All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
CVE-2020-8615 is a CSRF vulnerability (cross-site request forgery, where an attacker tricks a user into performing unwanted actions on a website they're logged into) in the Tutor LMS plugin for WordPress before version 1.5.3. An attacker could exploit this to approve themselves as an instructor or block legitimate instructors without proper authorization.
Fix: Update the Tutor LMS plugin to version 1.5.3 or later.
NVD/CVE Database
TensorFlow versions before 1.15.2 and 2.0.1 have a bug where converting a string to a tf.float16 value (a 16-bit floating-point number) causes a segmentation fault (a crash where the program tries to access memory it shouldn't). This vulnerability can be exploited by attackers sending malicious data containing strings instead of the expected number format, leading to denial of service (making the system unavailable) during AI model training or inference (using a trained model to make predictions).
A directory traversal vulnerability (a type of attack where an attacker uses special path characters like '../' to access files outside the intended directory) in Ruckus Wireless Unleashed version 200.7.10.102.64 and earlier allows a remote attacker to escape the CLI (command-line interface, a text-based way to control software) by using '../../../bin/sh' as a parameter in the debug script execution function. This gives the attacker unauthorized access to the underlying system.
CVE-2019-8760 is a vulnerability in Face ID (Apple's facial recognition system) where a 3D model made to look like an enrolled user could trick the system into unlocking a device. The vulnerability is classified as an improper authentication issue (CWE-287, a weakness in how systems verify identity).
TensorFlow versions before 1.15 had a heap buffer overflow (a type of memory access bug where a program writes beyond the boundaries of allocated memory) in the UnsortedSegmentSum function when using 32-bit integers, causing some large numbers to be incorrectly converted to negative values and leading to out-of-bounds memory access. The vulnerability was considered unlikely to be exploitable and was fixed internally in TensorFlow 1.15 and 2.0.
This is an announcement for a book called 'Cybersecurity Attacks - Red Team Strategies' that teaches red teaming (simulated attack techniques used to test an organization's defenses) tactics and procedures. The book covers both team management aspects and technical content, but differs from typical penetration testing (authorized security testing where professionals try to break into systems to find vulnerabilities) books by focusing less on common tools and more on foundational strategies.
MITRE updated its ATT&CK Framework (a catalog of known adversary techniques and tactics) to include cloud-based attack methods, specifically focusing on stealing web session cookies (small files that store login information) and using them to move laterally (gain access to other systems within a network). The update documents two main techniques: stealing cookies during credential access attacks and using stolen cookies for lateral movement within a network.
Sourcecodester Online Grading System version 1.0 has a critical security flaw called SQL injection (a technique where attackers insert malicious database commands into user inputs). Attackers can exploit this vulnerability without needing to log in by targeting specific input fields like student ID or class ID, allowing them to run unauthorized commands on the system's database.
CVE-2019-2981 is a vulnerability in Oracle's JAXP component (a Java library for processing XML data) that affects multiple versions of Java SE and Java SE Embedded. An attacker with network access can exploit this vulnerability to cause a partial denial of service (temporary disruption of service), particularly in Java applications that run untrusted code from the internet.
CVE-2019-2973 is a vulnerability in Oracle Java SE's JAXP component (a tool for processing XML data) that affects versions 7u231, 8u221, 11.0.4, 13, and Java SE Embedded 8u221. An unauthenticated attacker with network access can exploit this flaw to cause a partial denial of service (temporary disruption where the system becomes partially unavailable), particularly in Java applications that run untrusted code from the internet.
CVE-2019-17206 is a vulnerability in rediswrapper (a Redis Wrapper library) before version 0.3.0 that allows attackers to execute arbitrary scripts through uncontrolled deserialization of pickled objects (a Python serialization format that can be exploited if data comes from an untrusted source). The vulnerability exists in the models.py file and is caused by unsafe handling of serialized data.
Coinbase was attacked using Firefox 0-days (previously unknown security flaws in Firefox) to steal browser session tokens, which are credentials stored in browser data files that let attackers access cloud services like Gmail without needing passwords. The attackers specifically targeted these token files through direct access to browser datastores (the storage locations where browsers save data), which is unusual behavior that could be detected by monitoring which processes access these files.
This article discusses 'Homefield Advantage' as a security concept, meaning that a mature security team should have natural advantages when defending their own systems, similar to how sports teams perform better at home. The author argues that security programs should recognize and leverage these inherent benefits, such as familiarity with their own environment and systems.
This is a disclaimer notice from a blog called WUNDERWUZZI stating that penetration testing (authorized attempts to find security weaknesses in systems) must have proper permission, and that the blog's content is for educational purposes to help people understand security attacks and defenses.
BashSpray is a password spray tool (a script that tests many accounts with common weak passwords to find security gaps) that red teams (security professionals hired to test defenses) can use to identify weak passwords in their organization. The tool works on both Mac and Windows systems, and ideally should be integrated into security response workflows so that affected users and security teams are notified to change passwords and investigate if needed.
This article discusses how to interact with Active Directory (a system that manages users and computers on networks) on macOS computers. It describes three approaches: using macOS's built-in Directory Utility, using Apache Directory Studio (a third-party tool), or writing custom scripts with LDAP (Lightweight Directory Access Protocol, the standard way to query directory systems) commands.
Google's login system leaks alternate email addresses to anyone who calls an unauthenticated endpoint (a service that doesn't require you to prove who you are) with just an email address. An attacker could use this to find backup accounts linked to a target email, then use those accounts for phishing (tricking people into giving up passwords) or to take over the main account if the alternate email is set up for password recovery.
Lyrebird is a security tool that takes a screenshot of your desktop and then monitors your computer by using the webcam to photograph anyone who tries to use it while you're away. The tool is designed to catch people who access an unattended workstation, helping you identify if someone has tampered with your computer.
Fix: Update to TensorFlow 1.15.1, 2.0.1, or 2.1.0, as the vulnerability is patched in these versions. The source states: 'Users are encouraged to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0.'
NVD/CVE Database
Oracle Coherence, a caching component in Oracle Fusion Middleware, has a critical vulnerability (CVE-2020-2555) that allows attackers without credentials to take over the system through network access via T3 (a network protocol). The vulnerability affects versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, and 12.2.1.4.0, and has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 9.8, indicating it is extremely serious.
Fix: This issue is fixed in iOS 13. The fix was addressed by improving Face ID machine learning models (the AI algorithms that help Face ID recognize faces).
NVD/CVE Database
Fix: Update to TensorFlow 1.15 or 2.0, as the vulnerability was "detected and fixed internally in TensorFlow 1.15 and 2.0."
NVD/CVE Database
Fix: Upgrade to rediswrapper version 0.3.0 or later. The fix is available in the release at https://github.com/frostming/rediswrapper/releases/tag/v0.3.0 and was implemented in pull request https://github.com/frostming/rediswrapper/pull/1.
NVD/CVE Database
Aptana Jaxer version 1.0.3.4547 has a local file inclusion vulnerability (a weakness that lets attackers read files they shouldn't access) in its wikilite source code viewer. A remote attacker can exploit this by using a specially crafted URL with '../' characters to read internal files on the server.
Fix: A patch is available in the GitHub repository at https://github.com/aptana/Jaxer/commits/master.
NVD/CVE Database
Fix: The source mentions two mitigations: (1) 'Remove all alternate account associations' and (2) 'Make sure that any alternate account is not your password recovery or 2FA to minimize attack surface.' However, these are user-level workarounds. Google declined to fix the issue itself after review.