83 matches found
Mssing Crucial Checks When Unlocking funds for Withdraw Requests from L2
Lines of code Vulnerability details Impact Atomicity literally does not exist when users from L2 initiate a withdrawal by burning funds on the contract and sending the message to L1. This is giving malicious attackers plenty of time to stealthily launch a series of small and yet sizable forgery o...
Code injection
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify...
CVE-2022-3255 Cross-site Scripting (XSS) - Reflected in pimcore/pimcore
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify...
Ruby on Rails: ActionView sanitize helper bypass leading to XSS using SVG tag.
An HTML sanitization bypass vulnerability was discovered in the ActionView sanitize helper. This allowed an attacker to bypass sanitization and execute cross-site scripting XSS attacks by using the use tag of the SVG element. By embedding a base64 encoded SVG with malicious code, an attacker coul...
Summer of exploitation leads to healthcare under fire
May 2021 was a tough month for the Healthcare and Medical sector-the most notable threat trend at the time was the heavy use of a new popular exploit against Dell systems, leading to immense effort by attackers to utilize the exploit before it became less effective due to patching. During this...
Privilege Escalation
linux-gcp:focal is vulnerable to privilege escalation. The vulnerability exists in afllc.c which allows an attacker to craft and inject malicious attacks...
Five Eyes Nations Warn of Russian Cyber Attacks Against Critical Infrastructure
The Five Eyes nations have released a joint cybersecurity advisory warning of increased malicious attacks from Russian state-sponsored actors and criminal groups targeting critical infrastructure organizations amidst the ongoing military siege on Ukraine. "Evolving intelligence indicates that the...
4 Bad Bots Likely to Cause Problems for the Remainder of 2022
A short primer on internet bots An Internet bot bot, for short is a software application that runs automated tasks over the internet. Bots typically run simple tasks which they can perform at a dramatically greater rate than any human. Beneficial or anodyne bots are characterized as legitimate, o...
U.S. Cybersecurity Agency Publishes List of Free Security Tools and Services
The U.S. Cybersecurity and Infrastructure Security Agency CISA on Friday published a repository of free tools and services to enable organizations to mitigate, detect, and respond effectively to malicious attacks and further improve their security posture. The "Free Cybersecurity Services and...
Tarian - Antivirus for Kubernetes
We want to maintain this as an open-source project to fight against the attacks on our favorite Kubernetes ecosystem. By continuous contribution, we can fight threats together as a community. Protect your Applications running on Kubernetes from malicious attacks by pre-registering your source cod...
Affirm: Subdomain takeover due to non registered TLD [ ██████████.█████.██████.com ]
Summary: I was looking at recent disclosed report 1297689 and I was thinking to take a look for the same issue on this asset as I love to test for subdomain takeover vulnerabilities. While testing I noticed a DNS entry for ███████.████.██████████.com is CNAME ████.███████████ which's TLD is not...
How to Reduce Exchange Server Downtime in Case of a Disaster?
Exchange Server downtime may occur at any point in time due to several reasons, such as malware attack, server crash, database corruption, and hardware or software-related issues/incompatibility. However, downtime can impact productivity and lead to data loss that can have severe implications on...
What is Web API Security❓ — Methods of Protection
What is Web API Security❓ — Methods of Protection Before stressing what web API security is, it is important to first explain what APIs are. What are APIs? Fully known as Application Programming Interface , API is a software middle person that allows your applications to talk with one another. It...
CVE-2021-21327
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to...
CVE-2021-21327
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to...
Design/Logic Flaw
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to...
CVE-2021-21327 Unsafe Reflection in getItemForItemtype()
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to...
GLPI 9.5.3 - (fromtype) Unsafe Reflection Vulnerability
Exploit Title: GLPI 9.5.3 - 'fromtype' Unsafe Reflection Exploit Author: Vadym Soroka @Iterasec https://iterasec.com Vendor Homepage: https://glpi-project.org Software Link: https://github.com/glpi-project/glpi/releases Version: =9.5.3 Tested on:v9.5.3, 2021-02-13 Technical advisories:...
GLPI 9.5.3 - 'fromtype' Unsafe Reflection
Exploit Title: GLPI 9.5.3 - 'fromtype' Unsafe Reflection Date: 2021-02-13 Exploit Author: Vadym Soroka @Iterasec https://iterasec.com Vendor Homepage: https://glpi-project.org Software Link: https://github.com/glpi-project/glpi/releases Version: =9.5.3 Tested on:v9.5.3, 2021-02-13 Technical...
Other vulnerabilities exist in Ethermint
Due to the inconsistency between the storage cache cycle and the transaction processing cycle, storage changes caused by failed transactions are improperly retained in memory. Although dirty storage data is discarded at the EndBlock stage, it is still valid in the current block, which can lead to...