Lucene search

7378 matches found

Veracode
added 2018/06/07 6:38 a.m., 11 views

Malicious Typo-Squatting

crossenv is a malicious typo-squatting package. The package uses a similar name to the original library so that developers may mistake it for the real one but have malicious actions under the hood such as stealing environment variables...

CVSS 7.5, AI score 7.4, EPSS 0.00257
Exploits: 0, References: 1, Affected software: 1
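The check a practitioner wants against this class of package is a name-similarity audit of the dependency list before install. The following is an added example, not Veracode's code and not part of the crossenv write-up: it normalises package names (case, scope, separators) and flags any requested name that is a separator variant of, or within one edit of, a package on an approved list. The approved list and the sample dependency map are constructed for the demonstration.

```python
import re
from typing import Dict, List, Tuple

# Constructed allowlist of well-known npm package names the audit defends.
# In practice this is the organisation's approved dependency list.
KNOWN_PACKAGES = ["cross-env", "babel-cli", "lodash", "express", "mongoose", "request"]


def normalize(name: str) -> str:
    """Canonical form: lowercase, scope stripped, separators removed.
    'cross-env', 'crossenv' and 'Cross_Env' all map to 'crossenv'."""
    name = name.lower()
    if name.startswith("@") and "/" in name:
        name = name.split("/", 1)[1]
    return re.sub(r"[-_.]", "", name)


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions,
    substitutions and adjacent transpositions (the common typo classes)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(
    requested: str, known: List[str] = KNOWN_PACKAGES, max_distance: int = 1
) -> List[Tuple[str, int, str]]:
    """Return (known_name, distance, reason) for every approved package the
    requested name imitates. An exact match against the allowlist is not a squat."""
    hits: List[Tuple[str, int, str]] = []
    if requested in known:
        return hits
    norm_req = normalize(requested)
    for k in known:
        norm_k = normalize(k)
        if norm_req == norm_k:
            hits.append((k, 0, "separator/case variant"))
            continue
        dist = damerau_levenshtein(norm_req, norm_k)
        if dist <= max_distance:
            hits.append((k, dist, "edit distance"))
    return hits


def audit_dependencies(deps: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Audit a package.json-style dependency map; returns only suspicious entries."""
    return {name: hits for name in deps if (hits := typosquat_candidates(name))}


if __name__ == "__main__":
    # Constructed dependencies block for the demonstration.
    sample = {"crossenv": "^5.0.0", "cross-env": "^5.2.0", "lodahs": "4.17.0", "express": "^4.16.0"}
    for pkg, hits in audit_dependencies(sample).items():
        print(pkg, "->", hits)
```

Run it as a pre-install hook on the lockfile; a hit is a block, not a warning, because the cost of a false positive is one manual review while the cost of a miss is credential exfiltration.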
CVE
added 2018/06/01 6:00 p.m., 47 views

CVE-2016-10581

CVE-2016-10581 concerns the Steroids library (PhoneGap on Steroids), which downloads zipped resources over HTTP. The description states this makes it vulnerable to MITM attacks and, if an attacker can position themselves between the user and the server, may allow remote code execution by swapping...

CVSS 9.3, AI score 8.3, EPSS 0.00518
Exploits: 0, References: 1, Affected software: 1
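The two controls that close this class of issue are refusing plaintext transports and pinning the archive to a digest recorded out of band, so that neither an on-path attacker nor a replaced server-side file can swap the resource. The following is an added example, not code from the Steroids project or the CVE record; the URL, archive bytes and transport function are constructed so that it runs offline.

```python
import hashlib
import hmac
from typing import Callable
from urllib.parse import urlsplit


class ArtifactPolicyError(Exception):
    """Base class for downloads rejected by the transport or integrity policy."""


class TransportPolicyError(ArtifactPolicyError):
    """The URL would be fetched over a channel an on-path attacker can rewrite."""


class IntegrityError(ArtifactPolicyError):
    """The fetched bytes do not match the pinned digest."""


def check_source_url(url: str) -> str:
    """Allow only https:// URLs with a host. A plaintext download is exactly the
    condition the advisory describes; refusing it removes the MITM swap path."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise TransportPolicyError(f"refusing to fetch {url!r}: only https:// URLs with a host are allowed")
    return url


def verify_sha256(data: bytes, expected_hex: str) -> bytes:
    """Compare against a digest pinned in the build configuration. TLS protects
    the channel; the pin protects against a replaced file on the server side."""
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_hex.lower()):
        raise IntegrityError(f"sha256 mismatch: expected {expected_hex}, got {actual}")
    return data


def fetch_verified(url: str, expected_sha256_hex: str, transport: Callable[[str], bytes]) -> bytes:
    """Fetch through an injected transport and return the bytes only if both
    checks pass. The URL check runs before any I/O so a bad URL never hits the network."""
    check_source_url(url)
    return verify_sha256(transport(url), expected_sha256_hex)


# Constructed stand-in for the zipped resource; not a real archive.
GOOD_ARCHIVE = b"PK\x03\x04 constructed resource bundle v1"
GOOD_SHA256 = hashlib.sha256(GOOD_ARCHIVE).hexdigest()


def fake_transport(payload: bytes) -> Callable[[str], bytes]:
    """Transport returning a fixed payload: stands in for an HTTP client, or for
    an on-path attacker who replaced the response."""
    return lambda url: payload


def outcome(url: str, expected_sha256_hex: str, transport: Callable[[str], bytes]) -> str:
    """Human-readable verdict for a fetch attempt."""
    try:
        fetch_verified(url, expected_sha256_hex, transport)
        return "accepted"
    except TransportPolicyError:
        return "rejected: plaintext transport"
    except IntegrityError:
        return "rejected: digest mismatch"


if __name__ == "__main__":
    print(outcome("http://updates.example/bundle.zip", GOOD_SHA256, fake_transport(GOOD_ARCHIVE)))
    print(outcome("https://updates.example/bundle.zip", GOOD_SHA256, fake_transport(GOOD_ARCHIVE)))
    print(outcome("https://updates.example/bundle.zip", GOOD_SHA256, fake_transport(b"PK\x03\x04 swapped")))
```

The digest belongs next to the URL in the build configuration and is updated deliberately when the resource changes; a tool that downloads the digest from the same unauthenticated location as the archive has pinned nothing.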
ripstech
added 2018/05/30 12:00 a.m., 21 views

RIPS Integration into Jenkins CI with Pipeline Support

Pipelines The Pipeline approach is a more developer friendly method to define the build and test process of a project. It is as easy as placing a file named Jenkinsfile into your project which contains all the configuration. This is well known from other build tools like Docker or make and improv...

AI score 6.8
Exploits: 0
Japan Vulnerability Notes
added 2018/05/24 12:00 a.m., 55 views

JVN#79301396: Susie plug-in "axpdfium" may insecurely load Dynamic Link Libraries

Susie plug-in "axpdfium" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries (CWE-427). Impact: Arbitrary code may be executed with the privilege of the user running the program where "axpdfium" is used. Solution: Update the plug-in. Update the plug-...

CVSS 9.3, AI score 7.6, EPSS 0.00166
Exploits: 0
Malwarebytes
added 2018/05/23 3:00 p.m., 28 views

Why bad coding habits die hard—and 7 ways to kill them

Developers are usually the focus of blame when software vulnerabilities cause organizational breaches. Sometimes, quality assurance engineers are included in the flame. Interestingly, though, hardly anyone looks at why bad coding habits form in the first place. We're talking about the culture, th...

AI score 7.2
Exploits: 0
Microsoft CVE
added 2018/05/21 7:00 a.m., 276 views

Microsoft Guidance for Speculative Store Bypass

Executive summary: On January 3, 2018, Microsoft released an advisory and security updates related to a newly-discovered class of hardware vulnerabilities known as Spectre and Meltdown involving speculative execution side channels that affect AMD, ARM, and Intel CPUs to varying degrees. On May 21s...

CVSS 5.6, AI score 6.6, EPSS 0.46733
Exploits: 2
Japan Vulnerability Notes
added 2018/05/21 12:00 a.m., 74 views

JVN#96954395: Nessus vulnerable to cross-site scripting

Nessus provided by Tenable, Inc. contains a stored cross-site scripting vulnerability (CWE-79). Impact: Arbitrary JavaScript may be executed on the user's web browser. Solution: Update the software. Update to the latest version according to the information provided by the developer. Products Affected...

CVSS 5.4, AI score 5.3, EPSS 0.00363
Exploits: 0
Kitploit
added 2018/05/16 10:30 p.m., 82 views

OWASP iGoat (Swift) - A Damn Vulnerable Swift Application For iOS

This is a Swift version of the original iGoat Objective-C project. Using OWASP iGoat, you can learn exploiting and defending vulnerabilities in iOS Swift applications. Developed using Swift 4 and Ruby. iGoat Objective-C was presented at: OWASP TOP 10 Mobile, Reverse Engineering, Runtime Analysis, Data...

AI score 7.7
Exploits: 0, References: 2
OSV
added 2018/05/11 12:00 a.m., 0 views

UBUNTU-CVE-2018-5175

A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, a...

CVSS 6.1, AI score 6.9, EPSS 0.00574
Exploits: 0, References: 4
UbuntuCve
added 2018/05/11 12:00 a.m., 26 views

CVE-2018-5175

A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "'strict-dynamic'". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefox's Developer Tools, a...

CVSS 6.1, AI score 6.9, EPSS 0.00574
Exploits: 0, References: 3
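The CSP semantic that makes a module loader dangerous under 'strict-dynamic', for both the OSV and the Ubuntu listings of CVE-2018-5175 above, is trust propagation: once a script is allowed (by nonce or hash), any script element it creates with createElement is allowed too, regardless of the host allowlist, while parser-inserted scripts (markup, innerHTML, document.write) are not. A loader such as require.js exists precisely to create script elements, so if it ever runs as a trusted script it will load whatever it is pointed at. The following evaluator is an added example, not browser code and not part of the advisory; it models the CSP3 rules for script-src and does not reproduce the Firefox-specific loading path the description refers to. The policies and script loads are constructed.

```python
import base64
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Set
from urllib.parse import urlsplit


@dataclass
class ScriptSrc:
    """The parts of a script-src directive that decide whether a script may run."""
    nonces: Set[str] = field(default_factory=set)
    hashes: Set[str] = field(default_factory=set)   # e.g. "sha256-<base64>"
    hosts: Set[str] = field(default_factory=set)    # host or scheme expressions
    self_: bool = False
    unsafe_inline: bool = False
    strict_dynamic: bool = False


def parse_script_src(header: str) -> ScriptSrc:
    """Parse only the script-src directive out of a Content-Security-Policy value."""
    policy = ScriptSrc()
    for directive in header.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "script-src":
            continue
        for tok in tokens[1:]:
            t = tok.strip("'")
            if tok.startswith("'nonce-"):
                policy.nonces.add(t[len("nonce-"):])
            elif tok.startswith(("'sha256-", "'sha384-", "'sha512-")):
                policy.hashes.add(t)
            elif t == "self":
                policy.self_ = True
            elif t == "unsafe-inline":
                policy.unsafe_inline = True
            elif t == "strict-dynamic":
                policy.strict_dynamic = True
            else:
                policy.hosts.add(t.lower())
    return policy


@dataclass
class ScriptLoad:
    """One script the page tries to run."""
    src: Optional[str] = None       # None for an inline script
    body: str = ""                  # inline body, used for hash matching
    nonce: Optional[str] = None
    parser_inserted: bool = True    # markup, innerHTML, document.write
    trusted_creator: bool = False   # created via createElement by an allowed script


def sha256_source(body: str) -> str:
    """CSP hash-source token for an inline script body."""
    return "sha256-" + base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()


def host_matches(policy: ScriptSrc, src: str, page_origin: str) -> bool:
    """Match a script URL against 'self' and the host/scheme expressions."""
    u, p = urlsplit(src), urlsplit(page_origin)
    if policy.self_ and (u.scheme, u.netloc) == (p.scheme, p.netloc):
        return True
    for h in policy.hosts:
        if h == "*":
            return True
        if h.endswith(":") and u.scheme == h[:-1]:       # scheme-source, e.g. https:
            return True
        host = h.split("://")[-1].split("/")[0].split(":")[0]
        if host.startswith("*.") and u.hostname and u.hostname.endswith(host[1:]):
            return True
        if u.hostname == host:
            return True
    return False


def allows(policy: ScriptSrc, load: ScriptLoad, page_origin: str) -> bool:
    """Decide whether the load runs. Nonce and hash matches win in every mode."""
    if load.nonce and load.nonce in policy.nonces:
        return True
    if load.src is None and sha256_source(load.body) in policy.hashes:
        return True
    if policy.strict_dynamic:
        # Host allowlist, 'self' and 'unsafe-inline' are ignored; trust reaches only
        # non-parser-inserted scripts created by already-trusted code.
        return (not load.parser_inserted) and load.trusted_creator
    if load.src is None:
        # 'unsafe-inline' is ignored once a nonce or hash source is present.
        return policy.unsafe_inline and not policy.nonces and not policy.hashes
    return host_matches(policy, load.src, page_origin)


if __name__ == "__main__":
    policy = parse_script_src("script-src 'nonce-r4nd0m' 'strict-dynamic' https://cdn.example.com")
    loader_child = ScriptLoad(src="https://attacker.example/payload.js", parser_inserted=False, trusted_creator=True)
    print("allowlisted CDN, no nonce:", allows(policy, ScriptLoad(src="https://cdn.example.com/a.js"), "https://app.example"))
    print("child of a trusted loader:", allows(policy, loader_child, "https://app.example"))
```

The second printed line is the whole story: under 'strict-dynamic' the allowlisted CDN is refused, while an arbitrary host is accepted as long as the request was created by a script that already held trust. The defence is therefore to keep loaders and other script-creating libraries out of the nonced set on pages with an HTML injection surface, and to audit what every nonced script is able to load.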
The Hacker News
added 2018/05/09 1:01 p.m., 66 views

Microsoft Adds Support for JavaScript in Excel—What Could Possibly Go Wrong?

Shortly after Microsoft announced support for custom JavaScript functions in Excel, someone demonstrated what could possibly go wrong if this feature is abused for malicious purposes. As promised last year at Microsoft's Ignite 2017 conference, the company has now brought custom JavaScript...

AI score 7.5
Exploits: 0
Kaspersky
added 2018/05/08 12:00 a.m., 238 views

KLA11248 Multiple vulnerabilities in Microsoft Developer Tools

Multiple vulnerabilities were found in Microsoft Developer Tools. Malicious users can exploit these vulnerabilities to spoof the user interface, bypass security restrictions, and cause denial of service. Below is a complete list of vulnerabilities: 1. A spoofing vulnerability in Azure IoT SDK can be...

CVSS 7.8, AI score 7.5, EPSS 0.0991
Exploits: 0, References: 31
ThreatPost
added 2018/05/07 5:14 p.m., 8 views

Asylo Open-Source Framework Tackles TEEs for Cloud

Asylo, an open-source framework and software development kit (SDK) for creating applications that run in trusted execution environments (TEEs), has launched to tackle the complexity involved in running a confidential computing platform for workloads in the cloud and virtual environments. TEEs provide...

AI score 1.5
Exploits: 0, References: 1
Android Security Bulletins
added 2018/05/07 12:00 a.m., 74 views

Android Security Bulletin—May 2018

The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2018-05-05 or later address all of these issues. To learn how to check a device's security patch level, see Check & update your Android version. Android partners are...

CVSS 9.3, AI score 8.7, EPSS 0.88482
Exploits: 8
Hacker One
added 2018/04/24 12:08 a.m., 15 views

ExpressionEngine: XML Member Processing - Local File Inclusion Vulnerability

@lawrenceamer discovered a local file inclusion vulnerability that logged-in users with access to the control panel and permission to access developer utilities may be able to exploit. @lawrenceamer gave a detailed report with step-by-step instructions for replicating and screen captures of the...

AI score 2
Exploits: 0
Hacker One
added 2018/04/23 12:33 p.m., 22 views

ExpressionEngine: Import File Converter - Local File Inclusion

@lawrenceamer discovered a local file inclusion vulnerability that logged-in users with access to the control panel and permission to access developer utilities may be able to exploit. @lawrenceamer gave a detailed report with step-by-step instructions for replicating and screen captures of the...

AI score 2.4
Exploits: 0
OSV
added 2018/04/18 4:29 p.m., 14 views

CVE-2016-2169

Cloud Foundry Cloud Controller, capi-release versions prior to 1.0.0 and cf-release versions prior to v237, contain a business logic flaw. An application developer may create an application with a route that conflicts with a platform service route and receive traffic intended for the service...

CVSS 5.3, AI score 5.5
Exploits: 0, References: 1
RedhatCVE
added 2018/04/18 9:21 a.m., 22 views

CVE-2018-6111

An object lifetime issue in the developer tools network handler in Google Chrome prior to 66.0.3359.117 allowed a local attacker to execute arbitrary code via a crafted HTML page...

CVSS 8.8, AI score 3.8, EPSS 0.00682
Exploits: 0, References: 2
Japan Vulnerability Notes
added 2018/04/10 12:00 a.m., 44 views

JVN#77753476: Hatena Bookmark App for iOS contains an address bar spoofing vulnerability

Hatena Bookmark App for iOS provided by Hatena Co., Ltd. contains a vulnerability where the address bar displays a different URL than the URL that is being accessed. Impact: This vulnerability could be leveraged to forge the contents of the address bar for conducting phishing attacks. Solution...

CVSS 6.5, AI score 6, EPSS 0.00243
Exploits: 0
Kaspersky
added 2018/04/10 12:00 a.m., 130 views

KLA11226 OSI vulnerability in Microsoft Developer Tools

An information disclosure vulnerability was found in Microsoft Developer Tools. Malicious users can exploit this vulnerability to obtain sensitive information. Original advisories: CVE-2018-1037. Related products: Microsoft-Visual-Studio. CVE list: CVE-2018-1037 (warning). KB list: 4089501 4087371 4091346...

CVSS 4.3, AI score 4.7, EPSS 0.09465
Exploits: 0, References: 7