72 matches found
Developer account body snatchers pose risks to the software supply chain
Over the past several years, high-profile software supply chain attacks have increased in frequency. These attacks can be difficult to detect and source code repositories became a key focus of this research. Developer account takeovers present a substantial risk to the software supply chain becau...
CVE-2022-22460
IBM Security Verify Identity Manager 10.0 contains sensitive information in the source code repository that could be used in further attacks against the system. IBM X-Force ID: 225013...
CVE-2022-22460
IBM Security Verify Identity Manager 10.0 contains sensitive information in the source code repository that could be used in further attacks against the system. IBM X-Force ID: 225013...
IBM Security Verify Identity Manager 安全漏洞
IBM Security Verify Identity Manager is a security verification identity manager from IBM USA. A security vulnerability exists in IBM Security Verify Identity Manager version 10.0 that originates from the inclusion of sensitive information in the source code repository...
PermissionlessBasicPoolFactory\addPool() doesn’t check whether pool.excessBeneficiary is address(0)
Lines of code Vulnerability details Impact In PermissionlessBasicPoolFactory\addPool, it doesn’t check whether pool.excessBeneficiary is address0. Therefore, when doing withdrawExcessRewards. IERC20pool.rewardTokensi.transferpool.excessBeneficiary, rewards always revert. Proof of Concept...
O365-Doppelganger - A Quick Handy Script To Harvest Credentials Off Of A User During A Red Team And Get Execution Of A File From The User
O365-Doppelganger is NOT a replacement for hardcore phishing activities. There are several other tools which perform OAuth and OTA capture which is not the aim of O365-Doppelganger. O365-Doppelganger is a quick handy script to harvest credentials of a user during Red Teams. This repository is a...
The 5 Most-Wanted Threatpost Stories of 2021
As 2021 draws to a close, and the COVID-19 pandemic drags on, it’s time to take stock of what resonated with our 1 million+ monthly visitors this year, with an eye to summing up some hot trends gleaned from looking at the most-read stories on the Threatpost site. While 2020 was all about...
[SECURITY] Fedora 35 Update: libopenmpt-0.5.12-1.fc35
libopenmpt is a cross-platform C++ and C library to decode tracked music files modules into a raw PCM audio stream. libopenmpt is based on the player code of the OpenMPT project Open ModPlug Tracker. In order to avoid code base fragmentation, libopenmpt is developed in the same source code...
[SECURITY] Fedora 33 Update: libopenmpt-0.4.24-1.fc33
libopenmpt is a cross-platform C++ and C library to decode tracked music files modules into a raw PCM audio stream. libopenmpt is based on the player code of the OpenMPT project Open ModPlug Tracker. In order to avoid code base fragmentation, libopenmpt is developed in the same source code...
[SECURITY] Fedora 35 Update: libopenmpt-0.5.11-1.fc35
libopenmpt is a cross-platform C++ and C library to decode tracked music files modules into a raw PCM audio stream. libopenmpt is based on the player code of the OpenMPT project Open ModPlug Tracker. In order to avoid code base fragmentation, libopenmpt is developed in the same source code...
[SECURITY] Fedora 34 Update: libopenmpt-0.5.8-1.fc34
libopenmpt is a cross-platform C++ and C library to decode tracked music files modules into a raw PCM audio stream. libopenmpt is based on the player code of the OpenMPT project Open ModPlug Tracker. In order to avoid code base fragmentation, libopenmpt is developed in the same source code...
5 Ways Your Software Supply Chain is Out to Get You, Part 4: Dependency Confusion
Previously, we discussed how three kinds of supply chain attack methods, Vendor Compromise, Exploit Third Party Applications, and Exploit Open Source Libraries are threatening software supply chains, passing risk downstream to the organizations and users that trust and depend on them. In this...
[SECURITY] Fedora 33 Update: libopenmpt-0.4.19-1.fc33
libopenmpt is a cross-platform C++ and C library to decode tracked music files modules into a raw PCM audio stream. libopenmpt is based on the player code of the OpenMPT project Open ModPlug Tracker. In order to avoid code base fragmentation, libopenmpt is developed in the same source code...
[SECURITY] Fedora 34 Update: libopenmpt-0.5.7-1.fc34
libopenmpt is a cross-platform C++ and C library to decode tracked music files modules into a raw PCM audio stream. libopenmpt is based on the player code of the OpenMPT project Open ModPlug Tracker. In order to avoid code base fragmentation, libopenmpt is developed in the same source code...
OSV - Open Source Vulnerability DB And Triage Service
OSV is a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source. For open source maintainers, OSV's automation helps reduce the burden of triage. Each vulnerability undergoes automated bisection and impa...
Discord-Stealing Malware Invades npm Packages
Three malicious software packages have been published to npm, a code repository for JavaScript developers to share and reuse code blocks. The packages represent a supply-chain threat given that they may be used as building blocks in various web applications; any applications corrupted by the code...
DNS as Code
Infrastructure as Code IaC and Continuous Delivery methods have become increasingly popular amongst development and operations teams as a means of maintaining high-performing websites. Code repositories, build servers, and configuration management systems are now industry standards, as these tool...
Cherokee Web Server <= 1.2.104 Multiple Vulnerabilities
Cherokee Web Server is prone to multiple vulnerabilities. Copyright C 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you...
Rocket.Chat: API Keys Hardcoded in Github repository
NOTE! Thanks for submitting a report! Please replace all the square sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to verify and then potentially issue a bounty, so be sure to take your time filling out the report! Summary: API Keys is ha...
commix
This is an automated tool called Commix, written by Anastasios Stasinopoulos, that can be used to test web-based applications for command injection vulnerabilities. The tool is designed to be used by web developers, penetration testers, or security researchers. It is available on GitHub and can b...