22 matches found
OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)
Summary: In the database extension, the "enableloadextension" property can be set for the SQLite integration, enabling an attacker to load local or remote extension DLLs and so run arbitrary code on the server. The attacker needs to have network access to the OpenRefine instance. Details: The...
Attackers are mailing USB sticks to drop ransomware on victims’ computers
Physical objects as security threats are in the news at the moment. The oft-touched-upon tale of rogue USB sticks is a common one. Being wary of random devices found on the floor, or handed out at events, is a smart move. You simply don’t know what’s lurking, and it’s hard to find out safely witho...
U.S. Dept Of Defense: IDOR on https://██████ via POST UID enables database scraping
Summary: The UID parameter on █████████ in the ██████ ███████ system, with ███████, does not validate that the caller has permission to view information on the UID entered, thereby enabling personnel and student data extraction. Description: The user operations API endpoint for the ███ ██████████...
Server secret was included in static assets and served to clients
Impact: Server JWT signing secret was included in static assets and served to clients. This ALLOWS Flood's builtin authentication to be bypassed. Given Flood is granted access to rTorrent's SCGI interface, which is unprotected and ALLOWS arbitrary code execution and usually wide-ranging privileges ...
FDA Warns of Potentially Fatal Flaws in Medtronic Insulin Pumps
The Food and Drug Administration (FDA) has issued an emergency alert, warning that Medtronic MiniMed insulin pumps are vulnerable to potentially life-threatening cyberattacks. Specifically impacted are Medtronic’s MiniMed insulin pumps, the MiniMed 508 insulin pump and MiniMed Paradigm series insul...
Security IQ: How to Survive the Holiday Phishing Season
Now that we’ve officially entered the holiday season, it’s time to be especially mindful of the ways that an attacker may use this to their advantage. In fact, recent Carbon Black data noted a 20.5% uptick in attempted cyberattacks during the holiday season. “Good” Deals: If you’re looking to find...
Two US State Election Systems Hacked to Steal Voter Databases — FBI Warns
A group of unknown hackers, or an individual hacker, may have breached voter registration databases for election systems in at least two US states, according to the FBI, which found evidence during an investigation this month. Although no intrusion into the state voting system itself has been reported, t...
CentOS 6 / 7 : ImageMagick (CESA-2016:0726) (ImageTragick)
An update for ImageMagick is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...
HackBack - A DIY Guide for those without the patience to wait for whistleblowers
HackBack - A DIY Guide for those without the patience to wait for whistleblowers. Papers, Multiple platform. A DIY Guide for those without the patience to wait for whistleblowers --...
Beware of Fraudulent Sites, phishing for Twitter accounts
There's a scam spreading through Twitter Direct Messages (DMs) and fake emails, urging users to visit a fake Twitter phishing site, i.e. "twittler.com". The scam uses a hijacked Twitter account to send out direct messages that appear completely legitimate. Security blogger Janne Ahlberg blogged about...
Personal Data Belonging to New Mexico Retirees at Risk After Laptop Theft
The personal information of some 100,000 members of the New Mexico Public Employees Retirement Association (PERA) is at risk after a thief broke into a truck belonging to an employee working for the company hired to perform PERA’s annual audit and stole a laptop containing the sensitive data. The...
VolksBank Online Banking Cross Site Scripting / Redirection
Title: VolksBank Online Banking - Multiple Web Vulnerabilities. Date: 2012-02-07. References: http://www.vulnerability-lab.com/getcontent.php?id=172 VL-ID: 172. Introduction: Volksbank AG takes a number of security precautions, which ...
TripAdvisor Warns Customers of Data Breach
TripAdvisor, the popular travel-planning site, is warning customers that some portion of the company’s customer email database was stolen recently by attackers. The company is not saying how many customers are affected or how the breach occurred. TripAdvisor posted a message on its site warning...
Debian Security Advisory DSA 279-1 (metrics)
The remote host is missing an update to metrics announced via advisory DSA 279-1. SPDX-FileCopyrightText: 2008 E-Soft Inc. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
Debian Security Advisory DSA 331-1 (imagemagick)
The remote host is missing an update to imagemagick announced via advisory DSA 331-1. SPDX-FileCopyrightText: 2008 E-Soft Inc. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Debian: Security Advisory (DSA-302)
The remote host is missing an update for the Debian package. SPDX-FileCopyrightText: 2008 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
Debian: Security Advisory (DSA-341)
The remote host is missing an update for the Debian package. SPDX-FileCopyrightText: 2008 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
Debian: Security Advisory (DSA-340)
The remote host is missing an update for the Debian package. SPDX-FileCopyrightText: 2008 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
DSA-488 logcheck - insecure temporary directory
Bulletin has no description...
DSA-339 semi - insecure temporary file
Bulletin has no description...