Aggregator

A vulnerability was found in actionpack Gem on Ruby and classified as problematic. This issue affects the function redirect_to. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2023-28362. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

Microsoft says it will soon fix a known issue causing CPU spikes when typing messages in recent versions of its classic Outlook email client. [...]

A vulnerability, which was classified as problematic, has been found in LibTIFF. Affected by this issue is some unknown functionality of the file tif_dir.c. The manipulation leads to null pointer dereference. This vulnerability is handled as CVE-2023-2908. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in LibTIFF 4.5.0. It has been rated as critical. Affected by this issue is the function rotateImage of the file /tools/tiffcrop.c. The manipulation leads to heap-based buffer overflow. This vulnerability is handled as CVE-2023-25433. The attack may be launched remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Western Digital My Cloud OS up to 5.26.202 and classified as critical. This issue affects some unknown processing of the component CGI File Handler. The manipulation leads to command injection. The identification of this vulnerability is CVE-2023-22815. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

Detectify announced new Asset Classification and Scan Recommendations capabilities. This innovation directly addresses a critical challenge for security teams: knowing what else, beyond their core applications, requires in-depth testing. The new features automatically classify discovered web assets based on attacker reconnaissance techniques and deliver recommendations on where to run DAST, helping organizations bridge the gap between broad and deep vulnerability testing across their entire attack surface. Security teams know they must test their main applications, … More →

The post Detectify Asset Classification and Scan Recommendations improves vulnerability testing appeared first on Help Net Security.

俄罗斯安全公司 Dr.Web 披露了针对前线军人的新 Android 间谍软件。该间谍软件会窃取感染设备的联系人信息并跟踪他们的位置。间谍软件隐藏在修改版的地图软件 Alpine Quest 中，该软件的用户包括了在乌克兰前线作战的俄罗斯军人。软件可以显示各种地形图，可以离线或在线使用。植入了间谍软件的 Alpine Quest 通过 Telegram 频道和非官方的 Android 应用库推广。Dr.Web 的研究人员将其恶意模块命名为 Android.Spy.1292.origin 中，它窃取的信息包括：手机号码及其账户、通讯录、当前日期、当前地理位置、存储文件相关信息——如果存在攻击者感兴趣的文件他们会进行窃取。

The Federal Bureau of Investigation (FBI), in partnership with the U.S. Department of State, has announced a reward of up to $10 million for information leading to the identification or location of individuals connected to the recent “Salt Typhoon” cyberattacks. The campaign, which is believed to be linked to actors affiliated with the People’s Republic […]

The post FBI Offers $10 Million Reward for information on Salt Typhoon Hackers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

Rubrik announced its upcoming solution, Identity Resilience, designed to secure the entire identity landscape alongside data. Identity Resilience aims to protect the most common entry points for attackers – human and non-human identities (NHIs) – to help organizations maintain operations with minimal downtime. Identity Resilience aims to address a blindspot in enterprise security. A critical piece of infrastructure utilized by a vast majority of organizations, identity remains a consistent target for hackers. When compromised, these … More →

The post Rubrik Identity Resilience protects vulnerable authentication infrastructure appeared first on Help Net Security.

Hackers Deploying Infostealers for Data and Credential Theft
Hacks targeting cloud infrastructure rose significantly last year, with attackers exploiting misconfiguration and single sign-on features to deploy infostealers for data and credential theft. Hackers target centralized cloud assets secured with single sign-ons.

Experts Say White House AI Plan May Spur Innovation But Leave School Data at Risk
The White House issued an executive order Wednesday to expand the use of new artificial intelligence tools in U.S. K–12 schools, drawing expert warnings over the lack of cybersecurity safeguards to prevent data leaks or misuse by AI firms for model training.

通过LLM构建的、基于问题的安全事件标准化调查方案

电信运营商、银行金融机构、高校研究机构以及腾讯云在内的多位专家分享了金融电信网络诈骗真实案例、金融反诈最佳实践、AI应用技术方案，并共同发起体系化金融反诈联合倡议。

Microsoft делает ход конем, невольно блокируя обновления.

BreachLock AEV automates multistep, threat-intelligence-led attack scenarios—helping security teams uncover real exposures and prioritize what matters most. Going beyond just showing security teams their risk, BreachLock Adversarial Exposure Validation simulates how real-world adversaries would exploit it by mirroring their behavior with business-aware context throughout each phase of the BreachLock AEV workflow –– from discovery to exploitation. BreachLock AEV enables enterprises to launch automated multi-stage, complex red teaming engagements supercharged by generative AI across multiple threat … More →

The post BreachLock AEV simulates real attacks to validate and prioritize exposures appeared first on Help Net Security.

A vulnerability, which was classified as problematic, was found in Shopizer 1.1.5. This affects an unknown part. The manipulation of the argument Status leads to cross site scripting. This vulnerability is uniquely identified as CVE-2014-4965. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.