CVE-2023-6868
In some instances, the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. This could allow empty messages to be sent from unauthorized parties. This bug only affects Firefox on Android. This vulnerability affects Firefox 121...
Security Vulnerabilities fixed in Firefox 121 — Mozilla
The WebGL DrawElementsInstanced method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. This issue could allow an attacker to perform remote code execution and sandbox escape. Multiple NSS NIST curves were susceptible to a side-channel attack known as...
A week in security (December 11 – December 17)
Last week on Malwarebytes Labs: PikaBot distributed via malicious search ads; Chrome starts the countdown to the end of tracking cookies; Apple to introduce new feature that makes life harder for iPhone thieves; Recently-patched Apache Struts vulnerability used in worldwide attacks; ALPHV ransomware...
Apple now requires a judge’s order to hand over your push notification data
Last week, we reported on how US government agencies have been asking Apple and Google for metadata related to push notifications, but the companies aren't allowed to tell users about it happening. The content of the notifications is diverse. It ranges from a weather app warning you about rain to ...
FreeBSD : Gitlab -- vulnerabilities (e2fb85ce-9a3c-11ee-af26-001b217b3468)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the e2fb85ce-9a3c-11ee-af26-001b217b3468 advisory. - Gitlab reports: Smartcard authentication allows impersonation of arbitrary user using user's...
Gitlab -- vulnerabilities
Gitlab reports: Smartcard authentication allows impersonation of arbitrary user using user's public certificate; When subgroup is allowed to merge or push to protected branches, subgroup members with the Developer role may gain the ability to push or merge; The GitLab web interface does not ensure...
Spying through Push Notifications
When you get a push notification on your Apple or Google phone, those notifications go through Apple and Google servers, which means that those companies can spy on them, either for their own reasons or in response to government demands. Sen. Wyden is trying to get to the bottom of this: In a...
Array is push()ed but not pop()ed, and is iterated over
Lines of code: 96, 485, 485, 485, 485, 485, 485, 485, 485, 485, 485. https://github.com/Tapioca-DAO/ta...
CVE-2023-5620
The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks...
Cross-site scripting
The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks...
CVE-2023-5620 Webpushr < 4.35.0 - Unauthenticated Stored XSS
The Web Push Notifications WordPress plugin before 4.35.0 does not prevent visitors on the site from changing some of the plugin options, some of which may be used to conduct Stored XSS attacks...
CVE-2023-5620
CVE-2023-5620 concerns Web Push Notifications (Webpushr) for WordPress, pre-4.35.0. The vulnerability is an unauthenticated Stored XSS due to insufficient protection when visitors can alter plugin settings, enabling an attacker to inject scripts via settings like price_drop_icon. The Red Hat/patc...
WordPress plugin Web Push Notifications security vulnerability
WordPress and the WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language, which supports personal blogs on PHP and MySQL servers. WordPress plugin is an...
How to stop fake System notifications on macOS
Scammers are abusing an Apple feature that allows websites to create push notifications that look like they're coming from macOS or from apps. The notifications try to scare users into clicking a link with fake virus alerts or messages saying their account has been hacked. Years ago we warned our...
Automattic: Timeline API returns private post when target of a push notification
The Timeline API was able to return private posts when the target of a push notification, even though the user did not have access to the post...
Scattered Spider ransomware gang falls under government agency scrutiny
As you may have read in our November Ransomware Review, Scattered Spider is a relatively new, albeit dangerous, ransomware gang who made headlines in September for attacking MGM Resorts and Caesars Entertainment. For small security teams, one of the most important findings about the group is their...
CVE-2023-35041
Cross-Site Request Forgery (CSRF) vulnerability leading to Local File Inclusion (LFI) in Webpushr Web Push Notifications Web Push Notifications – Webpushr plugin <= 4.34.0 versions...
Cross-site request forgery (CSRF)
Cross-Site Request Forgery (CSRF) vulnerability leading to Local File Inclusion (LFI) in Webpushr Web Push Notifications Web Push Notifications – Webpushr plugin <= 4.34.0 versions...