Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability

December 3, 2024 at 08:57AM Cisco has updated its advisory regarding a decade-old vulnerability (CVE-2014-2120) in its Adaptive Security Appliance, which is being actively exploited. The flaw allows cross-site scripting attacks via the WebVPN login page. Users are urged to update their systems as it was added to CISA’s KEV catalog for urgent remediation. … Read more

VMware Patches High-Severity Vulnerabilities in Aria Operations

November 26, 2024 at 09:39AM VMware released a high-severity bulletin addressing five security vulnerabilities in its Aria Operations product, affecting versions 8.x and VMware Cloud Foundation 4.x and 5.x. Patches are available to fix local privilege escalation and cross-site scripting exploits. Users are urged to apply patches urgently as no workarounds exist. … Read more

About the security content of visionOS 2.1.1 – Apple Support

November 19, 2024 at 02:43PM Apple has addressed two security vulnerabilities in visionOS 2.1.1 for the Apple Vision Pro, with release set for November 19, 2024. CVE-2024-44308 involves potential arbitrary code execution from malicious web content, while CVE-2024-44309 addresses cookie management issues that could lead to cross-site scripting attacks. … Read more

About the security content of macOS Sequoia 15.1.1 – Apple Support

November 19, 2024 at 01:54PM Apple has addressed two security vulnerabilities in macOS Sequoia 15.1.1 (CVE-2024-44308 and CVE-2024-44309), which involve arbitrary code execution and cross-site scripting attacks, respectively. Both issues may have been actively exploited on Intel-based Mac systems, with updates now available. Release date is November 19, 2024. … Read more

About the security content of tvOS 18 – Apple Support

October 13, 2024 at 02:30PM A security update for tvOS 18, available for Apple TV HD and 4K models, addresses multiple CVEs, including input validation and integrity issues, which could lead to app termination, denial-of-service, unauthorized Bluetooth access, cross-site scripting, and data exfiltration. Release date is September 16, 2024. … Read more

WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks

October 4, 2024 at 06:00AM A high-severity security flaw in the LiteSpeed Cache plugin for WordPress (CVE-2024-47374) allows for arbitrary JavaScript code execution. The flaw was patched in version 6.5.1 on September 25, 2024, after being responsibly disclosed. This vulnerability could enable privilege escalation and affects all versions up to 6.5.0.2, potentially impacting the over … Read more

Netgear warns users to patch auth bypass, XSS router flaws

July 12, 2024 at 11:57AM Netgear issues urgent firmware update for multiple WiFi 6 router models to address stored XSS and authentication bypass vulnerabilities. Successful exploitation can lead to session hijacking, information theft, and unauthorized access, posing significant security risks. Users are strongly advised to immediately update their router firmware through Netgear Support to mitigate … Read more

High-severity GitLab flaw lets attackers take over accounts

May 23, 2024 at 01:50PM GitLab addressed a high-severity XSS vulnerability allowing unauthenticated attackers to compromise user accounts. Additionally, six medium-severity flaws were fixed, including a CSRF issue and a denial-of-service bug. These vulnerabilities allowed for account takeovers and disruption of services. GitLab urged immediate software updates due to potential impacts on sensitive data and … Read more

AWS Patches Critical ‘FlowFixation’ Bug in Airflow Service to Prevent Session Hijacking

March 22, 2024 at 10:03AM Cybersecurity researchers detailed a security vulnerability in AWS Managed Workflows for Apache Airflow that’s now fixed by AWS, named FlowFixation by Tenable. It could allow a threat actor to hijack sessions, achieve code execution, and perform same-site attacks, impacting AWS, Azure, and Google Cloud. Both AWS and Azure have addressed … Read more

Ultimate Member Plugin Flaw Exposes 100,000 WordPress Sites to Attacks

March 11, 2024 at 11:15AM A high-severity vulnerability in the Ultimate Member plugin (CVE-2024-2123) enables injection of malicious scripts into WordPress sites. Insufficient input sanitization and output escaping in the plugin’s members directory list functionality allow unauthenticated attackers to inject web scripts and potentially gain administrative user access. Patch released on March 6, impacting versions 2.8.3 and … Read more