Aggregator
CVE-2016-3557 | Oracle Agile PLM 9.3.4/9.3.5 File Load (BID-91787 / ID 1036402)
CVE-2016-3555 | Oracle Agile PLM 9.3.4/9.3.5 PGC/Excel Plugin (BID-91787 / ID 1036402)
CVE-2016-3553 | Oracle Agile PLM 9.3.4/9.3.5 PC Core (BID-91787 / ID 1036402)
CVE-2016-3560 | Oracle Agile PLM 9.3.4/9.3.5 SDK information disclosure (BID-91787 / ID 1036402)
CVE-2016-5473 | Oracle Agile PLM 9.3.4/9.3.5 File Folders/Attachment information disclosure (BID-91787 / ID 1036402)
CVE-2016-5510 | Oracle Agile PLM 9.3.4/9.3.5 Folders/Files/Attachments information disclosure (BID-93669)
PowerSchool Paid Ransom, Now Hackers Target Teachers for More
Polish authorities arrest four people behind DDoS-for-hire platforms
Cisco IOS XE Wireless Controllers Vulnerable to Unauthenticated Root Exploits via JWT (CVE-2025-20188)
60K Bitcoin addresses leaked after the LockBit ransomware gang was hacked
An open letter to FireTail customers about security and data privacy – FireTail Blog
May 08, 2025 - Lina Romero - In the current landscape, we are seeing an upward trend of attacks, and this is only continuing to rise. The way we’ve been approaching applications needs to change drastically to address the growing risk vectors. In this blog, we’ll talk about what the responsibility of SaaS vendors is towards their customers, and what needs to change.

The Software as a Service, or “SaaS”, model has led to enterprise organizations relying on a number of external providers, and while this system can be efficient in developing new applications and models, it can also be a security liability. If one customer of a SaaS platform has a breach, there’s a good chance that the other customers who use the same platform will also be affected. The potential for incidents to have ripple effects that expand on a global scale is now a very real issue.

“At JPMorganChase, we've seen the warning signs firsthand. Over the past three years, our third-party providers experienced a number of incidents within their environments. These incidents across our supply chain required us to act swiftly and decisively, including isolating certain compromised providers, and dedicating substantial resources to threat mitigation.” - Patrick Opet

According to Opet, SaaS models have effectively “reshaped” how companies integrate services. Before SaaS, security teams would enforce segmentation, boundaries, and more around applications and around access to the data inside those applications. However, modern integration patterns rely heavily on identity protocols such as OAuth to create “direct, often unchecked interactions between third-party services and sensitive internal resources” (Patrick Opet). This means that the likelihood of compromise can be much higher, since companies are depending on already-existing technologies to secure their new technologies, potentially leading to many issues falling through the cracks.

Patrick states that, “the most effective way to begin change is to reject these integration models without better solutions.” Automated or AI-powered integration models oversimplify authentication and authorization, “effectively creating single-factor explicit trust between systems,” which is a problem for a number of reasons, and the effect it could have across so many applications is staggering.

So what does FireTail do differently?

FireTail builds security into our applications from code to cloud. We take application security seriously because it’s what we do!

FireTail is built on APIs and designed to protect APIs. So when it comes time to secure FireTail, we run it on FireTail! Dogfooding our product and being “customer one” has allowed us to stay on top of API-based authentication and authorization and create the leading tool in the space.

And while we do allow customers to use single sign-on (SSO), we require multi-factor authentication (MFA) of all users, whether they are administrators on the FireTail platform or not.

We also run the detection and response aspects of FireTail on FireTail, to find suspicious API usage and unauthorized activity. We follow industry best practices around vulnerability management, continuous pentesting, and other security practices.

At FireTail, we take customer data seriously. Not only do we encrypt your data both in motion AND at rest, we also offer two separate locations to use FireTail, depending on your data sovereignty requirements: the US or the EU. We even offer dedicated customer deployments of FireTail for customers who prefer a private instance of FireTail!

Finally, we operate with an audited SOC 2 Type 2 certification and handle all data in accordance with GDPR.

See how FireTail can work for you by scheduling a demo here or starting with our free tier, today.
The post An open letter to FireTail customers about security and data privacy – FireTail Blog appeared first on Security Boulevard.
Bosch Ventures turns its attention to North America, launching a new $270 million fund
SonicWall Issues Patch for Exploit Chain in SMA Devices
LLM02: Sensitive Information Disclosure – FireTail Blog
May 08, 2025 - Lina Romero - In 2025, AI security is a relevant issue. With the landscape changing so rapidly and new risks emerging every day, it is difficult for developers and security teams to stay on top of AI security. The OWASP Top 10 Risks for LLM attempts to break down the most prevalent vulnerabilities we are seeing in cyberspace, in order to better understand where the gaps are. In the last post in this series, we explored Prompt Injection, the number one issue on the OWASP list. Today, we’ll be talking about another key issue: Sensitive Information Disclosure.

What is Sensitive Information Disclosure?

As the name suggests, Sensitive Information Disclosure stems from information that was not intended to be public becoming available to other parties, including malicious parties. The information in question can include Personally Identifiable Information (PII), health records, financial data, and more.

LLMs may inadvertently expose this sensitive information because of issues such as poor configuration, data leaks, or even other types of attacks, including prompt injection against the LLM.

Mitigation Techniques for Sensitive Information Disclosure

There are a variety of strategies that can be used to mitigate the risk of sensitive information disclosure. The OWASP Top 10 for LLM gives us a brief checklist of the most important methods, but these alone may not be enough to prevent the possibility of SID.

- Data sanitization: Data sanitization involves altering the data to make it difficult for attackers to get access to it, or even removing sensitive data altogether, effectively cleaning it out.
- Input validation: Require and enforce strict formats for inputs, ensuring that the model detects and filters out malicious requests and does not compromise the information.
- Access controls: Limit access using the principle of least privilege, essentially only giving access to those who absolutely need it.
- Restrict data sources: In addition to requiring specific formats, also requiring specific data sources helps to limit inputs, further narrowing the chances of sensitive information disclosure.
- Differential privacy: Apply noise to the data, making it difficult for attackers to reverse-engineer the data points.
- Educate users: Ensure users are up-to-date on best practices and offer regular training on safe LLM usage to stay current.
- Transparency: Be upfront about data usage. Allow users to opt out of having their data used in the training process.

LLM02: Sensitive Information Disclosure is a critical issue for LLMs and a contributing cause of some recent AI breaches. There are many ways an LLM’s sensitive information can be disclosed, whether from poor configuration of the model itself, standard data leaks, or other types of attacks, including Prompt Injection. When sensitive information is disclosed to bad actors, they can use it for malicious purposes and to launch further attacks. However, there are a variety of steps and measures users can implement to mitigate the risk of SID, including data sanitization, input validation, access controls and more.

If you’re new to AI security, or struggling to keep up, the OWASP Top 10 for LLM is a great resource on the biggest risks in today’s landscape. If you’re looking for more in-depth information, check out FireTail’s recent report on the State of AI & API Security. We’ll see you next week for the third installment in this blog series on LLM03: Supply Chain. In the meantime, if you want to see how FireTail can simplify your AI security posture, schedule a demo here, or start trying it out for free, today!
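The first four items of the checklist above (data sanitization, input validation, access controls on data sources, restricting sources) can be wired into one guardrail around a model call. The following is an added example written for this post, not FireTail code; the allowlist, the PII patterns, the length limit and the stubbed model are constructed assumptions.

```python
"""Guardrail for an LLM pipeline: input validation, allowlisted data sources and
PII redaction on prompt and reply. Constructed example; names are assumptions."""
import re
ALLOWED_SOURCES = {"public_docs", "product_faq"}  # constructed allowlist
MAX_PROMPT_CHARS = 2000
PII_PATTERNS = {  # applied in order; placeholders contain no digits or '@'
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so ordinary digit runs are not redacted as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact(text: str) -> tuple[str, list[str]]:
    """Data sanitization: replace PII with typed placeholders, report the hits."""
    hits = []
    def repl_for(kind):
        def repl(m):
            if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group())):
                return m.group()  # digit run that fails Luhn: leave it alone
            hits.append(kind)
            return f"[{kind} REDACTED]"
        return repl
    for kind, pat in PII_PATTERNS.items():
        text = pat.sub(repl_for(kind), text)
    return text, hits

def validate_prompt(prompt: str, source: str) -> str:
    """Input validation plus restricted data sources: reject, do not repair."""
    if source not in ALLOWED_SOURCES:
        raise ValueError(f"data source {source!r} is not allowlisted")
    if not 0 < len(prompt) <= MAX_PROMPT_CHARS:
        raise ValueError("prompt length outside policy")
    if any(ord(c) < 32 and c not in "\n\t" for c in prompt):
        raise ValueError("control characters are not allowed in prompts")
    return prompt

def guarded_call(prompt: str, source: str, source_model) -> tuple[str, list[str]]:
    """source_model is any callable str -> str; both directions pass through redact()."""
    clean_prompt, _ = redact(validate_prompt(prompt, source))
    return redact(source_model(clean_prompt))
```

The returned hit list is what a detection pipeline would log: a non-empty list on the reply side means the model tried to emit PII that the sanitization step caught.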
The post LLM02: Sensitive Information Disclosure – FireTail Blog appeared first on Security Boulevard.