Biden Signs New Cybersecurity Order

President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US governments procurement power to improve cybersecurity practices industry-wide. Some details: The core of the executive order is an array of mandates for protecting government networks...

Vite 安全漏洞

Vite is a new front-end builder tool open-sourced by Vite. A security vulnerability exists in Vite that stems from default CORS settings and a lack of validation of the Origin header of a WebSocket connection, which allows any website to send any request to the development server and read the...

The vulnerability of the Microsoft .NET software platform and the Microsoft Visual Studio development tools is related to buffer overflows in dynamic memory, allowing an attacker to execute arbitrary code.

The vulnerability of the Microsoft .NET software platform and the Microsoft Visual Studio development environment is related to buffer overflows in dynamic memory. Exploiting this vulnerability can allow a remote attacker to execute arbitrary code...

AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC provider

Impact Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow, https://github.com/aws/aws-cdk/blob/d16482fc8a4a3e1f62751f481b770c09034df7d2/packages/%40aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.tsL34...

CVE-2025-23206 IAM OIDC custom resource allows connection to unauthorized OIDC provider in aws-cdk

The AWS Cloud Development Kit AWS CDK is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow...

CVE-2025-23206 IAM OIDC custom resource allows connection to unauthorized OIDC provider in aws-cdk

The AWS Cloud Development Kit AWS CDK is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. Users who use IAM OIDC custom resource provider package will download CA Thumbprints as part of the custom resource workflow...

CVE-2025-23206

The CVE-2025-23206 issue affects AWS CDK (IAM OIDC custom resource workflow). The tls.connect call sets rejectUnauthorized: false, enabling potential MITM risk when downloading CA thumbprints. A patch is in progress; remediation guidance in the connected docs recommends upgrading to CDK v2.177.0 ...

PT-2025-4846

Name of the Vulnerable Software and Affected Versions AWS Cloud Development Kit AWS CDK versions prior to 2.177.0 Description The issue concerns the AWS Cloud Development Kit's AWS CDK handling of IAM OIDC custom resource provider packages. Specifically, the tls.connect method sets...

Microsoft Visual Studio Elevation of Privilege Vulnerability

Microsoft Visual Studio is a family of development tool suites from Microsoft, and a largely complete set of development tools that includes most of the tools needed throughout the software lifecycle. A security vulnerability exists in Microsoft Visual Studio. An attacker can exploit the...

AWS Cloud Development Kit 数据伪造问题漏洞

AWS Cloud Development Kit is an open source software development framework open sourced by Amazon Web Services for defining cloud infrastructure in code and configuring it via AWS CloudFormation. A data forgery vulnerability exists in AWS Cloud Development Kit, which stems from the fact that it...

BigAntSoft BigAnt office messenger SQL Injection Vulnerability

BigAntSoft BigAnt office messenger is a server/client instant messaging program for enterprise environments from BigAntSoft Australia. A SQL injection vulnerability exists in BigAntSoft BigAnt office messenger. The vulnerability can be exploited to conduct a SQL injection attack via the "devcode"...

The vulnerability of the integrated environment for managing the development lifecycle of IBM Jazz Foundation lies in its lack of access control for personal information, allowing attackers to disclose protected information.

The vulnerability of the integrated environment for managing the development lifecycle of IBM Jazz Foundation is related to deficiencies in restricting access to personal information. Exploiting this vulnerability could allow attackers to disclose protected information...

The vulnerability of the Microsoft .NET software platform and the Microsoft Visual Studio development tools lies in the creation of a temporary file in a directory with incorrect permissions, allowing an attacker to escalate their privileges.

The vulnerability of the Microsoft .NET software platform and the Microsoft Visual Studio development tools is related to the creation of a temporary file in the directory with incorrect permissions. Exploiting this vulnerability can allow an attacker to increase their privileges...

The vulnerability of the Microsoft .NET software platform and the Microsoft Visual Studio development tools is related to buffer overflows in dynamic memory, allowing an attacker to execute arbitrary code.

The vulnerability of the Microsoft .NET software platform and the Microsoft Visual Studio development environment is related to buffer overflows in dynamic memory. Exploiting this vulnerability can allow a remote attacker to execute arbitrary code...

Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message

!IMPORTANT This vulnerability only affects sites which are in the "dev" environment mode. If your production website is in "dev" mode, it has been misconfigured, and you should immediately swap it to "live" mode. See https://docs.silverstripe.org/en/developerguides/debugging/environmenttypes/ for...

Cross-site Scripting (XSS)

Overview silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the error message display mechanism. An attacker can inject malicious scripts that are executed in the user's browser by...

CVE-2024-48858 Vulnerabilities in TIFF and PCX Image Codecs Impact QNX Software Development Platform

Improper input validation in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec...

CVE-2024-48857 Vulnerabilities in TIFF and PCX Image Codecs Impact QNX Software Development Platform

NULL pointer dereference in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec...

CVE-2024-48857

The CVE-2024-48857 entry describes a NULL pointer dereference in the PCX image codec of QNX SDP (Blackberry) affecting versions 8.0, 7.1 and 7.0. The underlying issue is triggered during image codec handling, allowing an unauthenticated attacker to cause a denial-of-service condition in the conte...

CVE-2024-48857 Vulnerabilities in TIFF and PCX Image Codecs Impact QNX Software Development Platform

NULL pointer dereference in the PCX image codec in QNX SDP versions 8.0, 7.1 and 7.0 could allow an unauthenticated attacker to cause a denial-of-service condition in the context of the process using the image codec...