Tag: Vulnerability


Threats & Malware, Vulnerabilities

Zoom stomps critical privilege escalation bug plus 6 other flaws

February 15, 2024

Via: The Register

Video conferencing giant Zoom today opened up about a fresh batch of security vulnerabilities affecting its products, including a critical privilege escalation flaw. Tracked as CVE-2024-24691 with a CVSS score of 9.6, Zoom says the vulnerability may enable privilege escalation […]


Cyber-crime, Identity theft

Meta says risk of account theft after phone number recycling isn’t its problem to solve

February 13, 2024

Via: The Register

Meta has acknowledged that phone number reuse that allows takeovers of its accounts “is a concern,” but the ad biz insists the issue doesn’t qualify for its bug bounty program and is a matter for telecom companies to sort out. […]


Threats & Malware, Virus & Malware

Cybercrime duo accused of picking $2.5M from Apple’s orchard

February 8, 2024

Via: The Register

A cybersecurity researcher and his pal are facing charges in California after they allegedly defrauded an unnamed company, almost certainly Apple, out of $2.5 million. Noah Roskin-Frazee and Keith Latteri are alleged to have gained access to Apple’s systems via […]


Threats & Malware, Vulnerabilities

JetBrains urges swift patching of latest critical TeamCity flaw

February 7, 2024

Via: The Register

JetBrains is encouraging all users of TeamCity (on-prem) to upgrade to the latest version following the disclosure of a critical vulnerability in the CI/CD tool. Tracked as CVE-2024-23917, the vulnerability has been assigned a provisional 9.8 CVSS score and allows […]


Threats & Malware, Vulnerabilities

Critical vulnerability in Mastodon is pounced upon by fast-acting admins

February 2, 2024

Via: The Register

Mastodon has called admins to action following the disclosure of a critical vulnerability affecting the decentralized social network favored by erstwhile Twitter lovers. With a 9.4 severity score, exploiting CVE-2024-23832 potentially allows attackers to take over Mastodon accounts remotely. While […]


Threats & Malware, Vulnerabilities

Nearly 4-year-old Cisco vuln linked to recent Akira ransomware attacks

January 31, 2024

Via: The Register

Security researchers believe the Akira ransomware group could be exploiting a nearly four-year-old Cisco vulnerability and using it as an entry point into organizations’ systems. In eight of security company TrueSec’s most recent incident response engagements that involved Akira and […]


Threats & Malware, Vulnerabilities

Using GoAnywhere MFT for file transfers? Patch now – an exploit’s out for a critical bug

January 24, 2024

Via: The Register

Security experts are wasting no time in publishing working exploits for a critical vulnerability in Fortra GoAnywhere MFT, which was publicly disclosed just over a day ago. Customers were first advised by Fortra on the mitigations for the critical authentication […]


Threats & Malware, Vulnerabilities

SEC X Account Hack: SIM Swap Exposed Vulnerability

January 24, 2024

Via: SecureWorld

On January 9, during a period of heightened anticipation surrounding the potential approval of Bitcoin exchange-traded funds (ETFs), an unauthorized post appeared on the SEC’s X account claiming the approval had been granted. This triggered a surge in Bitcoin’s price […]


Access control, Security

IT consultant fined for daring to expose shoddy security

January 19, 2024

Via: The Register

A security researcher in Germany has been fined €3,000 ($3,300, £2,600) for finding and reporting an e-commerce database vulnerability that was exposing almost 700,000 customer records. Back in June 2021, according to our pals at Heise, a contractor identified elsewhere […]


Threats & Malware, Vulnerabilities

Patch time: Critical GitLab vulnerability exposes 2FA-less users to account takeovers

January 16, 2024

Via: The Register

GitLab admins should apply the latest batch of security patches pronto given the new critical account-bypass vulnerability just disclosed. Tracked as CVE-2023-7028, the maximum-severity bug exploits a change introduced in version 16.1.0 back in May 2023 that allowed users to […]


