How Soccer’s 2022 World Cup in Qatar Was Nearly Hacked

April 3, 2024 at 05:06PM A security vendor reports that a China-linked threat actor gained access to a router configuration database, posing a significant risk of completely disrupting coverage. The threat actor's access to the router configuration database posed a significant risk of …

Critical Vulnerability Found in LayerSlider Plugin Installed on a Million WordPress Sites

April 3, 2024 at 09:18AM A critical SQL injection vulnerability in the LayerSlider plugin, tracked as CVE-2024-2879 with a CVSS score of 9.8, allows unauthenticated attackers to extract sensitive information from website databases. The issue was reported through Defiant’s bug bounty program, and a $5,500 reward was given to the reporting researcher. Users are advised …

Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

April 3, 2024 at 02:03AM A critical security flaw (CVE-2024-2879) in the LayerSlider plugin for WordPress, with a CVSS score of 9.8, could lead to information extraction from databases. The vulnerability, fixed in version 7.10.1, arose from SQL injection and could allow unauthenticated attackers to manipulate SQL queries. Other WordPress plugins have also disclosed security vulnerabilities …

Hotel Self Check-In Kiosks Exposed Room Access Codes

April 2, 2024 at 10:03AM Pentagrid reported a vulnerability in self check-in kiosks at Ibis Budget hotels, potentially exposing keypad codes used to enter rooms. The vulnerability was found in Germany, but likely impacted other European hotels. Accor, the brand owner, promptly addressed the issue. The flaw could have allowed unauthorized room access, posing a …

Malicious Code in XZ Utils for Linux Systems Enables Remote Code Execution

April 2, 2024 at 09:39AM A supply chain compromise in the open-source library XZ Utils has led to a backdoor being inserted, facilitating remote code execution, with the perpetrator deliberately working to gain maintainership. The sophisticated attack, spanning years, has potentially compromised numerous systems. This discovery highlights the risks posed by reliance on open-source software …

Easy-to-use make-me-root exploit lands for recent Linux kernels. Get patching

March 29, 2024 at 05:50PM A Linux privilege-escalation exploit affecting kernel versions 5.14 to 6.6.14 has been detailed by bug hunter Notselwyn. Tracked as CVE-2024-1086, the flaw allows unauthorized root access, posing risks of damage and full system control. Highly severe, it has been patched, making updates essential. Notselwyn’s PoC source code enables simple exploitation, underscoring the …

New Linux Bug Could Lead to User Password Leaks and Clipboard Hijacking

March 29, 2024 at 07:09AM A vulnerability in the “wall” command of the util-linux package, tracked as CVE-2024-28085, allows unprivileged users to manipulate other users’ terminals on certain Linux distributions. This could lead to password leaks or clipboard alteration. Users are advised to update to util-linux version 2.40 to address this issue. Another vulnerability, CVE-2024-1086, …

Code Execution Flaws Haunt NVIDIA ChatRTX for Windows

March 27, 2024 at 03:00PM NVIDIA issued urgent patches for two high-risk vulnerabilities in its ChatRTX for Windows app, which could lead to code execution and data tampering attacks. The flaws, with severity scores of 8.2/10 and 6.5/10, impact versions 0.2 and earlier. The app is used for connecting PC LLMs to data using retrieval-augmented …

CISA tags Microsoft SharePoint RCE bug as actively exploited

March 27, 2024 at 12:30PM CISA warns of attackers exploiting a Microsoft SharePoint vulnerability, enabling remote code execution and admin privilege takeover. Nguyễn Tiến Giang earned $100,000 for demonstrating its exploitation. Multiple proof-of-concept exploits have emerged, prompting CISA to order patching by January 31. This poses a significant risk, emphasizing the need for quick patching …

Critical Unpatched Ray AI Platform Vulnerability Exploited for Cryptocurrency Mining

March 27, 2024 at 07:03AM Researchers warn that threat actors are actively exploiting an unpatched vulnerability in the open-source artificial intelligence platform Anyscale Ray to hijack computing power for illicit cryptocurrency mining, affecting various sectors. The vulnerability, CVE-2023-48022, allows remote attackers to execute arbitrary code, leading to the breach of sensitive data and potential long-term …