Event-Driven Architectures & the Security Implications

This article explores event-driven architecture EDA with a detailed definition and explains how EDA offers many essential benefits to developers. It concludes with an outline of some best practices for mitigating security concerns...

Is it Illegal to Scrape a Website for Content?

Web scraping is the process of using bots to extract information from a website. In recent years, the debate over web scraping is growing more complex as business intelligence and data privacy issues arise. The practice of web scraping has gone on for nearly as long as there have been websites. T...

Who Has Control: The SaaS App Admin Paradox

Imagine this: a company-wide lockout to the company CRM, like Salesforce, because the organization's external admin attempts to disable MFA for themselves. They don't think to consult with the security team and don't consider the security implications, only the ease which they need for their team...

“Orwellian in the extreme” food store installs facial recognition cameras to stop crime, faces backlash

A convenience shop chain is under fire and facing legal charges for installing cameras with facial recognition software in 35 of its branches across the UK. The cameras analyze and convert video face captures into biometric data. The data is compared with a database of people who have committed...

CVE-2019-25071

A vulnerability was found in Apple iPhone up to 12.4.1. It has been declared as critical. Affected by this vulnerability is Siri. Playing an audio or video file might be able to initiate Siri on the same device which makes it possible to execute commands remotely. Exploit details have been...

MantisBT XSS in manage_custom_field_update.php

An issue was discovered in MantisBT through 2.24.3. In the helperensureconfirmed call in managecustomfieldupdate.php, the custom field name is not sanitized. This may be problematic depending on CSP settings...

ICE Is a Domestic Surveillance Agency

Georgetown has a new report on the highly secretive bulk surveillance activities of ICE in the US: When you think about government surveillance in the United States, you likely think of the National Security Agency or the FBI. You might even think of a powerful police agency, such as the New York...

What Generation Z can teach us about cybersecurity

Girl Security National Security Fellows Program fellow Amulya, a 17-year-old interested in countering online disinformation, said she feels her sense of personal privacy has been largely nonexistent “growing up in a media-saturated world.” She believes her sense of privacy was stolen by a...

From Pet Systems to Cattle Farm — What Happened to the Data Center?

There's something about craftsmanship. It's personal, its artistry, and it can be incredibly effective in achieving its goals. On the other hand, mass-market production can be effective in other ways, through speed, efficiency, and cost savings. The story of data centers is one of going from...

Cross-site Scripting (XSS) - Stored in livehelperchat/livehelperchat

Description The Mobile Options settings does not sanitise and escape the $mboptions'fcmkey' parameter lead to stored XSS Proof of Concept Go to Mobile settings, fill XSS payload into FCM Key field kind of: somekey" Impact XSS can have huge implications for a web application and its users. User...

Threat Intelligence on Log4j CVE: Key Findings and Their Implications

Continuing with our research into CVE-2021-44228, Akamai has previously written about what the vulnerability is and given recommendations on how to go beyond patching for extra protection. Across the Akamai network, we see traffic from 1.3 billion unique devices daily, with record traffic of 182...

Fixed in Apache Tomcat 8.5.72

Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...

CVE-2021-21705

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filtervar function with FILTERVALIDATEURL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and...

CVE-2021-21705 Incorrect URL validation in FILTER_VALIDATE_URL

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filtervar function with FILTERVALIDATEURL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and...

CVE-2021-21705

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filtervar function with FILTERVALIDATEURL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and...

Security implications of misconfigurations

By Jaeson Schultz. When defenders regularly monitor their organization's Domain Name System DNS queries, they can often snuff out potential attacks before they happen. At the very least, it's important to identify and fix configuration mistakes that could lead to nasty security breaches. ... This...

CVE-2021-21705

In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via filtervar function with FILTERVALIDATEURL parameter, an URL with invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and...

Millions of Connected Cameras Open to Eavesdropping

Millions of connected security and home cameras contain a critical software vulnerability that can allow remote attackers to tap into video feeds, according to a warning from the Cybersecurity and Infrastructure Security Agency CISA. The bug CVE-2021-32934, with a CVSS v3 base score of 9.1 has be...

klibc input validation error vulnerability (CNVD-2021-54000)

klibc is an application program. Provides the ability to work from kernel space as early as possible. klibc versions prior to 2.0.9 are vulnerable to an input validation error, which stems from multiple possible integer overflows in the cpio command on 32-bit systems that could lead to buffer...

The U.S. EO on Ransomware: What Does it Mean? – Part 2

The White House is urging companies to do more to stem the tide of ransomware attacks now that they are starting to impact critical infrastructure and supply chains. It is a good start, but what will be the implication of this to U.S. businesses?...