24 matches found
Real Apple notifications are being used to drive tech support scams
Scammers have found a way to abuse legitimate Apple account notification emails to trick targets into calling fake tech support numbers. According to a report from BleepingComputer, scammers create an Apple account and insert a phishing message into the personal information fields, then modify th...
PT-2026-26343
⚠️ Limited Disclosure — Full Details Pending A critical security vulnerability has been identified in Step CA. An updated version, v0.30.0, is available and all operators are strongly encouraged to upgrade immediately. Full details of this vulnerability will be published in this security advisory...
EUVD-2016-3639
Malware in sbrugna...
EUVD-2024-52016
Malicious code in bioql PyPI...
CVE-2023-43760
Certain WithSecure products allow Denial of Service via a fuzzed PE32 file. This affects WithSecure Client Security 15, WithSecure Server Security 15, WithSecure Email and Server Security 15, WithSecure Elements Endpoint Protection 17 and later, WithSecure Client Security for Mac 15, WithSecure...
Sylius has a security vulnerability via adjustments API endpoint
Impact A security vulnerability was discovered in the /api/v2/shop/adjustments/{id} endpoint, which retrieves order adjustments based on incremental integer IDs. The vulnerability allows an attacker to enumerate valid adjustment IDs and retrieve order tokens. Using these tokens, an attacker can...
Bullied by Bugcrowd over Kape CyberGhost disclosure
TL;DR The CyberGhost VPN client suffers from an elevation of privilege vulnerability and is filed under CVE-2023-30237. A specially crafted JSON payload sent to the CyberGhost RPC service can lead to command line injection when the OpenVPN process is launched, leading to full system compromise. T...
OpenZeppelin Contracts contains Improper Verification of Cryptographic Signature
Cause is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature. Impact As a result, any contract using is_valid_eth_signature from the account library such as the EthAccount preset is vulnerable to a malicious sequencer. Specifically, the malicious sequencer would be...
GHSA-6P8V-8CQ8-V2R3 Access to Unix domain socket can lead to privileges escalation in Cilium
Impact Users with host file system access on a node and the privileges to run as group ID 1000 can gain access to the per node API of Cilium via Unix domain socket on the host where Cilium is running. If a malicious user is able to gain unprivileged access to a user corresponding to this group,...
Basic-auth app bundle credential exposure in gatsby-source-wordpress
Impact The gatsby-source-wordpress plugin prior to versions 4.0.8 and 5.9.2 leaks .htaccess HTTP Basic Authentication variables into the app.js bundle during build-time. Users who are not initializing basic authentication credentials in the gatsby-config.js are not affected. Example affected...
GHSA-4C7M-VV47-7C69 Insecure Permissions in Gogs
In Gogs 0.11.91, MakeEmailPrimary in models/user_mail.go lacks a "not the owner of the email" check...
CVE-2021-3188
phpList 3.6.0 allows CSV injection, related to the email parameter, and /lists/admin/ exports...
HackerOne: Security@ email forwarding and Embedded Submission drafts can be used to obtain copy of deleted attachments from other HackerOne users
HackerOne has a number of ways for hackers to submit security vulnerabilities to a program, two of which are through an embedded submission form and through security@ email forwarding. These two features can be exploited to update a report draft created through security@ email forwarding that doe...
HackerOne: Harvesting all private invites using leave program fast-tracked invitation and security@ email forwarding feature
Hi HackerOne, Summary: I have found a way that makes it possible to harvest all private invitations using the new Leave Program feature together with the security@ email forwarding feature without any user interaction. --- Description: First, when the program activated the security@ email forwarding ...
Lexmark Scan To Network (SNF) 3.2.9 Information Disclosure
Summary ======= 1. Information exposure of network credentials in embedded printer application CVE-2017-13771 Vendor ====== "Lexmark creates innovative imaging solutions and technologies that help customers worldwide print, secure and manage information with ease, efficiency and unmatched value...
CVE-2016-2565
Samsung SecEmailSync on SM-G920F build G920FXXU2COH2 Galaxy S6 devices allows attackers to read sent e-mail messages, aka SVE-2015-5081...
Kinsey InforLawson ESBUS - SQL Injection
Kinsey InforLawson ESBUS - SQL Injection Exploit Title: Kinsey Infor / Lawson ESBUS - Multiple SQL Injections Date: 3/10/2017 Exploit Author: Michael Benich Vendor homepage: http://www.kinsey.com/infor-lawson.html Version: ALL Tested on: Windows Server 2008 R2; MySQL ver 5.5 CVE: CVE-2017-6550...
CVE-2016-2037
The cpio_safer_name_suffix function in util.c in cpio 2.11 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted cpio file...
Threat Outbreak Alert RuleID17109: Email Messages Distributing Malicious Software on August 3, 2015
Medium Alert ID: 40309 First Published: 2015 August 3 19:52 GMT Version: 1 Summary Cisco Security has detected significant activity related to spam email messages distributing malicious software. Email messages that are related to this threat RuleID17109KVR may contain the following files: Name |...
Threat Outbreak Alert RuleID16118: Email Messages Distributing Malicious Software on June 23, 2015
Medium Alert ID: 39464 First Published: 2015 June 22 20:09 GMT Last Updated: 2015 June 24 13:24 GMT Version: 4 Summary Cisco Security has detected significant activity related to spam email messages distributing malicious software. Email messages that are related to this threat RuleID16118 and...