EUVD-2024-34217

Malicious code in bioql PyPI...

ABB M2M Gateway Abitrary Code Execution in embedded Git (CVE-2023-25652)

Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to git apply --reject, a path outside the working tree can be overwritten with partially controlled contents...

CVE-2019-13066

Sahi Pro 8.0.0 has a script manager arena located at s/dyn/pro/DBReports with many different areas that are vulnerable to reflected XSS, by updating a script's Script Name, Suite Name, Base URL, Android, iOS, Scripts Run, Origin Machine, or Comment field. The sql parameter can be used to trigger...

Amazon Linux 2023 : python3.12-pip, python3.12-pip-wheel (ALAS2023-2025-957)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-957 advisory. Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the...

CVE-2025-1042

An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way...

U.S. Dept Of Defense: Blind Sql Injection in https://████

A SQL injection vulnerability was discovered in the User-Agent parameter of the website "https://██████████/". The vulnerability allowed an attacker to inject SQL commands through the User-Agent HTTP header...

U.S. Dept Of Defense: Path traversal leads to reading of local files on ███████ and ████

A directory traversal vulnerability was discovered in the downloadForm endpoint of a web application, allowing an attacker to read files on the system by adding "../" to the filename parameter. This could potentially lead to the disclosure of sensitive information or system compromise. The...

Securing Port 443: The Gateway To A New Universe

At Wordfence our business is to secure over 4 million WordPress websites and keep them secure. My background is in network operations, and then I transitioned into software development because my ops role was at a scale where I found myself writing a lot of code. This led me to founding startups,...

WordPress Download Manager 3.2.42 Cross Site Scripting Vulnerability

Description: Reflected Cross-Site Scripting Affected Plugin: Download Manager Plugin Slug: download-manager Plugin Developer: codename065 Affected Versions: = 3.2.42 CVE ID: CVE-2022-1985 CVSS Score: 6.1 Medium CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Researcher/s: Rafie Muhammad...

The Importance of Defining Secure Code

The developers who create the software, applications and programs that drive digital business have become the lifeblood of many organizations. Most modern businesses would not be able to profitably function, without competitive applications and programs, or without 24-hour access to their website...

Poorly Configured Apache Airflow Instances Leak Credentials for Popular Services

Cybersecurity researchers on Monday discovered misconfigurations across older versions of Apache Airflow instances belonging to a number of high-profile companies across various sectors, resulting in the exposure of sensitive credentials for popular platforms and services such as Amazon Web...

AMD RESPONSE TO “I see dead µops: leaking secrets via Intel/AMD micro-op caches” RESEARCH PAPER

Bulletin ID: AMD-SB-1006 Summary AMD has reviewed the research paper and believes existing mitigations were not being bypassed and no new mitigations are required. AMD recommends its existing side-channel mitigation guidance and standard secure coding practices be followed. CVE Details None...

SQLInjectionWiki

This is a comprehensive wiki on SQL injection, a type of web application security vulnerability. The wiki is maintained by NetSPI and is available in both English and Chinese versions. The wiki covers various aspects of SQL injection, including detection, exploitation, and mitigation. The wiki...

Barracuda and Microsoft: Securing applications in public cloud

This blog post is part of the Microsoft Intelligence Security Association guest blog series. To learn more about MISA, go here. Barracuda Cloud Application Protection CAP platform features integrations with Microsoft Azure Active Directory Azure AD and Azure Security Center. A component of CAP,...

Measuring the Security of IoT Devices

In August, CyberITL completed a large-scale survey of software security practices in the IoT environment, by looking at the compiled software. Data Collected: 22 Vendors 1,294 Products 4,956 Firmware versions 3,333,411 Binaries analyzed Date range of data: 2003-03-24 to 2019-01-24 varies by vendo...

What Does PCI 3.0 Mean to Security Practitioners?

Cybercrime, identity theft, and frauds are on the rise; and in most cases, the data breaches are associated with credit cards and cardholder data. The impact of data breach not only affects your organization, but also your customers. A common observation cites that organizations that are PCI...

[OWASP Bricks] Modular Deliberately Vulnerable Web Application

Bricks is a deliberately vulnerable web application built on PHP and MySQL. The project focuses on variations of commonly seen application security vulnerabilities and exploits. Each 'brick' has some sort of vulnerability which can be exploited using tools Mantra and ZAP. The mission is to 'break...

Privacy of Millions of HTC devices at risk

More than 18 million smartphones and other mobile devices made by HTC are at risk vulnerable to many security and privacy issue. The Federal Trade Commission charged HTC with customizing the software on its Android- and Windows based phones in ways that let third-party applications install softwa...

Mobile Apps Space A 'Wild West' For Enterprises

SAN FRANCISCO – Companies that are hoping to catch a ride on the mobile wave should pay close attention to the application development firms they choose to work with, unless they want to be saddled with a buggy and insecure albatross bearing their corporate logo, a leading application security...

Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

Dear security community and Oracle users, Many of my customers run Oracle. Much of the U.K. Critical National Infrastructure relies on Oracle; indeed this is true for many other countries as well. I know that there's a lot of private information about me stored in Oracle databases out there. I ha...