
7435 matches found

Japan Vulnerability Notes
added 2018/07/17 12:0 a.m. | 538 views

JVN#70246549: WordPress plugin "FV Flowplayer Video Player" vulnerable to cross-site scripting

The WordPress plugin "FV Flowplayer Video Player" provided by Foliovision contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the plugin Update the plugin according to the information provided by the developer...

CVSS 6.1 | AI score 6 | EPSS 0.01044
Exploits 0
Japan Vulnerability Notes
added 2018/07/13 12:0 a.m. | 524 views

JVN#55813866: Explzh vulnerable to directory traversal

Explzh is a file compression/extraction software supporting multiple file formats. Explzh contains a directory traversal vulnerability CWE-22. Explzh is not vulnerable to relative path traversal but to absolute path traversal. Therefore, an attacker may create new files or overwrite existing file...

CVSS 7.8 | AI score 7.7 | EPSS 0.01951
Exploits 0
BDU FSTEC
added 2018/07/12 12:0 a.m. | 5 views

The vulnerability in the implementation of the style editor for the Developer Tools component of the Mozilla Firefox browser allows a perpetrator to gain unauthorized access to protected information.

The vulnerability of the Style Editor implementation in Mozilla Firefox’s Developer Tools relates to the possibility of routing traffic through Service Workers. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized access to protected information...

CVSS 5.3 | AI score 7.7 | EPSS 0.01288
Exploits 0 | References 9 | Affected Software 3
BDU FSTEC
added 2018/07/12 12:0 a.m. | 4 views

The vulnerability of Mozilla Firefox’s toolbars allows a hacker to gain unauthorized access to protected information.

The vulnerability of Mozilla Firefox’s developer tools is related to the use of files and directories accessible from external parties. Exploiting this vulnerability can allow an attacker to gain unauthorized access to protected information...

CVSS 7.5 | AI score 7.7 | EPSS 0.02012
Exploits 0 | References 9 | Affected Software 3
ThreatPost
added 2018/07/09 7:29 p.m. | 13 views

How to Solve the Developer vs. Cybersecurity Team Battle

There is an ongoing tension between developers and security teams in many organizations. On one hand, developers face mounting pressure to build rich, feature-driven applications on nearly impossible timelines to remain competitive. On the other hand, security teams face rising pressures of their...

AI score 7.3
Exploits 0
seebug.org
added 2018/07/09 12:0 a.m. | 43 views

Bugged Smart Contract FuturXE: How Could Someone Mess up with Boolean? (CVE-2018–12025)

Recently SECBIT team found a serious bug about the if condition in a deployed ERC20 smart contract called FuturXE FXE and here is the bugged part: //Function for transer the coin from one address to another function transferFromaddress from, address to, uint value returns bool success //checking...

AI score 1.7 | EPSS 0.01606
Exploits 1
The Hacker News
added 2018/07/05 10:28 a.m. | 82 views

Password-Guessing Was Used to Hack Gentoo Linux Github Account

Maintainers of the Gentoo Linux distribution have now revealed the impact and "root cause" of the attack that saw unknown hackers taking control of its GitHub account last week and modifying the content of its repositories and pages. The hackers not only managed to change the content in compromis...

AI score 0.2
Exploits 0
IBM Security Bulletins
added 2018/07/02 4:49 p.m. | 16 views

Security Bulletin: IBM API Connect Developer Portal is vulnerable to potential denial of service

Summary IBM API Connect has addressed the following vulnerability. IBM API Connect is vulnerable to a denial of service, caused by a lack of rate limiting in the TCP listener application. By sending a TCP SYN flood, a remote attacker could exploit this vulnerability to exhaust CPU and memory...

AI score 1.1
Exploits 0 | Affected Software 1
NVD
added 2018/06/26 4:29 p.m. | 10 views

CVE-2018-1000521

BigTree-CMS contains a Cross Site Scripting XSS vulnerability in /users/create that can result in The low-privileged users can use this vulnerability to attack high-privilegedDeveloper users.. This attack appear to be exploitable via no. This vulnerability appears to have been fixed in after comm...

CVSS 6.1 | AI score 6.1 | EPSS 0.00865
Exploits 1 | References 1
IBM Security Bulletins
added 2018/06/23 2:50 a.m. | 42 views

Security Bulletin: Multiple vulnerabilities in Ubuntu affect IBM API Connect Developer Portal

Summary IBM API Connect Developer Portal has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2018-1126 DESCRIPTION: procps-ng procps is vulnerable to a buffer overflow, caused by improper bounds checking. By sending a specially crafted request, a remote attacker could...

CVSS 9.8 | AI score 1.4 | EPSS 0.17249
Exploits 14 | Affected Software 1
ThreatPost
added 2018/06/22 7:9 p.m. | 12 views

Malicious App Infects 60,000 Android Devices – But Still Saves Their Batteries

UPDATE A battery-saving app that also allows attackers to snatch text messages and read sensitive log data has been downloaded by more than 60,000 Android devices so far. But what’s unique about the attack, according to the researchers at RiskIQ who discovered it, is that it holds true to its...

