Apache OFBiz Update Fixes High-Severity Flaw Leading to Remote Code Execution

September 6, 2024 at 01:39AM A high-severity vulnerability (CVE-2024-45195) in the Apache OFBiz ERP system allows unauthenticated remote code execution. The flaw, impacting all versions before 18.12.16, lets attackers execute arbitrary code and has been used to deploy the Mirai botnet malware. The latest patch also tackles a critical SSRF vulnerability (CVE-2024-45507). Key takeaways from the …

Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data

August 21, 2024 at 12:36PM Researchers have uncovered a critical security flaw in Microsoft’s Copilot Studio (CVE-2024-38206) that allows unauthorized access to sensitive information. Microsoft has addressed the vulnerability and stated no customer action is required. The disclosure follows the announcement of security flaws in Microsoft’s Azure Health Bot Service and the upcoming enforcement of …

Microsoft Azure AI Health Bot Infected With Critical Vulnerabilities

August 13, 2024 at 02:40PM Multiple privilege escalation issues in Microsoft Azure’s Health Bot service allowed server-side request forgery and potential access to cross-tenant resources. Quickly patched by Microsoft, these vulnerabilities highlight concerns about chatbot risks, specifically regarding access to sensitive health information. Tenable Research found that exploitation could lead to management capabilities for other …

Hackers exploit Ivanti SSRF flaw to deploy new DSLog backdoor

February 12, 2024 at 11:32AM Hackers are exploiting a server-side request forgery (SSRF) vulnerability in Ivanti products to deploy the DSLog backdoor, allowing remote command execution. The vulnerability, tracked as CVE-2024-21893, affects SAML components and enables an authentication bypass. Successful attacks have been reported, prompting the release of security updates to mitigate the risk. Key takeaways …

Recent SSRF Flaw in Ivanti VPN Products Undergoes Mass Exploitation

February 6, 2024 at 03:15AM A server-side request forgery (SSRF) vulnerability in Ivanti products is being widely exploited, leading to mass attacks from over 170 unique IP addresses. The exploit allows unauthorized access to restricted resources. Security firm Rapid7 released a proof-of-concept exploit, and outdated open-source components in Ivanti VPN appliances pose further security risks. …

Newest Ivanti SSRF zero-day now under mass exploitation

February 5, 2024 at 11:00AM Ivanti Connect Secure and Policy Secure are being exploited through an SSRF vulnerability, tracked as CVE-2024-21893, allowing attackers to bypass authentication and access restricted resources on vulnerable devices. The exploitation volume is significantly high, leading to U.S. CISA’s directive for federal agencies to disconnect and upgrade affected appliances to the …

SAP Releases 7 New Notes on October 2023 Patch Day

October 10, 2023 at 10:48AM German software maker SAP has released a total of seven new and two updated security notes as part of its October 2023 Security Patch Day. The most severe note updates the Chromium browser in SAP Business Client, fixing 37 vulnerabilities, including two critical ones. One critical flaw, CVE-2023-4863, is already …