Paid Memberships Pro: CVE-2023-23488 - Unauthenticated SQL Injection
Easy Digital Downloads: CVE-2023-23489 - Unauthenticated SQL Injection
Survey Maker: CVE-2023-23490 - Authenticated SQL Injection
On 2022-12-11, I decided to set up Secure Boot on my new desktop with the help of sbctl. Unfortunately, I found that my firmware was… accepting every OS image I gave it, whether it was trusted or not. It wasn't the first time I had been self-signing for Secure Boot; I wasn't doing it wrong.
As I later discovered on 2022-12-16, it wasn't just broken firmware: MSI had changed their Secure Boot defaults to allow booting on security violations (!!).
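A quick way to see what the firmware itself reports from Linux is to parse the SecureBoot and SetupMode variables in efivarfs. The following is an added example, not code from the post above or from sbctl; it assumes the usual efivarfs mount point and the EFI global-variable GUID from the UEFI specification, and the sample byte strings are constructed. The point the post makes is exactly why the verdict is hedged: a SecureBoot=1 reading is necessary but not sufficient, and only test-booting an image signed with a key that is not enrolled proves enforcement.

```python
"""Read the firmware's Secure Boot flags from efivarfs.
Added example (not from the post or sbctl). Assumes the standard
/sys/firmware/efi/efivars mount and the UEFI global-variable GUID."""
import struct
from pathlib import Path

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_VARIABLE_RUNTIME_ACCESS = 0x4

# Constructed samples: 4 attribute bytes (BS|RT = 0x06) followed by one data byte.
SAMPLE_SECURE_BOOT_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_SETUP_MODE_OFF = b"\x06\x00\x00\x00\x00"


def parse_efivar(raw: bytes) -> tuple[int, bytes]:
    """efivarfs exposes a variable as a little-endian uint32 of attributes
    followed by the variable's data."""
    if len(raw) < 4:
        raise ValueError("efivarfs record shorter than the attribute header")
    (attrs,) = struct.unpack("<I", raw[:4])
    return attrs, raw[4:]


def boolean_var(raw: bytes) -> bool:
    """SecureBoot and SetupMode are single-byte variables where 1 means on."""
    attrs, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte variable, got {len(data)} bytes")
    if not attrs & EFI_VARIABLE_RUNTIME_ACCESS:
        raise ValueError("variable is not runtime-accessible; not a firmware boot flag")
    return data[0] == 1


def assess(secure_boot_raw: bytes, setup_mode_raw: bytes) -> dict:
    """Combine the two flags into a verdict. SecureBoot=1 does not prove the
    firmware rejects untrusted images (the MSI firmware above reported it
    while booting anything), so that case is flagged for a boot test."""
    enabled = boolean_var(secure_boot_raw)
    setup_mode = boolean_var(setup_mode_raw)
    if setup_mode:
        verdict = "setup mode: key databases are writable and nothing is verified"
    elif not enabled:
        verdict = "Secure Boot disabled"
    else:
        verdict = "reported enabled; confirm enforcement by test-booting an unsigned image"
    return {"secure_boot": enabled, "setup_mode": setup_mode, "verdict": verdict}


def read_var(name: str) -> bytes:
    """Read a global-GUID variable from the live system."""
    return (EFIVARS / f"{name}-{EFI_GLOBAL_GUID}").read_bytes()


if __name__ == "__main__":
    if EFIVARS.is_dir():
        print(assess(read_var("SecureBoot"), read_var("SetupMode")))
    else:
        print("efivarfs not mounted: legacy BIOS/CSM boot, or EFI runtime disabled")
```

Run it as root or with read access to efivarfs; on a machine with the firmware behaviour described above it will still print "reported enabled", which is the whole problem.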
How Finland Is Teaching a Generation to Spot Misinformation
The Nordic country is testing new ways to teach students about propaganda. Here’s what other countries can learn from its success.
The postal service has been unable to send letters and parcels overseas since Wednesday because of the attack.
Royal Mail has been hit by a ransomware attack by a criminal group, which has threatened to publish the stolen information online.
The postal service has received a ransom note purporting to be from LockBit, a hacker group widely thought to have close links to Russia.
Video messaging giant Zoom has released patches for multiple security vulnerabilities that expose both Windows and macOS users to malicious hacker attacks.
Threema is a Swiss encrypted messaging application. It has more than 10 million users and more than 7000 on-premise customers. Prominent users of Threema include the Swiss Government and the Swiss Army, as well as the current Chancellor of Germany, Olaf Scholz. Threema has been widely advertised as a secure alternative to other messengers.
In our work, we present seven attacks against the cryptographic protocols used by Threema, in three distinct threat models. All the attacks are accompanied by proof-of-concept implementations that demonstrate their feasibility in practice.
On 29 December 2022, the CNIL's restricted committee imposed an administrative fine of 8 million euros on the company APPLE DISTRIBUTION INTERNATIONAL because it did not obtain the consent of French iPhone users (iOS 14.6) before storing and/or writing identifiers used for advertising purposes on their devices.
After inadvertently finding that InfoSys leaked an AWS key on PyPI, I wanted to know how many other live AWS keys might be present on the Python Package Index. After scanning every release published to PyPI, I found 57 valid access keys from organisations like:
Amazon themselves 😅
Intel
Stanford, Portland and Louisiana University
The Australian Government
General Atomics fusion department
Teradata
Delta Lake
And Top Glove, the world's largest glove manufacturer 🧤