188 matches found
curl: Signed integer overflow in tool_progress_cb()
Summary: Good afternoon curl security! I built this curl from commit 8144ba38c383718355d8af2ed8330414edcbbc83. We discovered a signed integer overflow in tool_progress_cb. Steps To Reproduce: Compiled with the Undefined Behavior Sanitizer enabled. Ran with the following command line: ./curl -q - -T...
Hacker who reported flaw in Hungarian Telekom faces up to 8-years in prison
Many of you might have this question in your mind: "Is it illegal to test a website for vulnerability without permission from the owner?" Or… "Is it illegal to disclose a vulnerability publicly?" Well, the answer is YES, it's illegal most of the time and doing so could backfire even when you hav...
Vulnerability Spotlight: Multiple Vulnerabilities in Yi Technology Home Camera
Vulnerabilities Discovered by Lilith xx of Cisco Talos. Overview Cisco Talos is disclosing multiple vulnerabilities in the firmware of the Yi Technology Home Camera. In order to prevent the exploitation of these vulnerabilities, Talos worked with Yi Technology to make sure a newer version of the...
Design/Logic Flaw
Dogtag PKI, through version 10.6.1, has a vulnerability in AAclAuthz.java that, under certain configurations, causes the application of ACL allow and deny rules to be reversed. If a server is configured to process allow rules before deny rules (authz.evaluateOrder=allow,deny), then allow rules will...
CVE-2018-1080
Dogtag PKI, through version 10.6.1, has a vulnerability in AAclAuthz.java that, under certain configurations, causes the application of ACL allow and deny rules to be reversed. If a server is configured to process allow rules before deny rules (authz.evaluateOrder=allow,deny), then allow rules will...
MaDDash 2.0.2 Directory Listing
Exploit Title: MaDDash 2.0.2 - Directory Listing Date: 2018-06-18 Vendor: perfSONAR Download Link: https://github.com/esnet/maddash/archive/master.zip Version: 2.0.2 Exploit Author: ManhNho CVE: CVE-2018-12522,CVE-2018-12523,CVE-2018-12524,CVE-2018-12525 Category: Webapps Tested on: Windows 7 ---...
MaDDash 2.0.2 - Directory Listing
MaDDash 2.0.2 - Directory Listing Exploit Title: MaDDash 2.0.2 - Directory Listing Date: 2018-06-18 Vendor: perfSONAR Download Link: https://github.com/esnet/maddash/archive/master.zip Version: 2.0.2 Exploit Author: ManhNho CVE: CVE-2018-12522,CVE-2018-12523,CVE-2018-12524,CVE-2018-12525 Category...
MaDDash 2.0.2 - Directory Listing Vulnerability
Exploit for java platform in category local exploits Exploit Title: MaDDash 2.0.2 - Directory Listing Vendor: perfSONAR Download Link: https://github.com/esnet/maddash/archive/master.zip Version: 2.0.2 Exploit Author: ManhNho CVE: CVE-2018-12522,CVE-2018-12523,CVE-2018-12524,CVE-2018-12525...
Google Tackles AI Principles: Is It Enough?
Google has released its manifesto of principles guiding its efforts in the artificial intelligence realm – though some say the salvo isn’t as complete as it could be. AI is the new golden ring for developers, thanks to its potential to not just automate functions at scale but also to make...
Russia asks Apple to remove Telegram Messenger from the App Store
Russia's communications regulator Roskomnadzor has threatened Apple to face the consequences if the company does not remove secure messaging app Telegram from its App Store. Back in April, the Russian government banned Telegram in the country for the company's refusal to hand over private...
Welcome to the Cyber-Regulatory Market of 2018 and Beyond
In the past few years, we’ve seen an increase in the number of companies facing legal consequences for ineffectively meeting deadlines requiring them to measure the effectiveness of their security solutions. Combined with these deadlines, companies also have to prove they have awareness and contr...
A week in security (December 04 – December 10)
Last week on the blog, we looked at a RIG EK malware campaign, explored how children are being tangled up in money mule antics, took a walk through the world of Blockchain, and gave a rundown of what's involved when securing web applications. We also laid out the trials and tribulations of the...
XMLDecoder deserialization vulnerability-vulnerability warning-the black bar safety net
When Java uses XMLDecoder to parse an XML file, a command execution vulnerability is present. The sample XML file is shown below: <?xml version="1.0" encoding="UTF-8"?> <java version="1.8.0131" class="java.beans.XMLDecoder"> <object class="java.lang.ProcessBuilder"> <array class="java...
VulnCheck KEV: CVE-2003-0681
A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets 1 recipient 2, final, or 3 mailer-specific envelope recipients, has unknown consequences...
DAHUA technology camera products unauthorized access vulnerability technical analysis and protection solution-vulnerability warning-the black bar safety net
Recently, the well-known domestic camera/DVR manufacturer DAHUA Technology (Dahua Technology) released firmware upgrade patches for some of its products to fix an important security issue. However, in official statement released before the discovery of this vulnerability, security experts Bashis...
Yahoo Tells SEC Executives Failed to Act on Breach
Yahoo’s quarterly SEC filings have been the only window into the massive data breaches that have exposed more than 1.5 billion records in the past four years. This week, Yahoo’s Q4 2016 filing was made public, and the view got uglier. The company admitted to the SEC and its investors that its...
X (Formerly Twitter): Remote Unrestricted file Creation/Deletion and Possible RCE.
Hello Gents, During my research on Twitter BBP, I found below domain name: Reverb.twitter.com Background: We worked with Twitter to develop TwitterReverb, an application that reveals how conversations arise and reverberate across the entire Twitter landscape. The custom application allows visitor...
AirOS 6.x Arbitrary File Upload
Vulnerability: It's possible to overwrite any file and create new ones on AirMax systems, because "php2" (maybe because of a patch) doesn't verify the "filename" value of a POST request. It's possible for an unauthenticated user to exploit this vulnerability. Example: Consider the following request:...