3355 matches found
CVE-2017-9821
The BHIM Android app (National Payments Corporation of India) v1.3 relies on three hardcoded strings (AK-NPCIMB, IM-NPCIBM, VK-NPCIBM) to validate OTP SMS, enabling authentication bypass. Public sources in connected documents confirm this vulnerability affecting BHIM Android 1.3 and outline the h...
October 17, 2017—KB4041685 (Preview of Monthly Rollup)
October 17, 2017—KB4041685 Preview of Monthly Rollup Improvements and fixes This non-security update includes improvements and fixes that were a part of KB4041693 released October 10, 2017 and also includes these new quality improvements as a preview of the next Monthly Rollup update: Addressed...
Sizing Up The Scourge of Credential Stuffing
Last year, 2.3 billion credentials were stolen from 51 different organizations, including Ancestry.com, Imgur and Virgin America. Where do all those user names go? In Shape Security’s second annual Credential Spill Report, it found that billions of stolen digital IDs are contributing to an epidem...
CVE-2017-7481
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2...
To crypt, or to mine – that is the question
Way back in 2013 our malware analysts spotted the first malicious samples related to the Trojan-Ransom.Win32.Rakhni family. That was the starting point for this long-lived Trojan family, which is still functioning to this day. During that time the malware writers have changed: the way their Troja...
Design/Logic Flaw
A flaw was found affecting the Linux kernel before version 4.17. By mmapping a FUSE-backed file onto a process's memory containing command line arguments or environment strings, an attacker can cause utilities from psutils or procps such as ps, w or any other program which makes a read call to the...
M4Ngl3M3 - Common Password Pattern Generator Using Strings List
Common password pattern generator using strings list. Quick Installation: $ git clone https://github.com/localh0t/m4ngl3m3 $ cd m4ngl3m3 $ ./main.py Basic Help: usage: main.py -h -fy FROMYEAR -ty TOYEAR -sy -nf NUMBERSFILE -sf SYMBOLSFILE -cf CUSTOMFILE -sbs -sap -mm MUTATIONMETHODS MUTATIONMODE...
DEBIAN-CVE-2017-7847
Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird 52.5.2...
CVE-2017-7790
On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system. Note: This attack only affects Windows operating systems...
CVE-2017-7847
Crafted CSS in an RSS feed can leak and reveal local path strings, which may contain user name. This vulnerability affects Thunderbird 52.5.2...
Tkabber Parameter Injection Vulnerability
Tkabber is an instant messaging protocol GUI client based on XMPP. A security vulnerability exists in the default.tcl file in Tkabber version 1.1, which originates from the program failing to validate strings before starting the program. A remote attacker can exploit this vulnerability to perform...
Bob Hepple gjots2 Parameter Injection Vulnerability
Bob Hepple gjots2 is a suite of open source desktop notebook applications. A security vulnerability exists in the lib/gui.py file in Bob Hepple gjots2 version 2.4.1, which stems from the program failing to validate strings before starting the program. A remote attacker can exploit this...
OCaml Batteries Included Parameter Injection Vulnerability
OCaml Batteries Included a.k.a. ocaml-batteries is a set of development platforms based on the OCaml language maintained by the OCaml community. A security vulnerability exists in the batteriesConfig.mlp file in OCaml Batteries Included version 2.6, which stems from the program failing to validat...
GHSA-VWJC-Q9PX-R9VQ Denial of Service in ecstatic
Versions of ecstatic prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the Last-Modified or If-Modified-Since headers. Parsing certain inputs with new Date or Date.parse causes v8 to crash. As ecstatic passes the value of the affected headers...
Regular Expression Denial Of Service (ReDoS)
no-case is vulnerable to regular expression denial of service (ReDoS) attacks. The library does not properly sanitize user input strings, causing slowdown when matching strings that can lead to a ReDoS...