Security Bulletin: Vulnerability exists in Watson Explorer (CVE-2019-4441)
Summary: Security vulnerability affects IBM Watson Explorer. Vulnerability Details: CVEID: CVE-2019-4441. DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM...
Node.js third-party modules: [klona] Prototype pollution
I would like to report Prototype pollution in klona. It allows adding arbitrary property to Prototype while deep cloning an object. Module: module name: klona; version: Hunter's comments and funny memes goes here F690469. Impact: Denial of Service and possible Remote code execution by overriding object...
Friday Squid Blogging: Giant Squid Video from the Gulf of Mexico
Fantastic video: Scientists had used a specialized camera system developed by Widder called the Medusa, which uses red light undetectable to deep sea creatures and has allowed scientists to discover species and observe elusive ones. The probe was outfitted with a fake jellyfish that mimicked the...
Privilege escalation
A privilege escalation vulnerability in the Trend Micro Deep Security as a Service Quick Setup cloud formation template could allow an authenticated entity with certain unrestricted AWS execution privileges to escalate to full privileges within the target AWS account...
CVE-2019-18191
A privilege escalation vulnerability in the Trend Micro Deep Security as a Service Quick Setup cloud formation template could allow an authenticated entity with certain unrestricted AWS execution privileges to escalate to full privileges within the target AWS account...
CVE-2019-18191
The CVE-2019-18191 entry concerns Trend Micro Deep Security as a Service Quick Setup cloud formation template. The vulnerability enables privilege escalation where an authenticated entity with certain unrestricted AWS execution privileges can gain full privileges within the target AWS account. Do...
Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite Exploit
Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite Exploit Author : Peter Lapp Vendor Homepage : https://www.trendmicro.com/enus/business.html Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716 Tested on OS: v11.0.582 and...
Trend Micro Deep Security Agent 11 Arbitrary File Overwrite
Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite Exploit Author : Peter Lapp Exploit Date: 2019-12-05 Vendor Homepage : https://www.trendmicro.com/enus/business.html Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716 Tested on...
Manipulating Machine Learning Systems by Manipulating Training Data
Interesting research: "TrojDRL: Trojan Attacks on Deep Reinforcement Learning Agents": Abstract: Recent work has identified that classification models implemented as neural networks are vulnerable to data-poisoning and Trojan attacks at training time. In this work, we show that these training-ti...
Prototype Pollution
Overview: All versions of deep-setter are vulnerable to prototype pollution. The package does not restrict the modification of an Object's prototype, which may allow an attacker to add or modify an existing property that will exist on all objects. Recommendation: No fix is currently available...
Debian DSA-4570-1 : mosquitto - security update
A vulnerability was discovered in mosquitto, an MQTT version 3.1/3.1.1 compatible message broker, allowing a malicious MQTT client to cause a denial of service (stack overflow and daemon crash) by sending a specially crafted SUBSCRIBE packet containing a topic with an extremely deep hierarchy. C...
Tips to Accelerating PCI Data Security Standard Projects with Deep Security as a Service
Does your organization need to meet PCI DSS requirements? Are you struggling with multiple security tools? Or stretching your already overstretched team to prepare for an audit? Time to hit the accelerator with Trend Micro! If your applications deal with credit or payment card data, you need to g...
CVE-2019-15627
Versions 10.0, 11.0 and 12.0 of the Trend Micro Deep Security Agent are vulnerable to an arbitrary file delete attack, which may lead to availability impact. Local OS access is required. Please note that only Windows agents are affected...
CVE-2019-15626
The Deep Security Manager application Versions 10.0, 11.0 and 12.0, when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability...
Code injection
The Deep Security Manager application Versions 10.0, 11.0 and 12.0, when configured in a certain way, may transmit initial LDAP communication in clear text. This may result in confidentiality impact but does not impact integrity or availability...
Code injection
Versions 10.0, 11.0 and 12.0 of the Trend Micro Deep Security Agent are vulnerable to an arbitrary file delete attack, which may lead to availability impact. Local OS access is required. Please note that only Windows agents are affected...
CVE-2019-15627
The CVE-2019-15627 entry concerns Trend Micro Deep Security Agent versions 10.0, 11.0 and 12.0 on Windows, vulnerable to an arbitrary file delete/overwrite that can impact availability. Local OS access is required, and only Windows agents are affected. The underlying issue is a local file manipul...
CVE-2019-15626
CVE-2019-15626 affects Deep Security Manager (versions 10.0, 11.0, 12.0). When configured in a certain way, the initial LDAP communication is transmitted in clear text, resulting in a confidentiality impact (high in CVSS 3.1, per sources). The connected documents do not provide concrete exploit d...