Toggle navigation
Ethical Hacking Bootcamp
Cyber Range
Contact
News
Top 5 Weakest Security Configurations and How to Fix Them
Thu, 02 Jan 2025 14:50:00 -0500
In H2 2024, the CIS CTI team found weak security configurations through passive scans of customers' external networks. Here's how to stay secure.
Looking Glass Cyber
Malware Patrol
InfoSec Articles (12/31/24 – 01/14/25)
InfoSec Articles (12/03/24 – 12/17/24)
SecList
Mercedes-Benz Head Unit security research report
Kaspersky experts analyzed the Mercedes-Benz head unit, its IPC protocols and firmware, and found new vulnerabilities via physical access.
securingtomorrow.mcafee.com
Quick Heal
Threat Post
Student Loan Breach Exposes 2.5M Records
Watering Hole Attacks Push ScanBox Keylogger
Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms
Ransomware Attacks are on the Rise
Cybercriminals Are Selling Access to Chinese Surveillance Cameras
Twitter Whistleblower Complaint: The TL;DR Version
Firewall Bug Under Active Attack Triggers CISA Warning
Fake Reservation Links Prey on Weary Travelers
iPhone Users Urged to Update to Patch 2 Zero-Days
Google Patches Chrome’s Fifth Zero-Day of the Year
Naked Security
Security Affairs
U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon
EU privacy non-profit group filed complaints against TikTok, SHEIN, AliExpress, and other Chinese companies
U.S. CISA adds Aviatrix Controllers vulnerability to its Known Exploited Vulnerabilities catalog
ESET detailed a flaw that could allow a bypass of the Secure Boot in UEFI systems
Russia-linked APT Star Blizzard targets WhatsApp accounts
Prominent US law firm Wolf Haldenstein disclosed a data breach
Clop Ransomware exploits Cleo File Transfer flaw: dozens of claims, disputed breaches
MikroTik botnet relies on DNS misconfiguration to spread malware
Threat actor leaked config files and VPN passwords for over Fortinet Fortigate devices
Microsoft Patch Tuesday updates for January 2025 fixed three actively exploited flaws
Security Awareness Tips of the week
Exploits
[webapps] SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
[webapps] reNgine 2.2.0 - Command Injection (Authenticated)
[webapps] openSIS 9.1 - SQLi (Authenticated)
[webapps] dizqueTV 1.5.3 - Remote Code Execution (RCE)
[webapps] NoteMark < 0.13.0 - Stored XSS
[webapps] Gitea 1.22.0 - Stored XSS
[webapps] Invesalius3 - Remote Code Execution
[dos] Windows TCP/IP - RCE Checker and Denial of Service
[webapps] Aurba 501 - Authenticated RCE
[webapps] HughesNet HT2000W Satellite Modem - Password Reset
[webapps] Elber Wayber Analog/Digital Audio STL 4.00 - Device Config Disclosure
[webapps] Elber Wayber Analog/Digital Audio STL 4.00 - Authentication Bypass
[webapps] Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Device Config
[webapps] Elber ESE DVB-S/S2 Satellite Receiver 1.5.x - Authentication Bypass
[webapps] Helpdeskz v2.0.2 - Stored XSS
[webapps] Calibre-web 0.6.21 - Stored XSS
[webapps] Devika v1 - Path Traversal via 'snapshot_path'
[local] Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path
[local] SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path
[local] Oracle Database 12c Release 1 - Unquoted Service Path
[webapps] Ivanti vADC 9.9 - Authentication Bypass
[local] Bonjour Service 'mDNSResponder.exe' - Unquoted Service Path Privilege Escalation
[webapps] Xhibiter NFT Marketplace 1.10.2 - SQL Injection
[webapps] Azon Dominator Affiliate Marketing Script - SQL Injection
[webapps] Microweber 2.0.15 - Stored XSS
[webapps] Customer Support System 1.0 - Stored XSS
[webapps] Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)
[webapps] SolarWinds Platform 2024.1 SR1 - Race Condition
[webapps] Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
[webapps] Poultry Farm Management System v1.0 - Remote Code Execution (RCE)
[webapps] Boelter Blue System Management 1.3 - SQL Injection
[webapps] WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)
[webapps] PHP < 8.3.8 - Remote Code Execution (Unauthenticated) (Windows)
[webapps] AEGON LIFE v1.0 Life Insurance Management System - SQL injection vulnerability.
[webapps] XMB 1.9.12.06 - Stored XSS
[webapps] Carbon Forum 5.9.0 - Stored XSS
[webapps] AEGON LIFE v1.0 Life Insurance Management System - Stored cross-site scripting (XSS)
[webapps] appRain CMF 4.0.5 - Remote Code Execution (RCE) (Authenticated)
[webapps] CMSimple 5.15 - Remote Code Execution (RCE) (Authenticated)
[webapps] WBCE CMS v1.6.2 - Remote Code Execution (RCE)
[webapps] Monstra CMS 3.0.4 - Remote Code Execution (RCE)
[webapps] Dotclear 2.29 - Remote Code Execution (RCE)
[webapps] Serendipity 2.5.0 - Remote Code Execution (RCE)
[webapps] Sitefinity 15.0 - Cross-Site Scripting (XSS)
[webapps] FreePBX 16 - Remote Code Execution (RCE) (Authenticated)
[webapps] Akaunting 3.1.8 - Server-Side Template Injection (SSTI)
Last 20 Website Defacements - Zone-h
Advisories
Symantec Packet Stoem Security