Poor integration of the Ransack library into Ruby on Rails (RoR) applications could allow attackers to steal information from backend databases, security firm Positive Security has warned.
IoT vendors are slow to make it easy for security researchers to report security bugs, with only 27.1% of suppliers offering a vulnerability disclosure policy.
In a blog post dated January 17, Datadog Security Labs senior researcher Nick Frichette said the vulnerability impacts the CloudTrail event logging service, a data source for defenders examining API activities.
Tracked as CVE-2022-3738, the vulnerability is described as a PHP error in the WAGO web admin interface file download.php, where some lines are commented out using a multi-line comment.
Security researcher Abdulraheem Khaled has discovered a coding scheme that can allow attackers to perform prototype pollution-like attacks on Python programs. He calls it ‘class pollution’ in a blog post documenting his findings.
The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security. The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.
Tesla is one of several organizations to remedy cross-origin resource sharing (CORS) misconfigurations after security researchers proved they could exfiltrate data from the carmaker’s internal network.
Zoom has patched a cross-site scripting (XSS) bug that worked in both the desktop and web versions of its Whiteboard app. The XSS bug in Zoom Whiteboard was discovered by security researcher Eugene Lim (aka ‘spaceraccoon’).
Web cache poisoning involves malicious clients forcing content delivery networks (CDNs) or web servers to cache malicious content and later serve it to other clients requesting the same resource.
Safeurl, a one-line drop-in replacement for Go’s native net/http.Client, validates outgoing HTTP requests against allow and block lists and defends against DNS rebinding attacks.