The Daily Swig

Ruby on Rails apps vulnerable to data theft through Ransack search

Poor integration of the Ransack library into Ruby on Rails (RoR) applications could allow attackers to steal information from backend databases, security firm Positive Security has warned.

IoT vendors faulted for slow progress in setting up vulnerability disclosure programs

IoT vendors are slow to make it easy for security researchers to report security bugs, with only 27.1% of suppliers offering a vulnerability disclosure policy.

AWS patches bypass bug in CloudTrail API monitoring tool

In a blog post dated January 17, Datadog Security Labs senior researcher Nick Frichette said the vulnerability impacts the CloudTrail event logging service, a data source for defenders examining API activities.

WAGO fixes config export flaw threatening data leak from industrial devices

Tracked as CVE-2022-3738, the vulnerability is described as a PHP error in the WAGO web admin interface file download.php, as some lines are commented out using a multi-line comment.

Prototype pollution-like bug variant discovered in Python

Security researcher Abdulraheem Khaled has discovered a coding scheme that can allow attackers to perform prototype pollution-like attacks on Python programs. He calls it ‘class pollution’ in a blog post documenting his findings.

Exploit drops for remote code execution bug in Control Web Panel

The Proof of Concept (PoC) was posted to GitHub and YouTube yesterday (January 5) by Numan Türle, security engineer at Turkish infosec outfit Gais Security. The flaw has now been designated as CVE-2022-44877 with a CVSS severity rating still pending.

Tesla tackles CORS misconfigurations that left internal networks vulnerable

Tesla is one of several organizations to remedy cross-origin resource sharing (CORS) misconfigurations after security researchers proved they could exfiltrate data from the carmaker’s internal network.

Zoom Whiteboard patches XSS bug

Zoom has patched a cross-site scripting (XSS) bug that worked in both the desktop and web versions of its Whiteboard app. The XSS bug in Zoom Whiteboard was discovered by security researcher Eugene Lim (aka ‘spaceraccoon’).

Akamai wrestles with AWS S3 web cache poisoning bug

Web cache poisoning involves malicious clients forcing content delivery networks (CDNs) or web servers to cache malicious content and later serve it to other clients requesting the same resource.

Safeurl HTTP library brings SSRF protection to Go applications

Safeurl, a one-line drop-in replacement for Go’s native net/http.Client, validates incoming HTTP requests against allow and block lists, and defends against DNS rebinding attacks.