AI score 7
Exploits 0 | References 2
The Hacker News
added 2018/06/20 5:41 p.m. | 601 views

Google Developer Discovers a Critical Bug in Modern Web Browsers

Google researcher has discovered a severe vulnerability in modern web browsers that could have allowed websites you visit to steal the sensitive content of your online accounts from other websites that you have logged-in the same browser. Discovered by Jake Archibald, developer advocate for Googl...

AI score 6.7
Exploits 0
IBM Security Bulletins
added 2018/06/18 1:24 a.m. | 20 views

Security Bulletin: IBM Platform Symphony (CVE-2013-5400)

Summary This bulletin relates to a potential elevation of privilege vulnerability when IBM Platform Symphony Developer Edition is installed in a networked environment. Vulnerability Details CVE ID: CVE-2013-5400 DESCRIPTION: IBM Platform Symphony Developer Edition installation includes a servlet...

CVSS 10 | AI score 0.4 | EPSS 0.02288
Exploits 0 | Affected Software 2
IBM Security Bulletins
added 2018/06/17 1:7 p.m. | 17 views

Security Bulletin: Weakness in generated service credentials affects multiple Watson Developer Cloud services (CVE-2016-0391)

Summary A weakness in generated service credentials that affects multiple Watson Developer Cloud offered through IBM Bluemix has been identified and fixed. Replacement of previously generated credentials is recommended. Vulnerability Details CVEID: CVE-2016-0391 DESCRIPTION: Multiple Watson...

CVSS 9.8 | AI score 0.5 | EPSS 0.01348
Exploits 0 | Affected Software 1
IBM Security Bulletins
added 2018/06/17 5:14 a.m. | 27 views

Security Bulletin: Buffer overflow in V8

Summary Under certain conditions, V8 may improperly expand memory allocations in the Zone::New function. This could potentially be used to cause a Denial of Service via buffer overflow or as a trigger for a remote code execution. Vulnerability Details CVEID: CVE-2016-1669 DESCRIPTION: Google Chro...

CVSS 9.3 | AI score 3.4 | EPSS 0.04168
Exploits 0 | Affected Software 1
IBM Security Bulletins
added 2018/06/17 5:13 a.m. | 28 views

Security Bulletin: Multiple OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software

Summary Multiple OpenSSL vulnerabilities in Node.js were found on May 3, 2016. Vulnerability Details CVEID: CVE-2016-2107 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error when the connection uses an AES CBC cipher and the server support AES-NI...

CVSS 7.5 | AI score 0.9 | EPSS 0.89058
Exploits 6 | Affected Software 1
IBM Security Bulletins
added 2018/06/17 5:13 a.m. | 33 views

Security Bulletin: node-uuid unsafe fallback to Math.random (CVE-2015-8851)

Summary A vulnerability in the node-uuid module causes the module to fallback on math.random under certain circumstances, which leads to predictable UUIDs. The node-uuid module is used by the Node.js Package Manager npm. Vulnerability Details CVEID: CVE-2015-8851 DESCRIPTION: node.js node-uuid...

CVSS 7.5 | AI score 1.1 | EPSS 0.02257
Exploits 0 | Affected Software 1
IBM Security Bulletins
added 2018/06/17 5:13 a.m. | 23 views

Security Bulletin: Two ReDoS vulnerabilities in modules included in the Node.js npm tool

Summary Two ReDoS vulnerabilities in modules included in the Node.js npm tool shipped by IBM Rational Application Developer for WebSphere Software. Vulnerability Details CVEID: CVE-2016-2515 DESCRIPTION: Node.JS hawk is vulnerable to a denial of service, caused by an error in the regular expressi...

CVSS 7.8 | AI score 0.3 | EPSS 0.0337
Exploits 0 | Affected Software 1
IBM Security Bulletins
added 2018/06/17 5:13 a.m. | 23 views

Security Bulletin: Multiple vulnerabilities in the IBM Java SDK affects IBM Rational Application Developer for WebSphere Software (CVE-2016-0363, CVE-2016-0376)

Summary There are multiple vulnerabilities in IBM® SDKs Java™ Technology Edition, Versions 7 and 8 that is used by IBM Rational Application Developer for WebSphere Software. These issues were disclosed as part of the IBM Java SDK updates in April 2016. Vulnerability Details CVEID: CVE-2016-0363...

CVSS 8.1 | AI score 1.1 | EPSS 0.05695
Exploits 0 | Affected Software 1
IBM Security Bulletins
added 2018/06/17 5:12 a.m. | 17 views

Security Bulletin: Node.js Package Manager (npm) Bearer Token Vulnerability affects IBM Rational Application Developer for WebSphere Software (CVE-2016-3956)

Summary A vulnerability in the Node Package Manager's use of HTTP bearer tokens affects IBM SDK for Node.js. Vulnerability Details CVEID: CVE-2016-3956 DESCRIPTION: npm could allow a remote attacker to obtain sensitive information, caused by the unintentional leakage of bearer tokens from the...

CVSS 7.5 | AI score 0.6 | EPSS 0.06748
Exploits 0 | Affected Software 1