Mozilla: document.domain-based origin isolation has same-origin-property violation

A flaw was found in Mozilla's firefox and thunderbird where if two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This could cause an interaction between two...

Security update for openconnect (moderate)

openSUSE Security Update: Security update for openconnect Announcement ID: openSUSE-SU-2019:2385-1 Rating: moderate References: 1151178 Cross-References: CVE-2019-16239 Affected Products: openSUSE Leap 15.1 An update that fixes one vulnerability is now available. Description: This update for...

Mozilla: document.domain-based origin isolation has same-origin-property violation

A flaw was found in Mozilla's firefox and thunderbird where if two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This could cause an interaction between two...

Information Disclosure

mozilla firefox is vulnerable to information disclosure. When two same-origin documents set document.domain differently to become a cross-origin, it is possible to call arbitrary DOM methods/getters/setters on the now-cross-origin window...

CVE-2019-11762

If two same-origin documents set document.domain differently to become cross-origin, it was possible for them to call arbitrary DOM methods/getters/setters on the now-cross-origin window. This vulnerability affects Firefox 70, Thunderbird 68.2, and Firefox ESR 68.2...

python-twisted: Improper neutralization of CRLF characters in URIs and HTTP methods

In Twisted before 19.2.1, twisted.web did not validate or sanitize URIs or HTTP methods, allowing an attacker to inject invalid characters such as CRLF...

Cisco Unity Connection Web Framework Cross-Site Scripting Vulnerability

A vulnerability in the web framework of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a cross-site scripting XSS attack against the user of the web interface of an affected system. The vulnerability is due to insufficient input validation of certain parameters...

Definitive Dossier of Devilish Debug Details – Part Deux: A Didactic Deep Dive into Data Driven Deductions

In Part One of this blog series, Steve Miller outlined what PDB paths are, how they appear in malware, how we use them to detect malicious files, and how we sometimes use them to make associations about groups and actors. As Steve continued his research into PDB paths, we became interested in...

A Comprehensive Guide On How to Protect Your Websites From Hackers

Humankind had come a long way from the time when the Internet became mainstream. What started as a research project ARPANET Advanced Research Projects Agency Network funded by DARPA has grown exponentially and has single-handedly revolutionized human behavior. When WWW world wide web came into...

Sliced Invoices <= 3.8.2 - Multiple Vulnerabilities

- Unauthenticated information disclosure, allowing attackers to access arbitrary invoices and quotes containing PII - Authenticated SQL injection and information disclosure - Additional issues, such as lack of CSRF and Authorisation checks on AJAX methods used to search invoices. -...

Eaphammer v1.9.0 - Targeted Evil Twin Attacks Against WPA2-Enterprise Networks

by Gabriel Ryan s0lst1c3gryanatspecterops.io EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks. It is designed to be used in full scope wireless assessments and red team engagements. As such, focus is placed on providing an easy-to-use interface tha...

A Deepfake Deep Dive into the Murky World of Digital Imitation

About a year ago, top deepfake artist Hao Li came to a disturbing realization: Deepfakes, i.e. the technique of human-image synthesis based on artificial intelligence AI to create fake content, is rapidly evolving. In fact, Li believes that in as soon as six months, deepfake videos will be...

Deserialization of untrusted data

An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the doaction function to invoke certain popmake or pum methods, as demonstrated by controlling content and delivery of popmake-system-info.txt aka the...

Security update for chromium (important)

openSUSE Security Update: Security update for chromium Announcement ID: openSUSE-SU-2019:2312-1 Rating: important References: 1146219 1153660 Cross-References: CVE-2019-13693 CVE-2019-13694 CVE-2019-13695 CVE-2019-13696 CVE-2019-13697 Affected Products: openSUSE Leap 15.1 An update that fixes 5...

GHSA-PWFW-MGFJ-7G3G ecdsa Denial of Service vulnerability in signature verification and signature malleability

possible DoS in signature verification and signature malleability Impact Code using VerifyingKey.verify and VerifyingKey.verifydigest may receive exceptions other than the documented BadSignatureError when signatures are malformed. If those other exceptions are not caught, they may lead to progra...

CVE-2007-5197

Buffer overflow in the Mono.Math.BigInteger class in Mono 1.2.5.1 and earlier allows context-dependent attackers to execute arbitrary code via unspecified vectors related to Reduce in Montgomery-based Pow methods...

CVE-2019-15272

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition SME could allow an unauthenticated, remote attacker to bypass security restrictions. The vulnerability is due to improper handling of malformed HT...

CVE-2019-15272

CVE-2019-15272 affects Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition (SME). The root cause is improper handling of malformed HTTP methods in the web-based interface, allowing an unauthenticated, remote attacker to bypass security restrict...

CVE-2019-15272 Cisco Unified Communications Manager Security Bypass Vulnerability

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition SME could allow an unauthenticated, remote attacker to bypass security restrictions. The vulnerability is due to improper handling of malformed HT...

CVE-2019-15272 Cisco Unified Communications Manager Security Bypass Vulnerability

A vulnerability in the web-based interface of Cisco Unified Communications Manager and Cisco Unified Communications Manager Session Management Edition SME could allow an unauthenticated, remote attacker to bypass security restrictions. The vulnerability is due to improper handling of malformed HT...