SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks

September 17, 2024 at 01:15AM SolarWinds released fixes for two security flaws in its Access Rights Manager (ARM) software. The critical one, CVE-2024-28991 (CVSS score 9.0), allows remote code execution; a medium-severity flaw (CVE-2024-28990) was also addressed. Security researcher Piotr Bazydlo discovered the flaws, and updating to ARM version 2024.3.1 is recommended to … Read more

Progress WhatsUp Gold Exploited Just Hours After PoC Release for Critical Flaw

September 13, 2024 at 08:15AM Malicious actors are leveraging publicly available proof-of-concept exploits for security flaws in Progress Software WhatsUp Gold, leading to opportunistic attacks within hours of the PoC's release. The attacks involved bypassing authentication and then running PowerShell scripts to download remote access tools, a pattern that suggests ransomware actors may be involved. This is the second active weaponization … Read more

Top Travel Sites Have Some First-Class Security Issues to Clean Up

August 29, 2024 at 03:45PM Top travel and hospitality companies face serious security vulnerabilities that expose their customers to risk. An investigation by security vendor Cequence found significant flaws in major booking sites including Orbitz, Kayak, Skyscanner, and Travelocity; 91% of the sites examined carried the most serious class of issues, including exposure to man-in-the-middle attacks. Cloud infrastructure issues and PCI … Read more

Google increases Chrome bug bounty rewards up to $250,000

August 28, 2024 at 01:28PM Google has increased payouts for Google Chrome security flaws reported through its Vulnerability Reward Program, with the maximum reward for a single bug now over $250,000, more than double the previous amount. … Read more

GitHub Patches Critical Security Flaw in Enterprise Server Granting Admin Privileges

August 22, 2024 at 02:00AM GitHub has addressed three security flaws in its Enterprise Server product, including a critical bug (CVE-2024-6800) that could grant an attacker site administrator privileges. Two medium-severity flaws have also been resolved (CVE-2024-7711, CVE-2024-6337). Users are urged to update to the latest versions (3.13.3, 3.12.8, 3.11.14, and 3.10.16) to mitigate potential … Read more

GiveWP WordPress Plugin Vulnerability Puts 100,000+ Websites at Risk

August 21, 2024 at 12:51AM A critical security flaw (CVE-2024-5932) in the GiveWP WordPress plugin allows remote code execution and affects over 100,000 websites. Researchers also disclosed vulnerabilities in other WordPress plugins (e.g., InPost PL, JS Help Desk). Patching against these flaws is crucial to prevent attacks. Website owners are advised against using nulled plugins and themes … Read more

Plane-tracking app admits user passwords, SSNs exposed for over 3 years

August 20, 2024 at 10:39AM FlightAware recently admitted that a configuration error exposed users' data for over three years. Personal data including user ID, password, email address, postal address, Social Security number, and more was compromised. The exact number of affected users is unknown, but FlightAware has 12 million registered users. Affected individuals are being prompted … Read more

Cisco, Microsoft Disagree on Severity of macOS App Vulnerabilities 

August 20, 2024 at 08:24AM Cisco discovered vulnerabilities in multiple Microsoft applications for macOS, including Outlook, Teams, PowerPoint, OneNote, Excel, and Word. Attackers could exploit these flaws to bypass system permissions, allowing unauthorized activities such as sending emails, recording audio or video, and accessing sensitive information. Microsoft acknowledges the bugs but considers them low risk, … Read more

Microsoft Issues Patches for 90 Flaws, Including 10 Critical Zero-Day Exploits

August 14, 2024 at 02:03AM Microsoft shipped fixes for 90 security flaws, 10 of them zero-days: six under active exploitation (CVE-2024-38189, CVE-2024-38178, CVE-2024-38193, CVE-2024-38106, CVE-2024-38107, and CVE-2024-38213), all of which CISA has added to its Known Exploited Vulnerabilities catalog, and four that were publicly disclosed before a patch was available (CVE-2024-38200, CVE-2024-38199, CVE-2024-21302, and CVE-2024-38198). Other vendors have … Read more

Microsoft Reveals Four OpenVPN Flaws Leading to Potential RCE and LPE

August 9, 2024 at 02:51PM Microsoft disclosed four medium-severity security flaws in OpenVPN that, chained together, enable remote code execution and local privilege escalation. The vulnerabilities affect versions prior to 2.6.10 and 2.5.10 and can lead to data breaches and system compromise. Exploitation requires user authentication and an advanced understanding of OpenVPN's inner workings. Vulnerabilities can be exploited … Read more
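Two of the entries above (GitHub Enterprise Server, fixed in 3.13.3 / 3.12.8 / 3.11.14 / 3.10.16, and OpenVPN, fixed in 2.6.10 / 2.5.10) have the same practical follow-up for a defender: given an inventory of installed versions, which hosts are still vulnerable? The check is branch-aware, since 3.11.14 is patched while 3.12.7 is not, and it has to compare numerically (2.6.10 is newer than 2.6.9, which a string comparison gets wrong) and treat pre-release builds as older than the release they precede. The following is an added example, not code from either vendor; the fixed versions are the ones quoted in the digest, the inventory is constructed for the demonstration, and the treatment of unlisted branches is an assumption stated in the comments.

```python
import re
from typing import Dict, Tuple

# (major, minor, patch, final). `final` is 1 for a release build and 0 for a
# pre-release ("-rc1", "_beta2", "_git"), so a pre-release of 2.6.10 sorts
# below the 2.6.10 release and is still reported as vulnerable.
Version = Tuple[int, int, int, int]

# Minimum fixed release per branch, as quoted in the digest entries above.
FIXED: Dict[str, Dict[Tuple[int, int], Version]] = {
    "github-enterprise-server": {
        (3, 13): (3, 13, 3, 1),
        (3, 12): (3, 12, 8, 1),
        (3, 11): (3, 11, 14, 1),
        (3, 10): (3, 10, 16, 1),
    },
    "openvpn": {
        (2, 6): (2, 6, 10, 1),
        (2, 5): (2, 5, 10, 1),
    },
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:[-_+].*)?$")
_PRERELEASE_RE = re.compile(r"[-_](rc|beta|alpha|git|dev)", re.IGNORECASE)


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch][suffix]' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    final = 0 if _PRERELEASE_RE.search(text) else 1
    return (major, minor, patch, final)


def status(product: str, installed: str) -> str:
    """Classify an installed build against the fixed versions for its branch.

    Returns one of:
      'patched'             at or above the fixed release of a listed branch
      'vulnerable'          below the fixed release of a listed branch
      'unsupported-branch'  older than every branch the advisory fixed
                            (assumption: no fix exists, so treat as vulnerable)
      'newer-than-advisory' newer than every listed branch; the digest says
                            nothing about it, so verify against the advisory
    """
    branches = FIXED[product]
    v = parse_version(installed)
    branch = (v[0], v[1])
    if branch in branches:
        return "patched" if v >= branches[branch] else "vulnerable"
    if branch < min(branches):
        return "unsupported-branch"
    return "newer-than-advisory"


def scan(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Map host -> status for an inventory of host -> (product, version)."""
    return {host: status(product, ver) for host, (product, ver) in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY: Dict[str, Tuple[str, str]] = {
    "ghes-prod-01": ("github-enterprise-server", "3.13.2"),
    "ghes-prod-02": ("github-enterprise-server", "3.11.14"),
    "ghes-legacy": ("github-enterprise-server", "3.9.9"),
    "vpn-gw-01": ("openvpn", "2.6.9"),
    "vpn-gw-02": ("openvpn", "2.6.10_rc1"),
    "vpn-gw-03": ("openvpn", "2.5.10"),
}

if __name__ == "__main__":
    for host, result in sorted(scan(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {result}")
```

The two edge cases worth noticing in the output are `ghes-legacy`, where a 3.9.x build falls outside every branch the advisory fixed and so has no patch to apply, and `vpn-gw-02`, where a 2.6.10 release candidate is reported vulnerable because the tuple comparison ranks it below the 2.6.10 release.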