CVE-2020-9448 – XSS Vulnerability in the Digital Guardian Management Console
CVE-2020-9448 – Authenticated Cross-Site Scripting in the Digital Guardian Management Console DeepCode reported a Cross-Site Scripting vulnerability in the Digital Guardian Management Console on 25th February 2020. The vulnerability results from a lack of input validation in the filtering feature of the “Policies & Rules” menu of the management console. Vulnerability in Filters The filtering […]
CVE 2020-6171 – Cross-Site Scripting in CLink Office v2
DeepCode discovered a Cross-Site Scripting (XSS) vulnerability in CLink Office via parameter injection. As of 18 January 2020, a simple Google search returned 2,500 web servers using the application, mostly in Hong Kong.
Software Exploit Development – Fuzzing with AFL
It’s quite impressive to look back in the past to the early days of software vulnerabilities and observe the ongoing dance between new mitigation and new exploitation techniques. Powerful fuzzing tools are now commonplace and operated on a daily basis by IT corporations and security labs; either to find crashes in their software or others’ […]
Firefox Javascript Vulnerability
Once again, Javascript is the source of a new exploit that has been recently discovered on Firefox1. The vulnerability can be exploited by crafting malicious Javascript code on a Firefox 3.5 browser and leads to the execution of arbitrary code on the user’s machine. This is due to a vulnerability in the JIT engine of […]
A Quick Amex XSS
Here is a quick description of a cross-site script exploit that was fixed today on the American Express website. The vulnerability was in the search engine of the site, which didn’t sanitized the input keywords. Therefore anyone could insert JavaScript into the search and use this to trick people into sending their cookies to the […]
Microsoft’s Security Hole Framework
Since a few days, news about the Internet Explorer exploit has been sweeping the Internet (see previous post Internet Explorer 7 Attack in the Wild). It has not been confirmed that Internet Explorer 5, 6 and 7 are affected and the problem reside in the data binding of objects. Basically, the array containing objects in […]
Internet Explorer 7 Attack in the Wild
Bits of information about the new 0-day exploit are surfacing on the web. This exploit provokes a heap overflow in the XML parser of Internet Explorer 7. The exploit works with the fully patched version of Windows XP, Windows Server 2008 and Windows Vista SP1[1]. The Infection The exploit is initiated by a JavaScript file […]
ENISA releases list of mobile phones vulnerabilities
The European Network and Information Security Agency (ENISA) release a paper about general vulnerabilities that is affecting or will affect mobile communications. The organization surveyed experts via different medias to gather concerns from the industry about the future of wireless communications. The document discusses security issues about three different types of devices, each using wireless […]
New Kid on the Block: Downadup
Many reports on the last few days mention a new worm growing on the back of the Windows’ MS08-067 vulnerability. The worm named Downadup, also being dubbed Conficker.A by Microsoft, as now spread to alarming levels: “We think 500,000 is a ball park figure” said Ivan Macalintal, a senior research engineer with Trend Micro Inc[1]. […]
First Internet Worm is 20 years old Sunday
In 1988, the computer world faced a new cyber menace that is still very well alive today. The first computer worm, written by a student called Robert Tappan Morris. From Wikipedia: “The original intent, according to him, was to gauge the size of the Internet. He released the worm from the Massachusetts Institute of Technology […]