The Hidden Harm of Silent Patches

Hey all. I'm about to head off to RSAC 2022, but I wanted to jot down some thoughts I've had lately on a particularly squirrelly issue that comes up occasionally in coordinated vulnerability disclosure CVD — the issue of silent patches, and how they tend to help focused attackers and harm IT...

YODA Tool Found ~47,000 Malicious WordPress Plugins Installed in Over 24,000 Sites

As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues. The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and trac...

GHSA-62G2-M955-V383 Improper Input Validation in Apache Spark

Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up to and including master. This server will accept connections from external hosts by default. A...

Android 13 Tries to Make Privacy and Security a No-Brainer

With its latest mobile OS update, Google aims to simplify the adoption of Android’s protective features for users and developers alike...

NewStart CGSL CORE 5.05 / MAIN 5.05 : firefox Multiple Vulnerabilities (NS-SA-2022-0029)

The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has firefox packages installed that are affected by multiple vulnerabilities: - Further techniques that built on the slipstream research combined with a malicious webpage could have exposed both an internal network's hosts as...

Google's New Safety Section Shows What Data Android Apps Collect About Users

Google on Tuesday officially began rolling out a new "Data safety" section for Android apps on the Play Store to highlight the type of data being collected and shared with third-parties. "Users want to know for what purpose their data is being collected and whether the developer is sharing user...

Why Linode+Akamai Is Transformational for How Developers Use the Cloud

Just three weeks have gone by since Akamai officially welcomed Linode into our fold, and I’m encouraged by the excitement that so many have expressed about the combination of our two companies since we announced the acquisition in February. In conversations with us, industry analysts use the word...

Mozilla: Memory safety bugs fixed in Firefox 99 and Firefox ESR 91.8

The Mozilla Foundation Security Advisory describes this flaw as: Mozilla developers and community members Nika Layzell, Andrew McCreight, Gabriele Svelto, and the Mozilla Fuzzing Team reported memory safety bugs present in Firefox 98 and Firefox ESR 91.7. Some of these bugs showed evidence of...

JVN#59576930: Zero-channel BBS Plus vulnerable to cross-site scripting

Zero-channel BBS Plus by Zero-Channel BBS Plus Developers is a bulletin board CGI script. Zero-channel BBS Plus contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the web browser of the user who is accessing the management screen of the product,...

[SECURITY] Fedora 36 Update: libwebp-1.2.2-4.fc36

WebP is an image format that does lossy compression of digital photographic images. WebP consists of a codec based on VP8, and a container based on RIFF. Webmasters, web developers and browser developers can use WebP to compress, archive and distribute digital images more efficiently...

What’s New for Developers: March 2022

We have some excellent highlights this month. We’re excited to announce new videos, useful articles, an event recap, and much more...

Anti-war open-source software developer targets Russians and Belarussians with “protestware”

Russia is in the midst of its fourth week of attack against Ukraine. People worldwide have been increasingly and passionately showing support for Ukrainians since day one while condemning the atrocities of Russian President Vladimir Putin, the Russian military, and Belarus, its allied country...

Microsoft Azure Developers Awash in PII-Stealing npm Packages

Researchers have found hundreds of malicious packages in the npm repository of open-source JavaScript code, designed to steal personally identifiable information PII in a large-scale typosquatting attack against Microsoft Azure cloud users. That’s according to the JFrog Security Research team,...

Over 200 Malicious NPM Packages Caught Targeting Azure Developers

A new large scale supply chain attack has been observed targeting Azure developers with no less than 218 malicious NPM packages with the goal of stealing personal identifiable information. "After manually inspecting some of these packages, it became apparent that this was a targeted attack agains...

CVE-2022-0843

Mozilla developers Kershaw Chang, Ryan VanderMeulen, and Randell Jesup reported memory safety bugs present in Firefox 97. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerabilit...

PaquitoSoftware Notimoo Cross-Site Scripting Vulnerability

Notimoo is a method for web developers to display notifications to users. PaquitoSoftware Notimoo suffers from a cross-site scripting vulnerability that can be exploited by attackers to execute arbitrary web script or HTML via a carefully crafted header or message in a notification...

Axis IP Camera Shell Upload Exploit

This Metasploit module exploits the "Apps" feature in Axis IP cameras. The feature allows third party developers to upload and execute eap applications on the device. The system does not validate the application comes from a trusted source, so a malicious attacker can upload and execute arbitrary...

VMconf 22: Blindspots in the Knowledge Bases of Vulnerability Scanners

Hello everyone! This video was recorded for the VMconf22 Vulnerability Management conference. I want to talk about the blind spots in the knowledge bases of Vulnerability Scanners and Vulnerability Management products. This report was presented in Russian at Tenable Security Day 2022. The video i...

Persistence – Notepad++ Plugins

It is not uncommon a windows environment especially dedicated servers which are managed by developers or IT staff to have installed the Notepad++ text editor.… Continue reading - Persistence - Notepad++ Plugins...

Victor CMS users.php SQL注入漏洞

Victor CMS is an open source content management system from the individual developers of Victor Alagwu in Nigeria. victor CMS has a SQL injection vulnerability in v1.0, which stems from the lack of validation of externally entered SQL statements in database-based applications. An attacker could...