Lucene search

1530 matches found

The Hacker News
added 2022/03/24 7:12 a.m., 34 views

Over 200 Malicious NPM Packages Caught Targeting Azure Developers

A new large scale supply chain attack has been observed targeting Azure developers with no less than 218 malicious NPM packages with the goal of stealing personal identifiable information. "After manually inspecting some of these packages, it became apparent that this was a targeted attack agains...

0.1 AI score
Exploits: 0
UbuntuCve
added 2022/03/09 12:0 a.m., 23 views

CVE-2022-0843

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerabilit...

8.8 CVSS, 7.3 AI score, 0.00328 EPSS
Exploits: 0, References: 4
CNVD
added 2022/03/01 12:0 a.m., 13 views

PaquitoSoftware Notimoo Cross-Site Scripting Vulnerability

Notimoo is a method for web developers to display notifications to users. PaquitoSoftware Notimoo suffers from a cross-site scripting vulnerability that can be exploited by attackers to execute arbitrary web script or HTML via a carefully crafted header or message in a notification...

6.1 CVSS, 3.8 AI score, 0.00305 EPSS
Exploits: 1, References: 1
0day.today
added 2022/02/28 12:0 a.m., 307 views

Axis IP Camera Shell Upload Exploit

This Metasploit module exploits the "Apps" feature in Axis IP cameras. The feature allows third party developers to upload and execute eap applications on the device. The system does not validate the application comes from a trusted source, so a malicious attacker can upload and execute arbitrary...

8.1 AI score
Exploits: 0
Information Security Automation
added 2022/02/18 5:0 p.m., 67 views

VMconf 22: Blindspots in the Knowledge Bases of Vulnerability Scanners

Hello everyone! This video was recorded for the VMconf22 Vulnerability Management conference. I want to talk about the blind spots in the knowledge bases of Vulnerability Scanners and Vulnerability Management products. This report was presented in Russian at Tenable Security Day 2022. The video i...

5 CVSS, 7.6 AI score, 0.18716 EPSS
Exploits: 29
Penetration Testing Lab
added 2022/02/14 11:46 a.m., 20 views

Persistence – Notepad++ Plugins

It is not uncommon for a Windows environment, especially dedicated servers which are managed by developers or IT staff, to have the Notepad++ text editor installed.…

4.6 AI score
Exploits: 0
CNVD
added 2022/02/10 12:0 a.m., 18 views

Victor CMS users.php SQL Injection Vulnerability

Victor CMS is an open source content management system from the individual developer Victor Alagwu in Nigeria. Victor CMS has a SQL injection vulnerability in v1.0, which stems from the lack of validation of externally entered SQL statements in database-based applications. An attacker could...

7.5 CVSS, 6.8 AI score, 0.00264 EPSS
Exploits: 1, References: 1
OSV
added 2022/02/09 11:7 p.m., 17 views

GHSA-8786-WG74-F522 Improper Control of Dynamically-Managed Code Resources in Crafter CMS Crafter Studio

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker template exposed objects. This issue affects: Crafter Software Crafter CMS 3.0 versions prior to 3.0.27; 3.1 versions prior t...

7.2 CVSS, 7.1 AI score, 0.00655 EPSS
Exploits: 1, References: 2
Github Security Blog
added 2022/02/09 11:7 p.m., 29 views

Improper Control of Dynamically-Managed Code Resources in Crafter CMS Crafter Studio

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via FreeMarker template exposed objects. This issue affects: Crafter Software Crafter CMS 3.0 versions prior to 3.0.27; 3.1 versions prior t...

9 CVSS, 7.1 AI score, 0.00655 EPSS
Exploits: 1, References: 3, Affected Software: 1
The Hacker News
added 2022/02/08 3:37 a.m., 62 views

Microsoft Temporarily Disables MSIX App Installers to Prevent Malware Abuse

Microsoft last week announced that it's temporarily disabling the MSIX ms-appinstaller protocol handler in Windows following evidence that a security vulnerability in the installer component was exploited by threat actors to deliver malware such as Emotet, TrickBot, and Bazaloader. MSIX, based on...