Application security, Security

Beware, all Windows and Mac devices possibly at risk – dangerous Opera security flaw could have allowed hackers to run any file they want

January 16, 2024

Via: TechRadar

Opera, a popular Chromium-based browser, was found carrying a vulnerability that would allow hackers to install pretty much any file on both Windows and macOS operating systems. The vulnerability was discovered by cybersecurity researchers from Guardio Labs, who notified the […]


Threats & Malware, Vulnerabilities

Terrapin attack allows to downgrade SSH protocol security

January 2, 2024

Via: Security Affairs

Security researchers from Ruhr University Bochum (Fabian Bäumer, Marcus Brinkmann, Jörg Schwenk) discovered a vulnerability, called Terrapin (CVE-2023-48795, CVSS score 5.9), in the Secure Shell (SSH) cryptographic network protocol. An attacker can trigger the flaw to downgrade the connection’s security […]


Mobile, Mobile security

Kaspersky reveals previously unknown hardware ‘feature’ exploited in iPhone attacks

December 28, 2023

Via: The Register

Kaspersky’s Global Research and Analysis Team (GReAT) has exposed a previously unknown “feature” in Apple iPhones that allowed malware to bypass hardware-based memory protection. Addressed as CVE-2023-38606, which was patched in July 2023, the issue affected iPhones running iOS versions […]


Threats & Malware, Vulnerabilities

Four in five Apache Struts 2 downloads are for versions featuring critical flaw

December 21, 2023

Via: The Register

Security vendor Sonatype believes developers are failing to address the critical remote code execution (RCE) vulnerability in the Apache Struts 2 framework, based on recent downloads of the code. The vulnerability, tracked as CVE-2023-50164, is rated 9.8 out of 10 […]


Threats & Malware, Vulnerabilities

SSH shaken, not stirred by Terrapin vulnerability

December 20, 2023

Via: The Register

A vulnerability in the SSH protocol can be exploited by a well-placed adversary to weaken the security of people’s connections, if conditions are right. In a successful man-in-the-middle attack, the adversary may be able to force SSH clients to use […]


Data loss, Threats & Malware

Millions of Xfinity customers’ info, hashed passwords feared stolen in cyberattack

December 19, 2023

Via: The Register

Millions of Comcast Xfinity subscribers’ personal data – including potentially their usernames, hashed passwords, contact details, and secret security question-answers – was likely stolen by one or more miscreants exploiting Citrix Bleed in October. The internet, voice, and cable TV […]


Threats & Malware, Vulnerabilities

Lazarus APT Continues to Exploit Log4j Vulnerability

December 13, 2023

Via: SecureWorld

Lazarus, the notorious North Korean hacking group, has once again made headlines, this time by exploiting the Log4j vulnerability, despite it being disclosed two years ago. The Log4j vulnerability, officially known as CVE-2021-44228, continues to pose significant risks to organizations […]


Threats & Malware, Vulnerabilities

Atlassian security advisory reveals four fresh critical flaws – in mail with dead links

December 6, 2023

Via: The Register

Atlassian has emailed its customers to warn of four critical vulnerabilities, but the message had flaws of its own – the links it contained weren’t live for all readers at the time of despatch. The email, seen by The Register, […]


Threats & Malware, Vulnerabilities

A year on, CISA realizes debunked vuln actually a dud and removes it from must-patch list

December 6, 2023

Via: The Register

A security vulnerability previously added to CISA’s Known Exploited Vulnerability catalog (KEV), which was recognized by CVE Numbering Authorities (CNA), and included in reputable threat reports is now being formally rejected by infosec organizations. CISA removed CVE-2022-28958 from its KEV […]


Mobile, Mobile security

Google fixed critical zero-click RCE in Android

December 5, 2023

Via: Security Affairs

Google's December 2023 Android security updates addressed 85 vulnerabilities, including a critical zero-click remote code execution (RCE) flaw tracked as CVE-2023-40088. The vulnerability resides in Android’s System component; it doesn’t require additional privileges to be triggered. An attacker can exploit […]