CVE-2025-41390
An arbitrary code execution vulnerability exists in the git functionality of Truffle Security Co. TruffleHog 3.90.2. A specially crafted repository can lead to arbitrary code execution. An attacker can provide a malicious repository to trigger this vulnerability...
LockBit ransomware gang blames victim for DDoS attack on its website
By Deeba Ahmed LockBit Ransomware Gang claims its leak site was hit by a massive DDoS attack allegedly carried out by security company Entrust. This is a post from HackRead.com Read the original post: LockBit ransomware gang blames victim for DDoS attack on its website...
Thousands of Borrowers' Data Exposed from ENCollect Debt Collection Service
An ElasticSearch server instance that was left open on the Internet without a password contained sensitive financial information about loans from Indian and African financial services. The leak, which was discovered by researchers from information security company UpGuard, amounted to 5.8GB and...
FIN7 Lures Unwitting Security Pros to Carry Out Ransomware Attacks
The financially motivated cybercrime gang behind the Carbanak backdoor malware, FIN7, has hit upon a genius idea for maximizing profit from ransomware: Hire real pen-testers to do some of their dirty work instead of striking partnerships with other criminals. According to a report from Gemini...
Weak Password Vulnerability in Reporter System of Shanghai Newton Technology Co.
Shanghai Newton Technology Co., Ltd. is a professional security company with "network security" as its main axis and "making the network safer" as its mission, providing customers with total network security solutions. Its Reporter system has a weak password vulnerability, which can be used by attackers to log into the system...
The FTC Cracks Down on Bot-Wielding Ticket Scalpers
Plus: A security company creeper, Biden’s cyberteam, and the rest of this week’s security news...
SQL Injection Vulnerability in Dr.ID Access Control and Time Attendance System of ZTE Security Co.
Dr.ID Access Control & Time Attendance System is a product of ZTE Security Co., Ltd. It suffers from a SQL injection vulnerability, which can be exploited by attackers to obtain sensitive information from the database...
Credit card skimmer masquerades as favicon
Malware authors are notorious for their deceptive attempts at staying one step ahead of defenders. As their schemes get exposed, they always need to go back to their bag of tricks to pull out a new one. When it comes to online credit card skimmers, we have already seen a number of evasion...
Critical Flaws Found in VxWorks RTOS That Powers Over 2 Billion Devices
Security researchers have discovered almost a dozen zero-day vulnerabilities in VxWorks, one of the most widely used real-time operating systems (RTOS) for embedded devices, which powers over 2 billion devices across aerospace, defense, industrial, medical, automotive, consumer electronics, networkin...
Email Phishers Using New Way to Bypass Microsoft Office 365 Protections
Phishing works no matter how hard a company tries to protect its customers or employees. Security researchers have been warning of a new phishing attack that cybercriminals and email scammers are using in the wild to bypass the Advanced Threat Protection (ATP) mechanism implemented by widely used...
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of June 18, 2018
As I pull together the list of zero-day filters for this blog, I see all types of vulnerabilities from various vendors. My interest is always piqued when I see a vulnerability affecting a security company. The Zero Day Initiative's (ZDI) interest was also piqued when the researcher Pagefault...
Carbon Black Selected as a Finalist in the Best Security Company and Best Emerging Technology Categories for the 2018 SC Awards
We are honored to be recognized as an Excellence Award finalist in the Best Emerging Technology category for Cb Defense and as a finalist in the Best Security Company category for the 2018 SC Awards. Now in its 21st year, SC Awards is recognized as the industry gold standard of accomplishment for...
HubSpot: Reflected XSS and Server Side Template Injection in all HubSpot CMSes
Really, I don't know why the BugCrowd team closed my submission as N/A (F337815). They mentioned that it was "Not in Scope"?! So I reported it again in another submission, but this time I messaged the security company directly, and it was triaged and fixed in 2 days. Full PoC: I found it in this path /hcms/cta so this...
Zero-day vulnerability discovered in Office: hackers can use a Word document to install malicious software - vulnerability warning - the black bar safety net
According to foreign media reports, you may recently need to be careful when opening a Word document, because researchers at the security company McAfee found a zero-day vulnerability in Microsoft Office software that hackers can use to quietly install software on your computer system...
Teaching you step by step how to construct Office exploit EXPs (part two) - bug warning - the black bar safety net
In the previous part I shared the classic Office vulnerability CVE-2012-0158, demonstrating the principles of constructing a document that triggers a stack-based buffer overflow. The vulnerability shared this time is CVE-2013-3906, also a typical overflow-type Office...
Google AdMob filtering vulnerabilities let malicious ads sneak into applications - vulnerability warning - the black bar safety net
Android app developers have complained that, because the official advertising network is poorly regulated, otherwise clean Android applications have been infected with malicious ads. Third-party advertisements were strangely implanted in the Android apps; from Sydney, two bus apps, the Android app Arrivo a...
Security researcher exposes 0day vulnerabilities in FireEye core product - vulnerability warning - the black bar safety net
Recently, researcher Kristian Erik Hermansen found a 0day vulnerability in a FireEye core product that results in unauthorized file disclosure. He also provided a short example that triggers the vulnerability and a copy of the user database file. In addition, he also disclosed selling three other...
Guest blog: PCI audits and how to recognize a good QSA auditor and partner
Many organizations approach a PCI audit with fear and trepidation. There are a lot of stories out there about how difficult, expensive and disruptive a PCI audit can be, but I want to see if I can add some balance to this view. I believe that when it comes to a PCI auditor it matters a great deal...
Wekby APT 18 Exploiting Hacking Team Flash Zero Day
The Wekby APT group, implicated in a number of targeted attacks against health care organizations such as Community Health Systems and major pharmaceutical companies, is reportedly making use of the Adobe Flash Player zero-day found in the Hacking Team data dump. According to Virginia-based...
Malvertising Abuses Real-Time Bidding on Ad Networks
Dark corners of the Internet harbor trouble. They’re supposed to. But what about when Yahoo, CNN.com, TMZ and other busy destination sites heave disaster upon visitors? That’s the challenge posed by malvertising, the latest hacker Golden Goose used in cybercrime operations and even in some target...