Aggregator

Submit #755218 / VDB-347220

Submit #755212 / VDB-347219

Submit #755211 / VDB-347218

Submit #755202 / VDB-347217

Submit #755201 / VDB-347216

Submit #755193 / VDB-347215

Submit #755167 / VDB-347214

A vulnerability described as critical has been identified in UTT HiPER 810G 1.7.7-171114. This affects the function strcpy of the file /goform/ConfigExceptAli. Executing a manipulation can lead to buffer overflow. This vulnerability is tracked as CVE-2026-2904. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability marked as problematic has been reported in Google Cloud Vertex AI SDK for Python up to 1.130.x. The impacted element is an unknown function of the component _evals_visualization. Performing a manipulation results in cross site scripting. This vulnerability is identified as CVE-2026-2472. The attack can be initiated remotely. There is not any exploit available. This product is a managed service. This means that users are not able to maintain vulnerability countermeasures themselves. It is suggested to upgrade the affected component.

A vulnerability labeled as very critical has been found in Google Cloud Vertex AI Experiments up to 1.132.x. The affected element is an unknown function of the component Bucket Naming Handler. Such manipulation leads to generation of predictable numbers or identifiers. This vulnerability is referenced as CVE-2026-2473. It is possible to launch the attack remotely. No exploit is available. This product is a managed service, therefore users are not responsible for maintaining vulnerability countermeasures. The affected component should be upgraded.

Submit #755113 / VDB-347213

A vulnerability identified as problematic has been detected in skvadrik re2c up to 4.4. Impacted is the function check_and_merge_special_rules of the file src/parse/ast.cc. This manipulation causes null pointer dereference. The identification of this vulnerability is CVE-2026-2903. The attack can only be executed locally. Furthermore, there is an exploit available. It is suggested to install a patch to address this issue.

Submit #755030 / VDB-347210

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the target and the legitimate site -- forwarding the victim's username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.

The post ‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA appeared first on Security Boulevard.

Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand's real website, and then acts as a relay between the target and the legitimate site -- forwarding the victim's username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.

Session 13A: JavaScript Security

Authors, Creators & Presenters: Darion Cassel (Carnegie Mellon University), Nuno Sabino (IST & CMU), Min-Chien Hsu (Carnegie Mellon University), Ruben Martins (Carnegie Mellon University), Limin Jia (Carnegie Mellon University)

PAPER
NodeMedic-FINE: Automatic Detection and Exploit Synthesis for Node.js Vulnerabilities

The Node.js ecosystem comprises millions of packages written in JavaScript. Many packages suffer from vulnerabilities such as arbitrary code execution (ACE) and arbitrary command injection (ACI). Prior work has developed automated tools based on dynamic taint tracking to detect potential vulnerabilities, and to synthesize proof-of-concept exploits that confirm them, with limited success. One challenge these tools face is that expected inputs to package APIs often have varied types and object structure. Failure to call these APIs with inputs of the correct type and with specific fields leads to unsuccessful exploit generation and missed vulnerabilities. Generating inputs that can successfully deliver the desired exploit payload despite manipulation performed by the package is also difficult. To address these challenges, we use a type and object-structure aware fuzzer to generate inputs to explore more execution paths during dynamic taint analysis. We leverage information generated by the taint analysis to infer the types and structure of the inputs, which are then used by the exploit synthesis engine to guide exploit generation. We implement NodeMedic-FINE and evaluate it on 33,011 npm packages that contain calls to ACE and ACI sinks. Our tool finds 2257 potential flows and automatically synthesizes working exploits in 766 packages.

ABOUT NDSS
The Network and Distributed System Security Symposium (NDSS) fosters information exchange among researchers and practitioners of network and distributed system security. The target audience includes those interested in practical aspects of network and distributed system security, with a focus on actual system design and implementation. A major goal is to encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies.

Our thanks to the Network and Distributed System Security (NDSS) Symposium for publishing their Creators, Authors and Presenter’s superb NDSS Symposium 2025 Conference content on the Organizations' YouTube Channel.

Permalink

The post NDSS 2025 – NodeMedic-FINE: Automatic Detection And Exploit Synthesis For Node.js Vulnerabilities appeared first on Security Boulevard.

In court on Thursday, Catalin Dragomir pleaded guilty to obtaining information from a protected computer and one count of aggravated identity theft.

A vulnerability was found in Dell EMC PowerScale OneFS up to 9.1.0. It has been rated as critical. Affected is an unknown function of the component SmartLock Compliance Mode. Performing a manipulation results in os command injection. This vulnerability is identified as CVE-2021-21526. The attack is only possible with local access. There is not any exploit available.

A vulnerability classified as critical has been found in Dell EMC PowerScale OneFS up to 9.1.0. This vulnerability affects unknown code of the component Compliance Mode. This manipulation causes improper access controls. This vulnerability is handled as CVE-2021-21553. The attack can be initiated remotely. There is not any exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Dell EMC PowerScale OneFS up to 9.1.0.3. Impacted is an unknown function of the component SmartConnect. Performing a manipulation results in resource consumption. This vulnerability was named CVE-2021-21565. The attack may be initiated remotely. There is no available exploit.