2563 matches found
CVE-2021-33694
SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting...
CVE-2021-33693
SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution...
Command injection
SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution...
ECOA Building Automation System Cookie Poisoning / Authentication Bypass Vulnerabilities
ECOA building automation systems suffer from a cookie poisoning vulnerability that allows for authentication bypass. Many versions are affected. ECOA Building Automation System Cookie Poisoning Authentication Bypass Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw Affected...
ECOA Building Automation System Cross Site Request Forgery Vulnerability
ECOA building automation systems suffer from a cross site request forgery vulnerability. Many versions are affected. ECOA Building Automation System Cross-Site Request Forgery Vendor: ECOA Technologies Corp. Product web page: http://www.ecoa.com.tw Affected version: ECOA ECS Router Controller - E...
Inefficient Regular Expression Complexity in chalk/ansi-regex
✍️ Description It allows an attacker to cause a denial of service when matching crafted invalid ANSI escape codes. 🕵️♂️ Proof of Concept // PoC.mjs import ansiRegex from 'ansi-regex'; forvar i = 1; i = 50000; i++ var time = Date.now; var attackstr = "\u001B"+";".repeati10000; ansiRegex.testattackstr var timecost...
PT-2021-5798 · Unknown +7 · Ansi-Regex +7
Name of the Vulnerable Software and Affected Versions: ansi-regex affected versions not specified Description: The issue is related to Inefficient Regular Expression Complexity, which could lead to a denial of service when parsing invalid ANSI escape codes. This can be exploited by a remote...
ECOA Building Automation System Hidden Backdoor Accounts and backdoor() Function
Summary 1 The Risk-Terminator Web Graphic control BEMS Building Energy Management System are designed to provide you with the latest in the Human Machine Interface HMI technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities,...
ECOA Building Automation System Missing Encryption Of Sensitive Information
Summary 1 The Risk-Terminator Web Graphic control BEMS Building Energy Management System are designed to provide you with the latest in the Human Machine Interface HMI technology, for completely monitoring and controlling management. It may be used singly for small and medium sized facilities,...
Remote Code Execution (RCE)
ffmpeg is vulnerable to remote code execution. The vulnerability exists due to a heap-use-after-free in the av_freep function in libavutil/mem.c which allows an attacker to inject and execute malicious codes...
Hackers, tractors, and a few delayed actors. How hacker Sick Codes learned too much about John Deere: Lock and Code S02E16
No one ever wants a group of hackers to say about their company: "We had the keys to the kingdom." But that's exactly what the hacker Sick Codes said on this week's episode of Lock and Code, in speaking with host David Ruiz, when talking about his and fellow hackers' efforts to peer into John Deere's...
macOS 11’s hidden security improvements
A deep dive into macOS 11's internals reveals some security surprises that deserve to be more widely known. Contents 1. Introduction 1. Disclaimers 2. macOS 11's better known security improvements 1. Secret messages revealed? 3. CPU security mitigation APIs 1. The NOSMT mitigation 2. The TECS...
If a QR code leads you to a Bitcoin ATM at a gas station, it’s a scam
Rogue QR code antics have been back in the news recently. They’re not exactly a mainstay of fakery, but they do tend to enjoy small waves of popularity as events shaped by the real world remind everyone they still exist. The most notable example where this is concerned is of course the pandemic...
Android Malware ‘FlyTrap’ Hijacks Facebook Accounts
Researchers have uncovered a new Android trojan, dubbed FlyTrap, that’s spread to more than 10,000 victims via rigged apps on third-party app stores, sideloaded apps and hijacked Facebook accounts. In a report posted on Monday, Zimperium’s zLabs mobile threat research teams wrote that FlyTrap has...
A week in security (July 26 – August 1)
Last week on Malwarebytes Labs: OSX.XLoader hides little except its main purpose: What we learned in the installation process. The Clubhouse database “breach” is likely a non-breach. Here’s why. Kaseya Unitrends has unpatched vulnerabilities that could help attackers expand a breach. UDP Technolo...
G2A's Journey to Global Growth, Part 1: Keeping Gamers and Geeks Playing During a Pandemic
Near the end of March 2020, G2A.COM saw its traffic virtually double overnight. The pandemic had just begun, and people were looking for ways to stay entertained and connected under lockdown. Not surprisingly, a lot of people turned to video games, and G2A.COM was one of the first places they wen...
Amazon Linux 2 : libX11 (ALAS-2021-1686)
The version of libX11 installed on the remote host is prior to 1.6.7-3. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2021-1686 advisory. A missing validation flaw was found in libX11. This flaw allows an attacker to inject X11 protocol commands on X clients, and in som...
The vulnerability of the Java framework for securing industrial applications using Spring Security, related to uncontrolled resource consumption, allows attackers to cause service failures.
The vulnerability of the Java framework for securing industrial applications using Spring Security is related to an uncontrolled resource consumption. Exploiting this vulnerability can allow a malicious actor to cause service failures by initiating authentication requests, thereby providing...
CVE-2021-33839
Luca through 1.7.4 on Android allows remote attackers to obtain sensitive information about COVID-19 tracking because the QR code of a Public Location can be intentionally confused with the QR code of a Private Meeting...