Daily Archives: July 18, 2022
Passwordless company claims to offer better password security solution
Stytch, a company founded to spread the adoption of passwordless authentication, has announced what it’s calling a modern upgrade to passwords. The cloud-based solution addresses four common problems with passwords that create security risks and account friction.
Password reuse. When someone tries to access an account covered by the Stytch solution, the password is automatically vetted against Have I Been Pwned, a dataset of 12 billion compromised passwords. A password reset is automatically triggered if the password is in the dataset.
Strength assessment. When someone creates a password, its strength is automatically assessed using Dropbox’s zxcvbn password strength estimator and a suggestion made that a stronger password should be chosen.
Account de-duplicating. Users might forget what authentication method they used to access their account. Did they use Facebook or Google? Did they use an email address? Choosing the wrong method can result in creating a duplicate account. Stytch prevents that by permitting an email login that allows an account to be accessed regardless of the original authentication method.
Better reset. Someone wants to access their account, but their password isn’t immediately available. Rather than reset their password to access their account, Stytch offers an email alternative that allows a user to access an account without a password reset.
Enthusiasm, hesitancy for passwordless authentication
Stytch co-founder and CEO Reed McGinley-Stempel explains that his company was started with a negative view of passwords. “We still have a negative view of traditional password systems and a lot of the assumptions baked into them,” he says, “but if you’re a passwordless company that wants to drive passwordless adoption, you can’t ignore password innovation.”
DCMS Sets Out Proposal For New AI Rulebook
The policy paper published today outlines the government’s approach to regulating AI technology in the UK, with proposed rules addressing future risks and opportunities.
TikTok Engaging in Excessive Data Collection
The latest industry whitepaper from Internet 2.0 claims TikTok’s data harvesting is excessive and that the app uses a China-based server connection.
Re: AnyDesk Public Exploit Disclosure – Arbitrary file write by symbolic link attack lead to denial-of-service attack on local machine
Posted by chan chan on Jul 18
Hi FullDisclosure,
May I know if there is any update?
Please note that Mitre has assigned and reserved a CVE number
“CVE-2022-32450” for this vulnerability.
Regards,
Erwin
On Wed, 22 Jun 2022 at 5:42 PM, chan chan <siuchunc.03 () gmail com> wrote:
[CFP] 2nd International Workshop on Cyber Forensics and Threat Investigations Challenges CFTIC 2022 (Virtual)
Posted by Andrew Zayine on Jul 18
2nd International Workshop on Cyber Forensics and Threat
Investigations Challenges
October 10-11, 2022, Taking Place Virtually from the UK
https://easychair.org/cfp/CFTIC2022
Cyber forensics and threat investigations have rapidly emerged as a new
field of research to provide the key elements for maintaining
security, reliability, and trustworthiness of the next generation of
emerging technologies such as the internet of things, cyber-physical…
Builder XtremeRAT v3.7 / Insecure Crypto Bypass
Posted by malvuln on Jul 18
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/7f314e798c150aedd9ce41ed39318f65_B.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Builder XtremeRAT v3.7
Vulnerability: Insecure Crypto Bypass
Description: The malware builds backdoors and requires authentication to
access the GUI using credentials stored in the “user.info” config file.
XtremeRAT…
Builder XtremeRAT v3.7 / Insecure Permissions
Posted by malvuln on Jul 18
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/7f314e798c150aedd9ce41ed39318f65.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Builder XtremeRAT v3.7
Vulnerability: Insecure Permissions
Description: The malware builds and writes a PE file to c drive granting
change (C) permissions to the authenticated user group. Standard users can
rename the executable…
Backdoor.Win32.HoneyPot.a / Weak Hardcoded Password
Posted by malvuln on Jul 18
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source:
https://malvuln.com/advisory/e3bb503f9b02cf57341695f30e31128f.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln
Threat: Backdoor.Win32.HoneyPot.a
Vulnerability: Weak Hardcoded Password
Description: The malware listens on various TCP ports of which one can be
port 21 when enabled. Authentication is required, however the credentials…
SCHUTZWERK-SA-2022-003: Remote Command Execution in Spryker Commerce OS
Posted by David Brown via Fulldisclosure on Jul 18
Title
=====
SCHUTZWERK-SA-2022-003: Remote Command Execution in Spryker Commerce OS
Status
======
PUBLISHED
Version
=======
1.0
CVE reference
=============
CVE-2022-28888
Link
====
https://www.schutzwerk.com/en/43/advisories/schutzwerk-sa-2022-003/
Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-003.txt
Affected products/vendor
========================
Spryker Commerce OS by Spryker Systems GmbH, with…