Aggregator

A vulnerability classified as critical was found in code-projects Job Recruitment 1.0. This vulnerability affects unknown code of the file /_parse/_call_job/search_ajax.php of the component Job Post Handler. The manipulation of the argument n leads to sql injection. This vulnerability was named CVE-2024-13092. The attack can be initiated remotely. Furthermore, there is an exploit available.

OverFlame Targeted the Website of National Guard of Ukraine

Submit #472442 / VDB-289901

Submit #472441 / VDB-289900

by Source Defense A sophisticated attack chain targeting e-commerce payment flows has been prematurely exposed in a concerning development, highlighting the delicate balance between responsible disclosure and public safety. Discovered initially by Source Defense’s research team and responsibly disclosed to Google on November 19, 2024 (Issue ID: 379818473), this critical vulnerability has now been publicly

The post CRITICAL ALERT: Sophisticated Google Domain Exploitation Chain Unleashed appeared first on Source Defense.

The post CRITICAL ALERT: Sophisticated Google Domain Exploitation Chain Unleashed appeared first on Security Boulevard.

A vulnerability classified as critical has been found in PacoVK tapir 0.9.0/0.9.1. This affects an unknown part. The manipulation leads to improper authorization. This vulnerability is uniquely identified as CVE-2024-56802. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in cabraviva path-sanitizer up to 3.0.x. It has been rated as very critical. Affected by this issue is some unknown functionality. The manipulation leads to path traversal. This vulnerability is handled as CVE-2024-56198. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

Submit #472626 / VDB-256897

Submit #472610 / VDB-256897

Submit #472439 / VDB-257155

A vulnerability, which was classified as problematic, was found in Linux Kernel up to 5.10.37/5.11.21/5.12.4. This affects the function rdo_index of the component ucsi. The manipulation of the argument position leads to improper validation of array index. This vulnerability is uniquely identified as CVE-2021-46980. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in VW Themes VW Automobile Lite Plugin up to 2.1 on WordPress. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to missing authorization. The identification of this vulnerability is CVE-2024-56234. The attack may be initiated remotely. There is no exploit available.

Register now: 2024 MITRE ATT&CK Enterprise Evaluation Result Breakdown Webinar.

Back in the summer I wrote a blog around capability versus usability, in which I highlighted that typically industry testing focuses on capability, despite one of the key challenges in the industry being skills. EDR by its nature, is a technical capability and as such the skills gap in this space is even greater. I will always remember a good friend sharing in his keynote, a number of years ago, that there is little point in buying a best of breed solution if you don’t have the people powers to actually use it.

In our recent SoC optimizationresearch we saw that on average only 50-80% of alerts are processed the same day, false positives being a significant challenge and distraction for SoC analysts.

The post “Out-of-the-Box” Detection Coverage: A Critical Metric for Endpoint Security appeared first on Security Boulevard.

🧨“芯”岁启封 美好送达，山石网科祝大家元旦快乐！

DXPLOIT Defaced the Website of IFF Fund

A vulnerability was found in CentOS-WebPanel.com CentOS Web Panel 0.9.8.836. It has been rated as critical. Affected by this issue is some unknown functionality of the file /tmp of the component Session File. The manipulation leads to unrestricted upload. This vulnerability is handled as CVE-2019-13359. The attack may be launched remotely. Furthermore, there is an exploit available.

9 Telcos Have Been Breached by Beijing-Backed 'Salt Typhoon,' White House Says
U.S. telecommunications giants AT&T and Verizon Communications believe they have finally ejected Chinese cyber espionage hackers from their networks. The White House said the "Salt Typhoon" nation-state hackers infiltrated at least nine U.S. telcos' infrastructure, and have been hard to eject.

via Photographer Marjory Collins in New York City, NY, USA, January 1943, Blowing Horns on Bleeker Street, New Year's Day

The post A Happy, Prosperous & Safe New Year Wish For All appeared first on Security Boulevard.