticed that Microsoft Exchange has been in the news more than usual lately. Back in March 2021, Microsoft acknowledged a series of threats exploiting zero-day CVEs in on-premises instances of Exchange Server. Since then...

TikTok, GitHub, Facebook Join Open-Source Bug Bounty

Tech giants want hackers to take their money, in exchange for rooting out critical vulnerabilities lurking in the open-source code they use. As more businesses rely on open-source software for mission-critical infrastructure, HackerOne, along with sponsors including Elastic, Facebook, Figma,...

in dompdf/dompdf

Description DomPDF is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the filegetcontents function. If an attacker can upload files of any type to the server he can pass in the phar:// protocol to unserialize the uploaded file and instantiate...

[SECURITY] [DLA 2759-1] gnutls28 alternate chains verification

------------------------------------------------------------------------- Debian LTS Advisory DLA-2759-1 [email protected] https://www.debian.org/lts/security/ Sylvain Beucler September 17, 2021 https://wiki.debian.org/LTS -...

Security Bulletin: Multiple vulnerabilities in OpenSSL may affect IBM Workload Scheduler

Summary OpenSSL vulnerabilities CVE-2021-3449 and CVE-2021-3450 have been disclosed by the OpenSSL Project. OpenSSL is used by IBM Workload Scheduler. IBM Workload Scheduler has addressed the CVE Vulnerability Details CVEID: CVE-2021-3449 DESCRIPTION: OpenSSL is vulnerable to a denial of service,...

CVE-2021-33831

api/account/register in the TH Wildau COVID-19 Contact Tracing application through 2021-09-01 has Incorrect Access Control. An attacker can interfere with tracing of infection chains by creating 500 random users within 2500 seconds...

GHSA-PC4W-8V5J-29W9 Deserialization of Untrusted Data in Neo4j

Neo4j through 3.4.18 with the shell server enabled exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains...

Deserialization of Untrusted Data in Neo4j

Neo4j through 3.4.18 with the shell server enabled exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains...

OpenSSL: Alternative Chains Certificate Forgery (20150709) - Linux

OpenSSL is prone to certificate forgery. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can redistribute...

OpenSSL: Alternative Chains Certificate Forgery (20150709) - Windows

OpenSSL is prone to certificate forgery. Copyright C 2021 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can redistribute...

CVE-2021-34371

Neo4j through 3.4.18 with the shell server enabled exposes an RMI service that arbitrarily deserializes Java objects, e.g., through setSessionVariable. An attacker can abuse this for remote code execution because there are dependencies with exploitable gadget chains...