GO-2024-3234 Mattermost Server vulnerable to application crash from attacker-generated large response in github.com/mattermost/mattermost-server
DEBIAN-CVE-2024-7883
When using Arm Cortex-M Security Extensions (CMSE), Secure stack contents can be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that returns a floating-point value and when this is the first use of floating-point since entering Secure state...
PT-2024-38657
Name of the Vulnerable Software and Affected Versions: Arm Cortex-M Security Extensions (CMSE), affected versions not specified. Description: The issue allows Secure stack contents to be leaked to Non-secure state via floating-point registers when a Secure to Non-secure function call is made that retur...
Mattermost Server vulnerable to application crash from attacker-generated large response
Mattermost versions 9.10.x <= 9.10.2, 9.11.x <= 9.11.1 and 9.5.x <= 9.5.9 fail to prevent detailed error messages from being displayed in Playbooks, which allows an attacker to generate a large response and cause an amplified GraphQL response, which in turn could cause the application to crash by...
Cisco Secure Firewall Management Center Software HTML Injection Vulnerability
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to inject arbitrary HTML content into a device-generated document. This vulnerability is due ...
CVE-2024-46707
...
Exploit for Code Injection in Ispconfig
CVE-2023-46818 exploit. This is a Python version of the origin...
A (Beta) Audio Roundup of September’s WordPress Vulnerabilities
For those of you who want to stay abreast of the newest vulnerabilities in the WP ecosystem but like to multitask, here's an audio roundup of the vulnerabilities we published in the month of September. This is something new I'm trying. The conversation is AI generated by Google's NotebookLM...
A week in security (September 16 – September 22)
Last week on Malwarebytes Labs: "Simply staggering" surveillance conducted by social media and streaming services, FTC finds Tor anonymity compromised by law enforcement. Is it still safe to use? Walmart customers scammed via fake shopping lists, threatened with arrest Snapchat wants to put your...
Snapchat wants to put your AI-generated face in its ads
Snapchat is reserving the right to use your selfie images to power Cameos, Generative AI, and other experiences on Snapchat, including ads, according to our friends at 404 Media. The Snapchat Support page about its My Selfie feature says: “You’ll take selfies with your Snap camera or select image...
Cross-Site Scripting (XSS)
MindsDB is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to the lack of proper sanitization or validation of user-generated content within the MindsDB platform. It allows an attacker to execute arbitrary JavaScript code in a user's browser by injecting it into the web UI throug...
CGA-RM26-RMF3-QJQC
Bulletin has no description...
Man Faces 20 Years in Prison for First-Ever AI Music Streaming Scam
A North Carolina man has been arrested in the first criminal case involving AI-generated music streaming fraud. Accused...
Freelinking - Moderately critical - Information Disclosure - SA-CONTRIB-2024-034
This module enables you to configure a wiki-like input filter that allows users to create links to site and external content. The module doesn't sufficiently check if a user has access to some URLs before rendering them as links. This vulnerability is mitigated by the fact that an attacker must...
PT-2024-37323 · WordPress · Sign-Up Sheets
Name of the Vulnerable Software and Affected Versions: Sign-up Sheets WordPress plugin versions prior to 2.2.13. Description: The issue is related to Reflected Cross-Site Scripting. It occurs because the plugin does not properly escape some generated URLs and the $_SERVER['REQUEST_URI'] parameter...
CVE-2024-43788 DOM Clobbering Gadget found in Webpack's AutoPublicPathRuntimeModule that leads to Cross-site Scripting (XSS)
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s...
New Research in Detecting AI-Generated Videos
The latest in what will be a continuing arms race between creating and detecting videos: The new tool the research project is unleashing on deepfakes, called "MISLnet", evolved from years of data derived from detecting fake images and video with tools that spot changes made to digital video or...
PT-2024-40827 · Oracle · Java
Name of the Vulnerable Software and Affected Versions: Java, affected versions not specified. Description: A security exception crash has been reported. The crash involves the com.github.javaparser.GeneratedJavaParser.Expression and java.base/java.lang.StringUTF16.compress functions, as well as the...
Hackers Claim to Have Leaked 1.1 TB of Disney Slack Messages
A hacker group called “NullBulge” says it stole more than a terabyte of Disney’s internal Slack messages and files from nearly 10,000 channels in an apparent protest over AI-generated art...
U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation
The U.S. Department of Justice (DoJ) said it seized two internet domains and searched nearly 1,000 social media accounts that Russian threat actors allegedly used to covertly spread pro-Kremlin disinformation in the country and abroad on a large scale. "The social media bot farm used elements of AI...