
2565 matches found

Mageia
added 2024/11/27 7:59 p.m. | 20 views

Updated zbar packages fix security vulnerabilities

A heap-based buffer overflow exists in the qr_reader_match_centers function of ZBar 0.23.90. Specially crafted QR codes may lead to information disclosure and/or arbitrary code execution. To trigger this vulnerability, an attacker can digitally input the malicious QR code, or prepare it to be...

9.8 CVSS | 8 AI score | 0.01787 EPSS
Exploits: 0 | References: 2
The Hacker News
added 2024/11/27 11:30 a.m. | 5 views

Latest Multi-Stage Attack Scenarios with Real-World Examples

Multi-stage cyber attacks, characterized by their complex execution chains, are designed to avoid detection and trick victims into a false sense of security. Knowing how they operate is the first step to building a solid defense strategy against them. Let's examine real-world examples of some of...

7.4 AI score
Exploits: 0
RedHat Linux
added 2024/11/26 3:37 p.m. | 3 views

Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially...

6.1 CVSS | 5.8 AI score | 0.02001 EPSS
Exploits: 0 | References: 5
RedHat Linux
added 2024/11/26 3:35 p.m. | 2 views

Keycloak: Vulnerable Redirect URI Validation Results in Open Redirec

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially...

6.1 CVSS | 5.8 AI score | 0.02001 EPSS
Exploits: 0 | References: 5
OpenVAS
added 2024/11/26 12:0 a.m. | 10 views

openSUSE Security Advisory (SUSE-SU-2024:4050-1)

The remote host is missing an update for the...

9.8 CVSS | 9.1 AI score | 0.00815 EPSS
Exploits: 0 | References: 5
RedhatCVE
added 2024/11/25 8:54 p.m. | 11 views

CVE-2024-11403

A flaw was found in the libjxl package. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression, such as using JxlEncoderAddJPEGFrame on untrusted input, does not properly check bounds in the presence of incomplete codes. This could lead to an out-of-bounds write. In jpegli,...

5.3 CVSS | 6.8 AI score | 0.00618 EPSS
Exploits: 0 | References: 4
NVD
added 2024/11/25 2:15 p.m. | 9 views

CVE-2024-11403

There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression i.e. if using JxlEncoderAddJPEGFrame on untrusted input does not properly check bounds in the presence o...

9.8 CVSS | 0.00618 EPSS
Exploits: 0 | References: 1
Cvelist
added 2024/11/25 1:8 p.m. | 15 views

CVE-2024-11403 Out of Bounds Memory Read/Write in libjxl

There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression i.e. if using JxlEncoderAddJPEGFrame on untrusted input does not properly check bounds in the presence o...

6.9 CVSS | 0.00618 EPSS
Exploits: 0 | References: 1
Vulnrichment
added 2024/11/25 1:8 p.m. | 18 views

CVE-2024-11403 Out of Bounds Memory Read/Write in libjxl

There exists an out of bounds read/write in LibJXL versions prior to commit 9cc451b91b74ba470fd72bd48c121e9f33d24c99. The JPEG decoder used by the JPEG XL encoder when doing JPEG recompression i.e. if using JxlEncoderAddJPEGFrame on untrusted input does not properly check bounds in the presence o...

6.9 CVSS | 7.1 AI score | 0.00618 EPSS
Exploits: 0 | References: 1
CVE
added 2024/11/25 1:8 p.m. | 80 views

CVE-2024-11403

CVE-2024-11403 involves an out-of-bounds read/write in LibJXL’s JPEG decoder used for recompression (JxlEncoderAddJPEGFrame) and also affects jpegli. The vulnerability arises when processing incomplete codes, allowing out-of-bounds writes and potentially causing reads of uninitialized memory or f...

