458 matches found
Weblate: CSP "script-src" includes "unsafe-inline" in weblate.org and demo.weblate.org
Weblate is using 'unsafe-inline' in its script-src CSP headers, which allows the use of inline resources such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements. POC: HTTP/1.1 200 OK Server: nginx Date: Tue, 23 May 2017 10:49:15 GMT Content-Type: text/html; charset=utf-8...
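To make the finding above checkable, here is an added example (not code from the report or from the Weblate project) that parses a Content-Security-Policy header and reports the script-src weaknesses a reviewer would flag. The two headers it audits are constructed for this example: the weak one is modelled on the finding (script-src with 'unsafe-inline'), the hardened one uses a nonce instead; neither is the actual header served by weblate.org, which the snippet truncates.

```python
"""Audit a Content-Security-Policy header for script-src weaknesses.

Example code written for this page. WEAK_CSP and HARDENED_CSP are
constructed inputs, not headers captured from any real site.
"""
from __future__ import annotations

# Keyword sources are quoted and compared case-insensitively.
UNSAFE_INLINE = "'unsafe-inline'"
UNSAFE_EVAL = "'unsafe-eval'"
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")

MSG_NO_POLICY = "no script-src or default-src: inline and remote scripts are unrestricted"
MSG_INLINE = "'unsafe-inline' allows inline <script> elements, javascript: URLs and inline event handlers"
MSG_INLINE_LEGACY = "'unsafe-inline' is present but ignored by CSP2+ browsers because a nonce or hash source is also present"
MSG_EVAL = "'unsafe-eval' allows eval() and new Function()"
MSG_WILDCARD = "wildcard or bare scheme source allows scripts from any host"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive name: [source expressions]}.

    Directives are ';'-separated; the first occurrence of a directive wins,
    matching browser behaviour for duplicated directives.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str]:
    """script-src governs scripts; if it is absent, browsers fall back to default-src."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def audit_script_src(header: str) -> list[str]:
    """Return a list of human-readable findings for the script policy in `header`."""
    sources = [s.lower() for s in effective_script_sources(parse_csp(header))]
    if not sources:
        return [MSG_NO_POLICY]

    findings: list[str] = []
    has_nonce_or_hash = any(
        s.startswith("'nonce-") or s.startswith(HASH_PREFIXES) for s in sources
    )
    if UNSAFE_INLINE in sources:
        # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline';
        # it only serves as a fallback for CSP1-only clients.
        findings.append(MSG_INLINE_LEGACY if has_nonce_or_hash else MSG_INLINE)
    if UNSAFE_EVAL in sources:
        findings.append(MSG_EVAL)
    if any(s in ("*", "http:", "https:") for s in sources):
        findings.append(MSG_WILDCARD)
    return findings


# Constructed sample headers (not captured from weblate.org).
WEAK_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.example.com; "
    "style-src 'self' 'unsafe-inline'"
)
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-r4nd0mBase64'; "
    "object-src 'none'; base-uri 'self'"
)

if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {audit_script_src(header) or ['no script-src findings']}")
```

The nonce in the hardened header is a placeholder; a real deployment must generate a fresh, unpredictable nonce per response and attach it to every legitimate inline <script>. Note the legacy case: keeping 'unsafe-inline' alongside a nonce is a recognised pattern for old browsers, and the audit reports it separately rather than treating it as the same severity as the bare keyword.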
Information Disclosure in the Management Web Interface
A vulnerability exists in the Management Web Interface of PAN-OS, that could allow for Information Disclosure. The Management Web Interface does not properly validate certain permissions which could allow for Information Disclosure. Ref PAN-70541 / CVE-2017-7644 Successfully exploiting this issue...
Information Disclosure in the Management Web Interface
A vulnerability exists in the Management Web Interface that could allow for Information Disclosure. The Management Web Interface does not properly validate specific request parameters which can potentially allow for Information Disclosure. Ref PAN-70434 / CVE-2017-7216 Successfully exploiting thi...
Local Privilege Escalation in the Management Web Interface
A vulnerability exists in the Management Web Interface that could allow for local privilege escalation. The Management Web Interface does not properly validate specific request parameters which can potentially allow executing code with higher privileges. Ref PAN-70426 / CVE-2017-7218 Successfully...
Tampering of temporary export files in the Management Web Interface
A vulnerability exists in the Management Web Interface that could allow an attacker to tamper with export files. The Management Web Interface does not properly validate specific request parameters which can potentially allow arbitrary data to be written to export files. Ref PAN-70436 /...
Phabricator: An unsafe design practice in the Passphrase may result in Secret being accidentally changed.
Summary: An unsafe design practice in Passphrase may result in a Secret being accidentally changed. Preface: If users want to share their secrets, they may use Passphrase. But once they have created the credential and set who can view it and who can edit it, they will soon discover...
70+ Cyber Security Micro-Courses and Certifications To Boost Your IT Career
With the evolving hacking events around us, cyber-security skills are in high demand across all organizations and industries, because a shortage of skilled cyber security practitioners could leave an organization vulnerable to cyber attacks. But knowledge alone is not sufficient, 'certification a...
Information Disclosure in the Management Web Interface
A vulnerability exists in the Management Web Interface that could result in Information Disclosure. Ref PAN-70428 / CVE-2017-5583 PAN-OS contains a post-authentication vulnerability that may allow for Information Disclosure. Successful exploitation allows an attacker to download arbitrary files...
Update Rollup 3 for Windows Server 2012 Essentials
Update Rollup 3 for Windows Server 2012 Essentials Introduction This article lists the issues that are fixed in Update Rollup 3 for Windows Server 2012 Essentials. Important This update rollup contains server-side fixes. After you apply this update rollup, the client-side package is installed...
Doctor Virtual Practice - Customized SSL, Dangerous filesystem permissions, GPL license vulnerabilities
The HackApp vulnerability scanner discovered that the application Doctor Virtual Practice, published on the 'play' market, has multiple vulnerabilities...
IBM Opens Attack Simulation Test Center
CAMBRIDGE, Ma. – IBM cut the ribbon on its new global security headquarters Wednesday that will also serve as command center for its just announced X-Force Incident Response and Intelligence Services. The centerpiece of the new 153,000-sqft facility is the company’s Cyber Range which IBM bills as...
Pushwoosh: Spoof Email with Hyperlink Injection via Invites functionality
Email Spoofing via hyperlink injection. Design Issue, Missing Best Practice, Low severity...
CompTIA Information Disclosure
I signed up for a CompTIA account with a fake name for privacy reasons. Later on, I wanted to update my name in my CompTIA account because I was planning to take their Security+ certification. The problem is that I cannot update my name directly from the profile menu; it told me to create a support ticket...
Germany Orders Facebook to Stop Collecting Data on WhatsApp Users
A German privacy regulator issued an order this week prohibiting Facebook from collecting user data on German WhatsApp users, calling the company’s actions misleading and in violation of the nation’s data protection law. The move comes a few weeks after a recent WhatsApp policy change that said t...
How to back up deduplicated volumes with Veeam Endpoint Backup
This article describes the best practice of backing up deduplicated volumes...
August 2016 security update release
Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month’s security updates and advisories can be found in the Security...
July 2016 security update release
Today we released security updates to provide additional protections against malicious attackers. As a best practice, we encourage customers to apply security updates as soon as they are released. More information about this month’s security updates and advisories can be found in the Security...
Malicious Pokémon Go Features Backdoor, RAT
Researchers are warning would-be Pokémon Trainers that a malicious, backdoored version of the massively popular game Pokémon Go could be making the rounds soon. An APK (Android application package) file of the game has been rigged with a remote access tool (RAT) called Droidjack that, if installed,...
Gratipay: don't leak Server version for assets.gratipay.com
Hi, I found that the server version is being disclosed in the response header on this URL: https://assets.gratipay.com . This is low risk, but you can consider it a best practice because it is important to keep server versions secret. See similar reports here: 141125. Feel free to close this as...