Advisories

  • Smashing Security podcast #394: Digital arrest scams and stream-jacking

    In our latest episode we discuss how a woman hid under the bed after scammers told her she was under “digital arrest”, how hackers are hijacking YouTube channels through malicious sponsorship deals, and how one phone company is turning the tables on fraudsters through deepfake AI. All this and much more is discussed in the…

    Read More

  • Multiple Vulnerabilities in Apple Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Apple products, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install…

    Read More

  • Drupal core – Moderately critical – Gadget chain – SA-CORE-2024-008

    Project:  Drupal core Date:  2024-November-20 Security risk:  Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability:  Gadget chain Affected versions:  >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 Description:  Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is…

    Read More

  • Drupal core – Moderately critical – Gadget chain – SA-CORE-2024-007

    Project:  Drupal core Date:  2024-November-20 Security risk:  Moderately critical 14 ∕ 25 AC:Complex/A:Admin/CI:All/II:All/E:Theoretical/TD:Uncommon Vulnerability:  Gadget chain Affected versions:  >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8 Description:  Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not…

    Read More

  • Drupal core – Less critical – Gadget chain – SA-CORE-2024-006

Project:  Drupal core Date:  2024-November-20 Security risk:  Less critical 8 ∕ 25 AC:Complex/A:User/CI:None/II:Some/E:Theoretical/TD:Uncommon Vulnerability:  Gadget chain Affected versions:  >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8 Description:  Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Arbitrary File Deletion. It is not…

    Read More

  • Drupal core – Critical – Cross Site Scripting – SA-CORE-2024-005

    Project:  Drupal core Date:  2024-November-20 Security risk:  Critical 17 ∕ 25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability:  Cross Site Scripting Description:  Drupal 7 core’s Overlay module doesn’t safely handle user input, leading to reflected cross-site scripting under certain circumstances. Only sites with the Overlay module enabled are affected by this vulnerability. Solution:  Install the latest version: If you are using Drupal…

    Read More

  • Drupal core – Moderately critical – Access bypass – SA-CORE-2024-004

    Project:  Drupal core Date:  2024-November-20 Security risk:  Moderately critical 10 ∕ 25 AC:Basic/A:User/CI:None/II:Some/E:Theoretical/TD:Default Vulnerability:  Access bypass Affected versions:  >= 8.0.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8 Description:  Drupal’s uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be…

    Read More

  • Drupal core – Moderately critical – Cross Site Scripting – SA-CORE-2024-003

    Project:  Drupal core Date:  2024-November-20 Security risk:  Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default Vulnerability:  Cross Site Scripting Affected versions:  >= 8.8.0 < 10.2.11 || >= 10.3.0 < 10.3.9 || >= 11.0.0 < 11.0.8 Description:  Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. Solution: …

    Read More

  • Five Privilege Escalation Flaws Found in Ubuntu needrestart

Five LPE flaws in Ubuntu’s needrestart utility enable attackers to gain root access in versions prior to 3.8.

    Read More

  • 60% of Emails with QR Codes Classified as Spam or Malicious

60% of QR code emails are spam, according to findings from Cisco Talos, who also identified attackers using QR code art to bypass security filters.

    Read More