7.1 CVSS, 7.7 AI score, 0.25241 EPSS
Exploits: 1
Akamai Blog
added 2022/01/31 2:0 p.m., 19 views

What’s New for Developers: January 2022

Hello, and welcome to our very first Developer Community update of 2022. In this new monthly series, we’ll share highlights of what is happening across the Akamai Developer Community. Since this is the first blog we’re posting, we will also catch up on news from October 2021 through today...

7 AI score
Exploits: 0
NVD
added 2022/01/25 4:15 p.m., 11 views

CVE-2021-46087

In jfinalcms = 5.1 0, there is a storage XSS vulnerability in the background system of CMS. Because developers do not filter the parameters submitted by the user input form, any user with background permission can affect the system security by entering malicious code...

5.4 CVSS, 0.00191 EPSS
Exploits: 1, References: 1
CNVD
added 2022/01/25 12:0 a.m., 17 views

Online Banking System SQL Injection Vulnerability

g33kyrash Online Banking System is an online banking system developed by g33kyrash individual developers using PHP and MySQL. g33kyrash Online Banking System is vulnerable to a SQL injection vulnerability, which stems from the fact that Online Banking System v1.0 was found to contain a SQL...

9.8 CVSS, 2.7 AI score, 0.00245 EPSS
Exploits: 1, References: 1
Fedora
added 2022/01/23 1:7 a.m., 24 views

[SECURITY] Fedora 34 Update: prosody-0.11.12-1.fc34

Prosody is a flexible communications server for Jabber/XMPP written in Lua. It aims to be easy to use, and light on resources. For developers it aims to be easy to extend and give a flexible system on which to rapidly develop added functionality, or prototype new protocols...

7.5 CVSS, 2.7 AI score, 0.00411 EPSS
Exploits: 1
UbuntuCve
added 2022/01/13 12:0 a.m., 33 views

CVE-2022-22752

Mozilla developers Christian Holler and Jason Kratzer reported memory safety bugs present in Firefox 95. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox...

8.8 CVSS, 7.3 AI score, 0.00328 EPSS
Exploits: 0, References: 3
GithubExploit
added 2022/01/08 6:45 a.m., 1177 views

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

vuln4japi A vulnerable Java based REST API for demonstrating C...

10 CVSS, 9.2 AI score, 0.94358 EPSS
Exploits: 343
OSV
added 2022/01/03 12:0 a.m., 10 views

MAL-2022-7431 Malicious code in bootstrap-feature (npm)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx 3db5e43a78e41f050b0e265c951bc776e693abd20a01108e6c8ea2e15a5e7c4d Malicious packages campaign since 2021 targeting developers, steals source code and secrets...

7.4 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2021/12/27 12:0 a.m., 4 views

Malicious code in cxp-jquery (npm)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx b0e4725a2db5433915386ce19dadd7812b0f44e9afcb7c48d855797cf7a78537 Malicious packages campaign since 2021 targeting developers, steals source code and secrets...

7.2 AI score
Exploits: 0, References: 1
OSSF Malicious Packages
added 2021/12/27 12:0 a.m., 3 views

Malicious code in lib-bb-html-sanitizer (npm)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx 74072bddc9908e0147976fde0680c197ac5b38167bfcdf14afc5f79f23749f72 Malicious packages campaign since 2021 targeting developers, steals source code and secrets...

7.2 AI score
Exploits: 0, References: 1
OSV
added 2021/12/27 12:0 a.m., 5 views

MAL-2021-1 Malicious code in cxp-jquery (npm)

--- -= Per source details. Do not edit below this line.=- Source: checkmarx b0e4725a2db5433915386ce19dadd7812b0f44e9afcb7c48d855797cf7a78537 Malicious packages campaign since 2021 targeting developers, steals source code and secrets...

7.4 AI score
Exploits: 0, References: 1