LiteSpeed Cache WordPress plugin bug lets hackers get admin access

October 31, 2024 at 12:50PM The LiteSpeed Cache plugin for WordPress fixed a high-severity privilege elevation flaw (CVE-2024-50550) enabling unauthenticated users to gain admin rights. The vulnerability stemmed from weak hash checks in the role simulation feature. A patch was released on October 17, 2024, but millions remain potentially exposed. …

Google warns uBlock Origin and other extensions may be disabled soon

October 13, 2024 at 06:20PM Google’s Chrome Web Store warns that the uBlock Origin ad blocker may soon be blocked due to the deprecation of the Manifest V2 extension specification in favor of Manifest V3. Users are encouraged to switch to compatible alternatives, as advanced functionality may be limited with new versions. Manifest V2 will …

About the security content of Safari 18 – Apple Support

October 13, 2024 at 02:30PM Apple released updates for Safari 18 on September 16, 2024, addressing three cross-origin vulnerabilities (CVE-2024-40866, CVE-2024-44187, CVE-2024-40857) that could lead to data exfiltration and universal cross-site scripting. Updates are available for macOS Ventura and macOS Sonoma. Apple ID: 121241. Release date: September 16, 2024. Security vulnerabilities identified: …

Cybercriminals Use Unicode to Hide Mongolian Skimmer in E-Commerce Platforms

October 10, 2024 at 04:00AM Researchers have uncovered a new malware campaign involving the Mongolian Skimmer, using Unicode obfuscation to hide its code. Targeting e-commerce, the skimmer collects sensitive data via an inline script. It employs various techniques to evade detection and ensure broad browser compatibility, even coordinating with other threat actors for profit sharing. …

New Case Study: The Evil Twin Checkout Page

October 8, 2024 at 07:28AM An innovative web security solution saved a global online retailer and its customers from an “evil twin” attack, where malicious redirects led shoppers to fake checkout pages to steal payment information. Reflectiz’s advanced deobfuscation tool detected and averted the threat, highlighting the need for continuous web security monitoring to protect …

WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks

October 4, 2024 at 06:00AM A high-severity security flaw in the LiteSpeed Cache plugin for WordPress (CVE-2024-47374) allows for arbitrary JavaScript code execution. The flaw was patched in version 6.5.1 on September 25, 2024, after being responsibly disclosed. This vulnerability could enable privilege escalation and affects all versions up to 6.5.0.2, potentially impacting the over …

Chrome 129 Patches High-Severity Vulnerability in V8 Engine

September 18, 2024 at 08:24AM Google released Chrome 129 in the stable channel, addressing nine vulnerabilities, with the most severe being a type confusion bug in the V8 JavaScript engine. The update also resolves medium and low-severity vulnerabilities, with $13,000 in bug bounty payouts. Chrome 129 is now rolling out for Windows, macOS, and Linux, …

C/side Raises $6 Million to Secure the Browser Supply Chain

September 17, 2024 at 11:57AM C/side, a startup focusing on protecting against malicious browser-side third-party scripts, raised $6M in seed funding. It has raised a total of $7.7M. The new investment round included Uncork Capital, Mantis VC, PrimeSet, Roar Ventures, and Scribble Ventures. They aim to help businesses monitor, optimize, and secure third-party scripts using …

Master Your PCI DSS v4 Compliance with Innovative Smart Approvals

September 16, 2024 at 08:21AM The rapidly evolving PCI DSS landscape, with v4.0, introduces rigorous requirements, particularly in sections 6.4.3 and 11.6.1, necessitating strict monitoring and management of payment page scripts. Reflectiz offers a dedicated PCI dashboard with real-time, remote visibility, script-level monitoring, and a smart approval mechanism, ensuring efficient compliance and reduced risks. Access a 30-day …

New Linux malware Hadooken targets Oracle WebLogic servers

September 13, 2024 at 01:11PM Hackers are focusing on Oracle WebLogic servers to inject them with a new Linux malware called “Hadooken.” This malware initiates a cryptominer and a tool for distributed denial-of-service (DDoS) attacks. Based on the meeting notes, it is evident that there is a significant security concern related to hackers targeting Oracle …