Aggregator

A vulnerability was found in Firebase JavaScript SDK up to 10.8.x and classified as problematic. Affected by this issue is some unknown functionality of the component Cookie Handler. The manipulation of the argument _authTokenSyncURL leads to cross site scripting. This vulnerability is handled as CVE-2024-11023. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in Apache Tomcat up to 9.0.95/10.1.30/11.0.0-M26 and classified as critical. Affected by this vulnerability is an unknown functionality of the component ServerAuthContext Component. The manipulation leads to unchecked error condition. This vulnerability is known as CVE-2024-52316. The attack can be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

火力全开！

The Microsoft 365 Admin Portal is being abused to send sextortion emails, making the emails appear trustworthy and bypassing email security platforms. [...]

Cybersecurity is a fast-growing field, with a constant need for skilled professionals. But unlike other professions — like medicine or aviation — there’s no clear-cut pathway to qualifying for cybersecurity positions. For employers and job seekers alike, this can make the journey to building a team (or entering a successful cybersecurity career) feel uncertain. Enter the registered apprenticeship program — a proven method for developing skilled talent in cybersecurity that benefits both the employer and the new professional. Let’s commit to supporting this important talent development approach

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-1212 Progress Kemp LoadMaster OS Command Injection Vulnerability
• CVE-2024-0012 Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability
• CVE-2024-9474 Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability

Users and administrators are also encouraged to review the Palo Alto Threat Brief: Operation Lunar Peek related to CVE-2024-0012, the Palo Alto Security Bulletin for CVE-2024-0012, and the Palo Alto Security Bulletin for CVE-2024-9474 for additional information. 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

The lab focuses on advancing communications technology through research and development in core network technologies, next-generation wireless systems, public safety communications, smart infrastructure and spectrum sharing.

With Scytale's new partnership program, MSPs can seamlessly scale compliance offerings to their clients and increase efficiency.

The post Scytale Launches New Partnership Program with Managed Service Providers (MSPs), Helping Transform Compliance into a Competitive Advantage appeared first on Scytale.

The post Scytale Launches New Partnership Program with Managed Service Providers (MSPs), Helping Transform Compliance into a Competitive Advantage appeared first on Security Boulevard.

История о хакере-однофамильце вождя, который решил тряхнуть капитализм.

What do hijacked websites, fake job offers, and sneaky ransomware have in common? They’re proof that cybercriminals are finding smarter, sneakier ways to exploit both systems and people. This week makes one thing clear: no system, no person, no organization is truly off-limits. Attackers are getting smarter, faster, and more creative—using everything from human trust to hidden flaws in

BeaverTail malware has been used to target tech job seekers through fake recruiters, Palo Alto Networks’ Unit 42 has found

For the latest discoveries in cyber research for the week of 11th November, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES The FBI and CISA issued a joint statement detailing a major Chinese cyber-espionage campaign targeting U.S. telecommunications infrastructure, led by the APT group Salt Typhoon. This operation compromised networks to steal call […]

The post 18th November – Threat Intelligence Report appeared first on Check Point Research.

数据安全领域实力获权威认可

360本地安全大脑「双子星体系」助推某区医疗系统开启智能运营时代

ITDR是否能够成为又一条全新独立的大赛道，让我们用时间来证明。

IT leaders know the drill—regulators and cyber insurers demand regular network penetration testing to keep the bad guys out. But here’s the thing: hackers don’t wait around for compliance schedules. Most companies approach network penetration testing on a set schedule, with the most common frequency being twice a year (29%), followed by three to four times per year (23%) and once per year (20%),

Google appears to be readying a new feature called Shielded Email that allows users to create email aliases when signing up for online services and better combat spam. The feature was first reported by Android Authority last week following a teardown of the latest version of Google Play Services for Android. The idea is to create unique, single-use email addresses that forward the messages to