
536 matches found

RubySec
added 2024/03/12 12:00 a.m., 17 views

StimulusReflex arbitrary method call

Summary More methods than expected can be called on reflex instances. Being able to call some of them has security implications. Details To invoke a reflex a websocket message of the following shape is sent: json "target": "classnamemethodname", "args": The server will proceed to instantiate refl...

CVSS 8.8, AI score 7, EPSS 0.01455
Exploits 3, References 1, Affected Software 1
Imperva Blog
added 2024/02/20 1:30 p.m., 13 views

The New York Times vs. OpenAI: A Turning Point for Web Scraping?

In a recent blog, we covered the blurry lines of legality surrounding web scraping and how the advent of artificial intelligence (AI) and large language models (LLMs) further complicates the matter. Shortly after publishing the blog, a significant legal development began unfolding: The New York Times...

AI score 6.7
Exploits 0
Wiz blog
added 2024/02/06 5:19 p.m., 16 views

New EKS Access Management and Pod Identity features: a security analysis

The Wiz research team unpacks the security implications of the new EKS access and identity management features and recommends best practices when using them...

AI score 7.4
Exploits 0
Wallarm Lab
added 2024/02/05 11:45 a.m., 16 views

How to comply with GDPR requirements

Understanding the Basics of GDPR Compliance Within the sphere of cybersecurity, significant strides were made as the European Union (EU) introduced an innovative legislative tool called the General Data Protection Regulation (GDPR), unveiled on May 25, 2018. This regulation highlights the EU's unifie...

AI score 7.2
Exploits 0
Hacker One
added 2024/02/02 9:26 a.m., 31 views

curl: cookie is sent on redirect

Vulnerability description not provided...

AI score 7.1
Exploits 0
GithubExploit
added 2024/01/02 8:41 a.m., 291 views

Exploit for Cross-site Scripting in Phpgurukul Hospital_Management_System

CVE-2023-7173: Stored Cross-Site Scripting (XSS) in Hospital M...

CVSS 7.5, AI score 5.5, EPSS 0.11421
Exploits 4
Schneier on Security
added 2023/12/29 12:3 p.m., 18 views

AI Is Scarily Good at Guessing the Location of Random Photos

Wow: To test PIGEON's performance, I gave it five personal photos from a trip I took across America years ago, none of which have been published online. Some photos were snapped in cities, but a few were taken in places nowhere near roads or other easily recognizable landmarks. That didn't seem to...

AI score 7.3
Exploits 0
Microsoft Secure
added 2023/12/19 5:00 p.m., 17 views

How Strata Identity and Microsoft Entra ID solve identity challenges in mergers and acquisitions

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA. Along with every merger and acquisition between two companies comes the need to combine and strengthen their IT infrastructure. In particular, there is an immediate and profound impa...

AI score 7.3
Exploits 0
Github Security Blog
added 2023/12/15 3:46 a.m., 15 views

Full Table Permissions by Default

Default table permissions in SurrealDB were FULL instead of NONE. This would lead to tables having FULL permissions for SELECT, CREATE, UPDATE and DELETE unless some other permissions were specified via the PERMISSIONS clause. We have decided to treat this behaviour as a vulnerability due to its...

AI score 7.7
Exploits 0, References 2, Affected Software 1
Imperva Blog
added 2023/12/14 4:20 p.m., 30 views

CVE-2023-22524: RCE Vulnerability in Atlassian Companion for macOS

TL;DR This blog unveils a remote code execution vulnerability, identified as CVE-2023-22524, in Atlassian Companion for macOS, which has recently been patched. This critical vulnerability stemmed from an ability to bypass both the app's blocklist and macOS Gatekeeper, potentially allowing the...

CVSS 6.8, AI score 7.9, EPSS 0.32018
Exploits 2
Code423n4
added 2023/12/08 12:00 a.m., 20 views

Insecure and Inflexible Forwarder Approval Mechanism (Full Access Grant)

Lines of code Vulnerability details Impact The current implementation of the onlyApprovedForwarder modifier in the Ocean smart contract has several negative impacts: 1. Security Risk: Users are exposed to a significant security risk if their forwarder is compromised. An attacker can exploit full...

AI score 7.1
Exploits 0
Imperva Blog
added 2023/12/07 1:45 p.m., 15 views

Is Web Scraping Illegal? Depends on Who You Ask

Web scraping has existed for a long time, and depending on who you ask, it can be loved or hated. But where is the line drawn between extracting data for legitimate business purposes and malicious data extraction that hurts business? The bar is getting blurrier by the day, and the introduction of...

AI score 6.7
Exploits 0
NVD
added 2023/11/28 8:15 p.m., 18 views

CVE-2023-30590

The generateKeys API function returned from crypto.createDiffieHellman only generates missing or outdated keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey. However, the...

CVSS 7.5, EPSS 0.00954
Exploits 0, References 4
UbuntuCve
added 2023/11/28 8:15 p.m., 26 views

CVE-2023-30590

The generateKeys API function returned from crypto.createDiffieHellman only generates missing or outdated keys, that is, it only generates a private key if none has been set yet, but the function is also needed to compute the corresponding public key after calling setPrivateKey. However, the...

CVSS 7.5, AI score 6.7, EPSS 0.00954
Exploits 0, References 3
The Coalfire Blog
added 2023/11/07 7:21 p.m., 28 views

Navigating the AI security landscape: From executive orders to cyber resilience

Explore the implications of the US Executive Order, discover the challenges and solutions in AI development, and learn how Coalfire's tailored approach ensures robust AI risk management...

AI score 7.3
Exploits 0
Malwarebytes
added 2023/09/28 4:00 a.m., 16 views

Google’s Bard conversations turn up in search results

Google is coming under scrutiny after people discovered transcripts of conversations with its AI chatbot Bard are being indexed in Google search results. Bard is Google's answer to ChatGPT, and allows users to have conversations with an AI. Services like these have attracted a lot of attention,...

AI score 6.8
Exploits 0
Schneier on Security
added 2023/09/15 11:15 a.m., 18 views

On Technologies for Automatic Facial Recognition

Interesting article on technologies that will automatically identify people: With technology like that on Mr. Leyvand's head, Facebook could prevent users from ever forgetting a colleague's name, give a reminder at a cocktail party that an acquaintance had kids to ask about or help find someone at ...

AI score 6.8
Exploits 0
Code423n4
added 2023/09/11 12:00 a.m., 13 views

Unchecked return value of low level call()/delegatecall()

Lines of code Vulnerability details The vulnerability related to an "Unchecked return value of low-level call/delegatecall" is a common and critical issue in Ethereum smart contracts. Let's break down this vulnerability and discuss its implications: 1. Low-Level Calls in Solidity: In Solidity,...

AI score 7.5
Exploits 0
Code423n4
added 2023/08/28 12:00 a.m., 10 views

Swapping lacks deadline check

Lines of code Vulnerability details Impact There is no deadline when swapping tokens using EvolvingProteus. Swaps that are done through low gas transactions may be stuck in the mempool for a long time, resulting in unfavourable swap. Proof of Concept Evolving prometeus seems like an upgrade to...

AI score 6.7
Exploits 0
The Hacker News
added 2023/08/25 10:47 a.m., 33 views

Navigating Legacy Infrastructure: A CISO's Actionable Strategy for Success

Every company has some level of tech debt. Unless you're a brand new start-up, you most likely have a patchwork of solutions that have been implemented throughout the years, often under various leadership teams with different priorities and goals. As those technologies age, they can leave your...

AI score 6.9
Exploits 0