CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js — Codean Labs
This post details CVE-2024-4367, a vulnerability in PDF.js found by Codean Labs. PDF.js is a JavaScript-based PDF viewer maintained by Mozilla. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. This affects all Firefox users (<126) because PDF.js is used by Firefox to show PDF files, but also seriously impacts many web- and Electron-based a
Critical Jenkins Vulnerability Exposes Servers to RCE Attacks - Patch ASAP!
The maintainers of the open-source continuous integration/continuous delivery and deployment (CI/CD) automation software Jenkins have resolved nine security flaws, including a critical bug that, if successfully exploited, could result in remote code execution (RCE). The issue, assigned the CVE identifier CVE-2024-23897, has been described as an arbitrary file read vulnerability through the built-i
Common Vulnerability Scoring System
CVSS version 4.0 is the next generation of the Common Vulnerability Scoring System standard. Some of the changes incorporated into CVSS v4.0 include: Reinforce the concept that CVSS it not just the Base score New nomenclature has been added to identify combinations of Base (CVSS-B), Base + Threat (CVSS-BT), Base + Environmental (CVSS-BE), and Base + Threat + Environmental (CVSS-BTE) Finer granular
Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11 · curl/curl · Discussion #12026
We are cutting the release cycle short and will release curl 8.4.0 on October 11, including fixes for a severity HIGH CVE and one severity LOW. The one rated HIGH is probably the worst curl security flaw in a long time. The new version and details about the two CVEs will be published around 06:00 UTC on the release day. CVE-2023-38545: severity HIGH (affects both libcurl and the curl tool) CVE-202
Basecamp disclosed on HackerOne: AWS keys and user cookie leakage...
Basecamp supports uploading SVG pictures as avatars. Apparently, they are converted via an outdated librsvg version at Basecamp's servers. This version contains a vulnerability that allows leakage of the contents of an uninitialized memory block (that is, something is malloced, never initialized, and then used to build the preview image). Since it seems to be performed in the same unix process...
Alert: Apache Superset Vulnerabilities Expose Servers to Remote Code Execution Attacks
Patches have been released to address two new security vulnerabilities in Apache Superset that could be exploited by an attacker to gain remote code execution on affected systems. The update (version 2.1.1) plugs CVE-2023-39265 and CVE-2023-37941, which make it possible to conduct nefarious actions once a bad actor is able to gain control of Superset's metadata database. Outside of these weaknesse
Compromised Microsoft Key: More Impactful Than We Thought | Wiz Blog
Microsoft and CISA recently disclosed a security incident impacting multiple customers of Exchange Online and Outlook.com. According to Microsoft, this incident stemmed from a threat actor attributed to China, Storm-0558, acquiring a private encryption key (MSA key) and using it to forge access tokens for Outlook Web Access (OWA) and Outlook.com. Additionally, the threat actor reportedly exploited
Critical OAuth Vulnerability in Expo Framework Allows Account Hijacking
A critical security vulnerability has been disclosed in the Open Authorization (OAuth) implementation of the application development framework Expo.io. The shortcoming, assigned the CVE identifier CVE-2023-28131, has a severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs said the issue rendered services using the framework susceptible to credential leakage, which could th
リリース、障害情報などのサービスのお知らせ
最新の人気エントリーの配信
j次のブックマーク
k前のブックマーク
lあとで読む
eコメント一覧を開く
oページを開く
OXO vulnerability scanning orchestrator for the modern age
Critical GitHub Enterprise Server Flaw Allows Authentication Bypass
多くのプログラミング言語に危険な脆弱性 ~Windows環境の引数エスケープ処理に不備「Rust」「PHP」「Node.js」「Haskell」などに影響/
GitHub - vusec/ghostrace
GitHub - Speykious/cve-rs: Blazingly 🔥 fast 🚀 memory vulnerabilities, written in 100% safe Rust. 🦀
New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now
Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access
NVD - CVE-2023-5129
Stable Channel Update for Desktop
Release Metabase v0.46.6.1 · metabase/metabase
Amazon Inspector announces the general availability of Code Scans for AWS Lambda function
New initiatives to reduce the risk of vulnerabilities and protect researchers