Vulnerability

Hunting for Android Privilege Escalation with a 32 Line Fuzzer

Dec 22, 2023 By Trustwave In Trustwave

Trustwave SpiderLabs tested a couple of Android OS-based mobile devices to conduct the research on privilege escalation scenarios. Specifically, we wanted to show a straightforward process attackers may use to exploit vulnerabilities in an Android device’s system services and systems. The testing revealed that, in some cases, exploiting the issues we found were very easy.

Read Post

Trustwave

Read more about Hunting for Android Privilege Escalation with a 32 Line Fuzzer

CVE-2023-41727, CVE-2023-46220, CVE-2023-46261, and More: Multiple Critical Vulnerabilities Patched in Ivanti Avalanche

Dec 22, 2023 By Andres Ramos In Arctic Wolf

On December 20, 2023, Ivanti announced that 20 vulnerabilities in Ivanti Avalanche On-Prem were patched in the product’s latest update. Arctic Wolf has highlighted 13 of these vulnerabilities in this bulletin that were rated as critical severity and could lead to remote code execution (RCE) or Denial of Service (DoS).

Read Post

Arctic Wolf

Read more about CVE-2023-41727, CVE-2023-46220, CVE-2023-46261, and More: Multiple Critical Vulnerabilities Patched in Ivanti Avalanche

Xfinity Writhes; 36 Million Records Breached via Vendor Vulnerability

Dec 22, 2023 By Steven In IDStrong

Xfinity is the name of Comcast Communications’ internet, TV, and phone service; it is the most significant cabled internet service in the states, with more than 32 million residential customers. Available in 39 contiguous states and the capital, the service provides communication solutions for individuals, companies, institutions, and clinical networks. Xfinity’s vast influence has made them a target for cybercriminals.

Read Post

IDStrong

Read more about Xfinity Writhes; 36 Million Records Breached via Vendor Vulnerability

Apache Struts 2 Vulnerability CVE-2023-50164 Exposed

Dec 21, 2023 By Mohammed Ansari In Indusface

On December 7th, 2023, the Apache Struts project disclosed a significant vulnerability, CVE-2023-50164, in its Struts 2 open-source web framework. Rated at a critical CVSS score of 9.8, this flaw resides within the framework’s file upload logic. Exploiting this vulnerability empowers attackers to manipulate upload parameters, potentially leading to arbitrary file upload and, under specific conditions, code execution.

Read Post

Indusface

Read more about Apache Struts 2 Vulnerability CVE-2023-50164 Exposed

Vulnerability Remediation for Servers: Beyond Just Patching

Dec 21, 2023 By John Gates In CalCom

To understand vulnerability remediation one must first understand remediation in cyber. Remediation refers to the process of addressing and resolving security vulnerabilities or incidents that could potentially pose a threat to an organization’s information systems, data, or network.

Read Post

CalCom

Read more about Vulnerability Remediation for Servers: Beyond Just Patching

Command injection in Python: examples and prevention

Dec 21, 2023 By Rubaiat Hossain In Snyk

Despite Python's reputation for simplicity and versatility, ensuring the security of Python programs can be challenging if you or other team members neglect security best practices during development. Additionally, you’ll likely use libraries or other open source projects while building a Python application. However, these resources can introduce additional security issues that leave your program vulnerable to exploits such as command injection.

Read Post

Snyk

Read more about Command injection in Python: examples and prevention

Is your team on the security naughty or nice list?

Dec 20, 2023 By Mariah Gresham In Snyk

As kids, many of us felt anticipation, excitement, and maybe even nervousness during the holiday season. Had we been good enough to get the Gameboy, Barbie Dream House, or Etch a Sketch we’d been pining for, or were we just going to get a big ol’ lump of coal?

Read Post

Snyk

Read more about Is your team on the *security* naughty or nice list?

Release Spotlight: Qualys PCS

Dec 20, 2023 By Gil Azaria In Nucleus

In the culinary world, the adage “too many cooks spoil the broth” warns of the chaos and disarray that can arise from too many opinions and actions in the kitchen. However, this concept takes an intriguing twist in the realm of cybersecurity.

Read Post

Nucleus

Read more about Release Spotlight: Qualys PCS

How to Operationalize Vulnerability Threat Intelligence

Dec 20, 2023 By Nucleus In Nucleus

With so many vulnerabilities to address and potential threats looming, how can organizations prioritize and respond effectively? Enter Vulnerability Threat Intelligence (VTI). This knowledge not only aids in pinpointing vulnerabilities but also shapes strategies for risk acceptance and rapid responses to zero-day threats. Join our webinar where Patrick Garrity from Nucleus Security, Caleb Hoch from Google, and Jared Semrau from Mandiant, uncover how to effectively leverage vulnerability threat intelligence (VTI).

View Video

Nucleus

Read more about How to Operationalize Vulnerability Threat Intelligence

Under the hood of CVE patching

Dec 19, 2023 By Oshrat Nir In ARMO

Addressing Common Vulnerabilities and Exposures, known as CVE patching, is a practice of applying updates to software (patching) to address security vulnerabilities. CVE patching is your shield against the threat of malicious actors exploiting such weaknesses and is of crucial importance for every organization’s cybersecurity. This post will cover the basics of CVE patching: the roles and stakeholders, the step-by-step process, and common mistakes to avoid.

Read Post