Chrome 120 Update Patches High-Severity Vulnerabilities

December 13, 2023 at 07:00AM Google announced a Chrome 120 security update addressing nine vulnerabilities, six of them reported by external researchers. The most severe is a type confusion bug in the V8 JavaScript engine, tracked as CVE-2023-6702. Google paid out bug bounties totaling $50,000 and, as usual, is restricting access to vulnerability details until most users have updated. The … Read more

About the security content of iOS 17.2 and iPadOS 17.2 – Apple Support

December 11, 2023 at 01:45PM Apple has addressed multiple security vulnerabilities in iOS 17.2 and iPadOS 17.2. The issues involve data redaction, memory handling, and disclosure of sensitive information. Affected components include Accounts, AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, Siri, and WebKit. The update is available for eligible devices. … Read more

Apache Patches Critical RCE Vulnerability in Struts 2

December 11, 2023 at 07:48AM The Apache Software Foundation released security updates addressing a critical vulnerability in the file upload handling of Struts 2, which can be exploited to upload a malicious file and execute arbitrary code remotely. Tracked as CVE-2023-50164, the flaw affects Struts versions 2.0.0 to 2.3.37, 2.5.0 to 2.5.32, and 6.0.0 to 6.3.0. The vulnerability was patched in Struts versions … Read more
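The Struts item above describes the general class of defect behind upload-to-RCE bugs: an upload handler that lets the client influence where the file lands. The example below is added here for illustration and is not code from Struts or from the article; it shows, in Python, a naive handler that joins the client-supplied name onto the upload directory beside a hardened one that reduces the name to a base name, allow-lists characters and extensions, and verifies the resolved target still lies inside the upload root. The upload directory, the allow-list, and the sample filenames are assumptions constructed for the example.

```python
import os
import re

# Assumed upload root and extension allow-list (hypothetical values for the example).
UPLOAD_DIR = "/srv/app/uploads"
ALLOWED_EXT = {".png", ".jpg", ".pdf"}

# Base name only: letters, digits, dot, underscore, hyphen; bounded length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,100}$")


def unsafe_target_path(client_filename: str) -> str:
    """Vulnerable pattern: trust the client-supplied filename.

    os.path.join keeps '../' segments, and an absolute client value
    replaces UPLOAD_DIR entirely, so the upload can be written anywhere
    the service account has write access (e.g. into a web root).
    """
    return os.path.join(UPLOAD_DIR, client_filename)


def safe_target_path(client_filename: str) -> str:
    """Hardened pattern: derive the target from a validated base name.

    1. Strip any directory part, whether '/' or '\\' separated.
    2. Allow-list the remaining characters and the extension.
    3. Resolve the final path and confirm it is still under UPLOAD_DIR
       (defence in depth against symlinks or future changes to step 1).
    """
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", "..") or not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"rejected filename: {client_filename!r}")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"rejected extension: {ext!r}")
    root = os.path.realpath(UPLOAD_DIR)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload directory")
    return target


def escapes_upload_dir(path: str) -> bool:
    """True if `path`, once resolved, lies outside UPLOAD_DIR."""
    root = os.path.realpath(UPLOAD_DIR)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def accepts(client_filename: str) -> bool:
    """Convenience wrapper: does the hardened handler accept this name?"""
    try:
        safe_target_path(client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs an attacker might submit as the upload name.
    for sample in ("report.pdf", "../../webapps/ROOT/shell.jsp",
                   "..\\..\\evil.png", "/etc/cron.d/job.png"):
        naive = unsafe_target_path(sample)
        print(f"{sample!r:32} naive -> {naive}  escapes={escapes_upload_dir(naive)}"
              f"  hardened accepts={accepts(sample)}")
```

The naive handler is the one to look for in code review: any `os.path.join(upload_root, user_value)` (or its Java equivalent) without a base-name step and a containment check. The allow-list on extensions is what stops the hardened version from accepting a server-side script even when the traversal is neutralised.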

About the security content of GarageBand 10.4.9 – Apple Support

December 8, 2023 at 12:33PM Apple support article HT214042, released on 2023-11-06, addresses CVE-2023-42867, a flaw that could allow an app to gain root privileges through GarageBand. The fix improves validation of process entitlements and Team IDs. Updates are available for macOS Ventura and macOS Sonoma. … Read more

Chrome 120 Patches 10 Vulnerabilities

December 6, 2023 at 09:48AM Chrome 120 has been released in the stable channel, fixing 10 vulnerabilities, five of which were reported externally. … Read more

Exploit for CrushFTP RCE chain released, patch now

November 18, 2023 at 10:32PM A proof-of-concept exploit for a critical remote code execution chain in CrushFTP has been publicly released. Successful exploitation lets attackers read files, execute code, and obtain passwords. The developers fixed the chain in CrushFTP 10.5.2, but the researchers caution that applying the patch alone may not address every exposure. Users should update to the latest version, … Read more

Microsoft: SysAid zero-day flaw exploited in Clop ransomware attacks

November 9, 2023 at 09:33AM Threat actors are exploiting a zero-day vulnerability in SysAid software to gain unauthorized access to corporate servers for data theft and ransomware deployment. The vulnerability, tracked as CVE-2023-47246, was used by the threat actor Microsoft tracks as Lace Tempest to deploy Clop ransomware. SysAid has developed a patch and urges … Read more

3,000 Apache ActiveMQ servers vulnerable to RCE attacks exposed online

November 1, 2023 at 02:11PM Over 3,000 internet-exposed Apache ActiveMQ servers are vulnerable to a newly disclosed critical remote code execution (RCE) vulnerability, tracked as CVE-2023-46604. Exploiting the flaw allows attackers to execute arbitrary shell commands on the server. Several ActiveMQ version lines are affected, and patches have been released for each. Researchers have found … Read more

As Citrix Urges Its Clients to Patch, Researchers Release an Exploit

October 25, 2023 at 04:08PM Citrix has released a critical security update for a NetScaler vulnerability, but a working exploit is now also publicly available. The exploit is straightforward to use and allows attackers to read session tokens and gain access to the environments behind the appliance. Patching alone is not enough: sessions hijacked before the fix remain valid after the update, so existing sessions must be terminated once the patch is applied. … Read more