Shining a Light on Shadow Apps: The Invisible Gateway to SaaS Data Breaches
Shadow apps, a segment of Shadow IT, are SaaS applications purchased without the knowledge of the security team. While these applications may be legitimate, they operate within the blind spots of the corporate security team and expose the company to attackers. Shadow apps may include instances of...
Apartment Visitor Management System 1.0 SQL Injection / Code Execution
| Title : Apartment Visitor Management System 1.0 php code injection Vulnerability | | Author : indoushka | | Tested on : windows 10 FrPro / browser :...
A vulnerability in the mmu component of the Linux kernel allows attackers to compromise the confidentiality, integrity, and availability of data.
The vulnerability in the mmu component of the Linux kernel is related to an uncontrolled element in the search process. Exploiting this vulnerability could allow an attacker to compromise the confidentiality, integrity, and availability of data...
PT-2024-9399 · OpenSC +5
Name of the Vulnerable Software and Affected Versions: OpenSC affected versions not specified Description: A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs...
SQL injection vulnerability in the electronic document security management system of Beijing Yisetong Technology Development Co.
Beijing Yisetong Technology Development Co., Ltd. is a Chinese provider whose three main lines of business are data security, network security and security services. A SQL injection vulnerability exists in the Yisetong Electronic Document Security Management System of Beijing Yisetong Technology Development Co...
Missing hostname validation in Kroxylicious
A flaw was found in Kroxylicious. When establishing the connection with the upstream Kafka server using a TLS secured connection, Kroxylicious fails to properly verify the server's hostname, resulting in an insecure connection. For a successful attack to be performed, the attacker needs to perfor...
No, not every Social Security number in the U.S. was stolen
My current least favorite thing about the churn of social media that I've seen over the past week is waves of stories, posts and videos saying that every U.S. citizen's Social Security number has been stolen or potentially viewed by a threat actor. The claim comes from a class action lawsuit filed ...
What’s Different About Data Security in the Cloud? Almost Everything.
In 2019, most organizations already had digital transformation plans in place. These plans included migrating workloads to modern cloud architectures. However, the Covid-19 pandemic compelled organizations to expedite their modernization efforts due to practical reasons. For instance, setting up ...
Siemens Location Intelligence suffers from insufficient encryption strength vulnerability
Location Intelligence is a web-based application that creates transparency in production and logistics processes based on location data, thus uncovering optimization potential. Siemens Location Intelligence suffers from an insufficient encryption strength vulnerability, which can be exploited by ...
GHSA-6R4J-4RJC-8VW5 RBAC Roles for `etcd` created by Kamaji are not disjunct
Summary Using an "open at the top" range definition in RBAC for etcd roles leads to some TCPs' API servers being able to read, write and delete the data of other control planes. Details The problematic code is this:...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to bypass security restriction due to Node.js undici module ( CVE-2024-30261, CVE-2024-30260 )
Summary Node.js undici module is used by IBM Cloud Pak for Data as part of the platform. CVE-2024-30261, CVE-2024-30260. Vulnerability Details CVEID:CVE-2024-30261 DESCRIPTION: Node.js undici module could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw with...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Speex [CVE-2020-23903]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Speex, caused by a divide-by-zero vulnerability in the function static int readsamples (CVE-2020-23903). Speex is used by our Speech Service runtimes. This vulnerability has been...
A vulnerability in the setMacFilterRules function of the TOTOLINK CP900L wireless access point's software allows an intruder to compromise the confidentiality, integrity, and availability of the protected information.
The vulnerability in the setMacFilterRules function of the TOTOLINK CP900L wireless access point software arises from a stack overflow. Exploiting this vulnerability can allow a remote attacker to compromise the confidentiality, integrity, and availability of the protected...
How Searchable Encryption Changes the Data Security Game
Searchable Encryption has long been a mystery. An oxymoron. An unattainable dream of cybersecurity professionals everywhere. Organizations know they must encrypt their most valuable, sensitive data to prevent data theft and breaches. They also understand that organizational data exists to be used...
Apple iOS and Apple iPadOS Security Vulnerability
Apple iOS and Apple iPadOS are products of Apple Inc. Apple iOS is an operating system developed for mobile devices, and Apple iPadOS is an operating system for the iPad tablet computer. A security vulnerability exists in Apple iOS and Apple iPadOS version 17.5, which originates from an applicati...
Nexo Cements User Data Security with SOC 3 Assessment and SOC 2 Audit Renewal
Nexo's SOC 2 Type II reassessment and new SOC 3 report is the latest step in the organization's...
Security Bulletin: IBM Cloud Pak for Data is vulnerable to several issues due to the go compiler
Summary The Go compiler is used by IBM Cloud Pak for Data to build various binaries. CVE-2022-28131, CVE-2022-30630, CVE-2022-30580, CVE-2022-32189, CVE-2022-30632, CVE-2022-28327, CVE-2022-30629, CVE-2022-30635, CVE-2022-30631, CVE-2022-32148, CVE-2022-1705, CVE-2022-1962, CVE-2022-24675,...
CVE-2024-41124
Puncia is the official CLI utility for Subdomain Center & Exploit Observer. `API_URLS` uses HTTP instead of HTTPS for communication, which can lead to eavesdropping, data tampering, unauthorized data access and MITM attacks. This issue has been addressed in release version 0.21 by...
[PUNCIA] [CWE-319] Cleartext Transmission of Sensitive Information via HTTP urls in `API_URLS`
Impact `API_URLS` uses HTTP instead of HTTPS for communication, which can lead to eavesdropping, data tampering, unauthorized data access and MITM attacks. References ISSUE PATCH...
Dell Data Lakehouse Security Vulnerability
Dell Data Lakehouse is a fully integrated data platform from Dell, Inc. An encryption issue vulnerability exists in Dell Data Lakehouse version 1.0.0.0, which stems from a missing encryption of sensitive data contained in the DDAE. An attacker could exploit this vulnerability to cause information...