Hard to Read, Easy to Jailbreak: How Visual Degradation Bypasses MLLM Safety Alignment
Recent advancements in visual context compression enable MLLMs to process ultra-long contexts efficiently by rendering text into images. However, we identify a critical vulnerability inherent to this paradigm: lowering image resolution inadvertently catalyzes jailbreaking. Our experiments reveal...
Understanding Password Preferences, Memorability, and Security through a Human-Centered Lens
Passwords remain the primary authentication method, yet user-created passwords are often the weakest due to the security-usability trade-off. Although AI-based password generators are emerging, little is known about their effectiveness and user perceptions. This eye-tracking study examined how...
CISO Spotlight: Lefteris Tzelepis on Leadership, Strategy, and the Modern Security Mandate
Lefteris Tzelepis, CISO at Steelmet /Viohalco Companies, was shaped by cybersecurity. From his early exposure to real-world attacks at the Greek Ministry of Defense to building and leading security programs inside complex enterprises, his career mirrors the evolution of the CISO role itself. Now ...
EUVD-2016-10374
Malware in sbrugna...
Automated Reasoning for Vulnerability Management by Design
For securing systems, it is essential to manage their vulnerability posture and design appropriate security controls. Vulnerability management allows vulnerabilities to be addressed proactively by incorporating pertinent security controls into system designs. Current vulnerability management approach...
The Everyday Security of Living with Conflict
When 'cyber' is used as a prefix, attention is typically drawn to the technological and spectacular aspects of war and conflict -- and, by extension, security. We offer a different approach to engaging with and understanding security in such contexts, by foregrounding the everyday -- mundane --...
CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers
Today, CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating...
Rockwell ArmorStart Improper Input Validation (CVE-2023-29030)
A cross-site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation...
World Password Day must die
The continued existence of World Password Day is a tell that something has gone badly wrong in cybersecurity. Now in its tenth year, the day is supposed to act as an annual reminder for people to follow good password hygiene: Don't reuse passwords; use long passwords; no, longer passwords than tha...
Nedi Consulting Nedi User Enumeration Vulnerability
Nedi Consulting NeDi is a suite of open source software from Nedi Consulting, Switzerland that supports discovery and mapping of network devices. A user enumeration vulnerability exists in Nedi, which stems from the insecure design of the Nedi login and community login web UI, and can be exploite...
A Taxonomy of Access Control
My personal definition of a brilliant idea is one that is immediately obvious once it's explained, but no one has thought of it before. I can't believe that no one has described this taxonomy of access control before Ittay Eyal laid it out in this paper. The paper is about cryptocurrency wallet...
PT-2022-4220 · Yokogawa · Exaopc +5
Name of the Vulnerable Software and Affected Versions: CENTUM CS 3000 versions R3.08.10 through R3.09.00; CENTUM VP versions R4.01.00 through R4.03.00; CENTUM VP versions R5.01.00 through R5.04.20; CENTUM VP versions R6.01.00 through R6.09.00; Exaopc versions R3.72.00 through R3.80.00; B/M9000 CS...
Design/Logic Flaw
An attacker may obtain the user credentials from the communication between the PLC and the software. As a result, the PLC user program may be uploaded, altered, and/or downloaded...
Shopify: Ability to Disable the Login Attempt of any Shopify Owner for 24 hrs (Zero_Click)
Hello Team, I found a bug in which a hacker has the ability to disable the login attempt of any Shopify owner with zero click. Summary: ---------- Proof of Concept: ------------------- Credentials: ------------- Victim = ███████.com ████████ Hacker = █████████.com Victim Scenario: ----------------- Step...
Our journey to API security at Raiffeisen Bank International
This article was written by Peter Gerdenitsch, Group CISO at Raiffeisen Bank International, and is based on a presentation given during Imvision's Executive Education Program, a series of events focused on how enterprises are taking charge of the API security lifecycle. Launching the "Security in...
CVE-2021-36061
Adobe Connect version 11.2.2 and earlier is affected by a secure design principles violation vulnerability via the 'pbMode' parameter. An unauthenticated attacker could leverage this vulnerability to edit or delete recordings on the Connect environment. Exploitation of this issue requires user...
CVE-2021-22449
There is a logic vulnerability in Elf-G10HN 1.0.0.608. An unauthenticated attacker could perform specific operations to exploit this vulnerability. Due to insufficient security design, successful exploit could allow an attacker to add users to be friends without prompting in the target device...
CVE-2021-22449
CVE-2021-22449 affects Elf-G10HN 1.0.0.608 and Huawei WATCH Kid (1.0.0.608) with a logic vulnerability allowing an unauthenticated attacker to perform operations that add friends without prompting. Root cause: insufficient security design. Impact described as enabling friend-adding actions on tar...
CVE-2021-22298
There is a logic vulnerability in the Huawei Gauss100 OLTP product. An attacker with certain permissions could execute specific SQL statements to exploit this vulnerability. Due to insufficient security design, successful exploitation can cause the service to behave abnormally. Affected product versions include: ManageOne...