Aggregator

A security flaw has been disclosed in OpenWrt's Attended Sysupgrade (ASU) feature that, if successfully exploited, could have been abused to distribute malicious firmware packages. The vulnerability, tracked as CVE-2024-54143, carries a CVSS score of 9.3 out of a maximum of 10, indicating critical severity. Flatt Security researcher RyotaK has been credited with discovering and reporting the

Для рекордной памяти не нужны токсичные металлы.

随着漏洞大爆发时代的来临以及黑产、暗网交易等盛行，如何以更全面、更有针对性的漏洞情报帮助企业在与攻击者的较量中占据高位，成为了业界关注的重点课题之一。在FCIS 2024网络安全创新大会上，斗象科技C

A vulnerability, which was classified as critical, has been found in Node.js up to 6.14.x/8.13.x/10.13.x/10.2.x. Affected by this issue is the function url.parse of the component javascript URL Handler. The manipulation leads to misinterpretation of input. This vulnerability is handled as CVE-2018-12123. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Mattermost Server up to 8.1.10/9.5.0. Affected is an unknown function of the component Call Handler. The manipulation leads to improper access controls. This vulnerability is traded as CVE-2024-21848. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Mattermost Server up to 8.1.10/9.3.2/9.4.3/9.5.1/9.6.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /api/v4/users/me/teams of the component Add Member Handler. The manipulation leads to improper access controls. This vulnerability is known as CVE-2024-29221. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical was found in Mattermost up to 8.1.10/9.3.2/9.4.3/9.5.1/9.6.0. Affected by this vulnerability is an unknown functionality of the component Post Action Handler. The manipulation leads to improper access controls. This vulnerability is known as CVE-2024-2447. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in AMD μProf Tool and classified as critical. This vulnerability affects unknown code. The manipulation leads to out-of-bounds write. This vulnerability was named CVE-2023-31341. An attack has to be approached locally. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in TOTOLINK AC1200 T8 4.1.5cu.862_B20230228 and classified as critical. Affected by this vulnerability is the function setDiagnosisCfg. The manipulation leads to os command injection. This vulnerability is known as CVE-2024-8075. The attack can be launched remotely. There is no exploit available. The vendor was contacted early about this disclosure but did not respond in any way. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical has been found in GitLab Enterprise Edition up to 17.1.5/17.2.3/17.3.0. This affects an unknown part of the component IP Restriction Handler. The manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2024-3127. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in AMD Radeon RX 6000 Graphics Cards and Radeon PRO W6000 Graphics Cards. It has been classified as problematic. Affected is an unknown function of the component Power Management Firmware. The manipulation leads to denial of service. This vulnerability is traded as CVE-2023-31307. Attacking locally is a requirement. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in urllib3. It has been rated as problematic. Affected by this issue is some unknown functionality of the component HTTP Header Handler. The manipulation of the argument Cookie leads to permissive cross-domain policy with untrusted domains. This vulnerability is handled as CVE-2023-43804. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

error code: 521

Last week, we saw a supply-chain attack against the Ultralytics AI library on GitHub. A quick summary:

On December 4, a malicious version 8.3.41 of the popular AI library ultralytics ­—which has almost 60 million downloads—was published to the Python Package Index (PyPI) package repository. The package contained downloader code that was downloading the XMRig coinminer. The compromise of the project’s build environment was achieved by exploiting a known and previously reported GitHub Actions script injection.

Lots more details at that link. Also ...

The post Ultralytics Supply-Chain Attack appeared first on Security Boulevard.

Il Garante per la privacy ha approvato il codice di condotta per il trattamento dei dati personali e

AbstractIn the intricate landscape of cybersecurity, the ability to uncover hidde

AbstractCybercriminals now have unprecedented ease in creating their own remote a

IntroductionAfter installing the payload, the shell script inst.sh runs a backdoo