Cross site scripting (CVE-2021-40541)
PHPFusion 9.03.110 is affected by cross-site scripting (XSS) in the preg patterns filter html tag without "//" in descript function. An authenticated user can trigger XSS by appending "//" in the end of text...
Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server bundled with IBM WebSphere Application Server Patterns
Summary WebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. Information about a security vulnerability affecting WebSphere Application Server has been published in multiple security bulletins. Vulnerability Details Refer to the security bulletins...
Tips & Tricks for Unmasking Ghoulish API Behavior
I was analyzing one of my customer’s API traffic the other day and I noticed something odd about the devices that were using the mobile application API. I found standard browsers like Firefox and Chrome hitting API endpoints that should only be touched by their mobile-application communication. I...
PYSEC-2021-356
nltk is vulnerable to Inefficient Regular Expression Complexity...
CVE-2021-34705
A vulnerability in the Voice Telephony Service Provider (VTSP) service of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass configured destination patterns and dial arbitrary numbers. This vulnerability is due to insufficient validation of dial...
Inefficient Regular Expression Complexity in chalk/ansi-regex
ansi-regex is vulnerable to Inefficient Regular Expression Complexity, which could lead to a denial of service when parsing invalid ANSI escape codes. Proof of Concept (js): import ansiRegex from 'ansi-regex'; for (var i = 1; i <= 50000; i++) { var time = Date.now(); var attack_str = "\u001B" + ";".repeat(i*10000)...
PT-2021-5798 · Unknown +7 · Ansi-Regex +7
Name of the Vulnerable Software and Affected Versions: ansi-regex (affected versions not specified). Description: The issue is related to Inefficient Regular Expression Complexity, which could lead to a denial of service when parsing invalid ANSI escape codes. This can be exploited by a remote...
Announcing the Launch of the Azure SSRF Security Research Challenge
Microsoft is excited to announce the launch of a new, three-month security research challenge under the Azure Security Lab initiative. The Azure Server-Side Request Forgery (SSRF) Research Challenge invites security researchers to discover and share high impact SSRF vulnerabilities in Microsoft...
Jsleak - A Go Code To Detect Leaks In JS Files Via Regex Patterns
jsleak is a tool to identify sensitive data in JS files through regex patterns. Although it's built for this, you can use it to identify anything as long as you have a regex pattern for it. How to install. Directly: <your package manager> install pkg-config libpcre++-dev; go get...
How profiling employee working hours helps to detect security incidents
At the TimeMachine company there are two special old friends Bob and Alice. Bob, as a team manager, usually has a very busy schedule filled with meetings all day long. You can even find him working late into the night trying to catch up on email he received during the day. Alice on the other hand...
Introducing the Manual Regex Editor in IDR’s Parsing Tool: Part 1
New to writing regular expressions? No problem. In this two-part blog series, we’ll cover the basics of regular expressions and how to write regular expression statements regex to extract fields from your logs while using the custom parsing tool. Like learning any new language, getting started ca...
SUSE: Security Advisory (SUSE-SU-2021:1497-1)
The remote host is missing an update for the package(s) announced via the SUSE-SU-2021:1497-1 advisory. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders...
Security Bulletin: WebSphere Application Server Java Batch shipped with IBM WebSphere Application Server Patterns is vulnerable to an XML External Entity Injection (XXE) vulnerability (CVE-2021-20492)
Summary WebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. Information about security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed i...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server April 2021 CPU that is bundled with IBM WebSphere Application Server Patterns
Summary There are multiple vulnerabilities in the IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the IBM Java SDK updates in April 2021. Vulnerability Details CVEID: CVE-2021-2161 DESCRIPTION: An unspecified vulnerability in...
Shining a light on dark patterns with Carey Parker: Lock and Code S02E09
This week on Lock and Code, we speak to cybersecurity advocate and author Carey Parker about "dark patterns," which are subtle tricks online to get you to make choices that might actually harm you. Dark patterns have been around for years, and the tricks they're based on are even older. Ever bough...
perl: corruption of intermediate language state of compiled regular expression due to integer overflow leads to DoS
Perl before 5.30.3 has an integer overflow related to mishandling of a "PL_regkind[OP(n)] == NOTHING" situation. A crafted regular expression could lead to malformed bytecode with a possibility of instruction injection...
Denial Of Service (DoS)
matrix-synapse is vulnerable to denial of service. An attacker is able to exploit the vulnerability by injecting certain event_match patterns that will lead the system to crash...
[SECURITY] Fedora 33 Update: python-yara-4.1.0-1.fc33
Python binding for the YARA pattern matching tool. YARA is a tool aimed at but not limited to helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families or whatever you want to describe based on textual or binary patterns. Each...
[SECURITY] Fedora 33 Update: yara-4.1.0-1.fc33
YARA is a tool aimed at but not limited to helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families or whatever you want to describe based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strin...