9.8 CVSS | 6.8 AI score | 0.00618 EPSS
Exploits: 0 | References: 1 | Affected Software: 1
NVD
added 2024/11/22 8:15 p.m. | 12 views

CVE-2024-6247

Wyze Cam v3 Wi-Fi SSID OS Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw...

6.8 CVSS | 0.02175 EPSS
Exploits: 0 | References: 2
Cvelist
added 2024/11/22 8:5 p.m. | 17 views

CVE-2024-6247 Wyze Cam v3 Wi-Fi SSID OS Command Injection Remote Code Execution Vulnerability

Wyze Cam v3 Wi-Fi SSID OS Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw...

6.8 CVSS | 0.02175 EPSS
Exploits: 0 | References: 2
CVE
added 2024/11/22 8:5 p.m. | 47 views

CVE-2024-6247

CVE-2024-6247 involves Wyze Cam v3 where the OS command injection occurs through handling of SSIDs embedded in scanned QR codes. The root cause is improper validation of a user-supplied string used in a system call, enabling a local attacker with physical access to execute code as root on affecte...

6.8 CVSS | 7.2 AI score | 0.02175 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2024/11/21 12:23 p.m. | 1 views

USN-7118-1 zbar vulnerabilities

It was discovered that ZBar did not properly handle certain QR codes. If a user or automated system using ZBar were tricked into opening a specially crafted file, an attacker could possibly use this to obtain sensitive information. (CVE-2023-40889) It was discovered that ZBar did not properly handl...

9.8 CVSS | 5.8 AI score | 0.01787 EPSS
Exploits: 0 | References: 3
NVD
added 2024/11/20 2:15 p.m. | 25 views

CVE-2024-52597

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One o...

6.1 CVSS | 0.00363 EPSS
Exploits: 1 | References: 2
Vulnrichment
added 2024/11/20 2:1 p.m. | 9 views

CVE-2024-52597 2FAuth vulnerable to stored cross-site scripting via SVG upload and direct access render

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One o...

6.1 CVSS | 6.1 AI score | 0.00363 EPSS
Exploits: 1 | References: 2
OSV
added 2024/11/20 2:1 p.m. | 13 views

CVE-2024-52597 2FAuth vulnerable to stored cross-site scripting via SVG upload and direct access render

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One o...

6.1 CVSS | 5.8 AI score | 0.00363 EPSS
Exploits: 1 | References: 4
Talos Blog
added 2024/11/20 11:0 a.m. | 6 views

Malicious QR Codes: How big of a problem is it, really?

QR codes are disproportionately effective at bypassing most anti-spam filters, as most filters are not designed to recognize that a QR code is present in an image and decode the QR code. According to Cisco Talos' data, roughly 60% of all email containing a QR code is spam. Talos discovered two...

7.6 AI score
Exploits: 0
Malwarebytes
added 2024/11/18 8:12 a.m. | 7 views

A week in security (November 11 – November 17)

Last week on Malwarebytes Labs: Malicious QR codes sent in the mail deliver malware; 122 million people’s business contact info leaked by data broker; Advertisers are pushing ad and pop-up blockers using old tricks; Scammer robs homebuyers of life savings in $20 million theft spree; Temu must respect...

7.2 AI score
Exploits: 0
vulnersOsv
added 2024/11/18 6:30 a.m. | 6 views

africa.absa:inception-api (>=1.1.0 <=1.2.0), africa.absa:inception-codes-api (>=1.1.0 <=1.2.0) +10765 more potentially affected by CVE-2024-38828 via org.springframework:spring-webmvc (>=5.3.0 <=5.3.4)

org.springframework:spring-webmvc MAVEN version =5.3.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =4.4.0.2, =1.4.2, =1.6.6, =1.6.6.1 - ai.platon:distributed-lock-example =1.4.2 and more Source cves: CVE-2024-38828 Source advisory: OSV:GHSA-W3C8-7R8F-9JP8...

5.3 CVSS | 6.6 AI score | 0.00729 EPSS
Exploits: 0