Nicky Mouha discovered a buffer overflow in sha3, a Python library for
the SHA-3 hashing functions.
Monthly Archives: October 2022
DSA-5266 expat – security update
A heap use-after-free vulnerability after overeager destruction of a
shared DTD in the XML_ExternalEntityParserCreate function in Expat, an
XML parsing C library, may result in denial of service or potentially
the execution of arbitrary code.
CVE-2021-42777 (reports)
Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0, when Compilation Mode is used, allows an attacker to execute arbitrary C# code on any machine that renders a report, including the application server or a user’s local machine, as demonstrated by System.Diagnostics.Process.Start.
DSA-5263 chromium – security update
A security issue was discovered in Chromium, which could result in the
execution of arbitrary code.
DSA-5264 batik – security update
It was discovered that Apache Batik, a SVG library for Java, allowed
attackers to run arbitrary Java code by processing a malicious SVG file.
DSA-5265 tomcat9 – security update
Several security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine.
Friday Squid Blogging: Chinese Squid Fishing
China claims that it is “engaging in responsible squid fishing”:
Chen Xinjun, dean of the College of Marine Sciences at Shanghai Ocean University, made the remarks in response to recent accusations by foreign reporters and actor Leonardo DiCaprio that China is depleting its own fish stock and that Chinese boats have sailed to other waters to continue deep-sea fishing, particularly near Ecuador, affecting local fish stocks in the South American nation.
As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.
Read my blog posting guidelines here.
CVE-2021-36898
Auth. SQL Injection (SQLi) vulnerability in Quiz And Survey Master plugin <= 7.3.4 on WordPress.
CVE-2021-36864
Auth. (editor+) Reflected Cross-Site Scripting (XSS) vulnerability in ExpressTech Quiz And Survey Master plugin <= 7.3.4 on WordPress.
Phishing attacks increase by over 31% in third quarter: Report
Email security and threat detection company Vade has found that phishing emails in the third quarter this year increased by more than 31% quarter on quarter, with the number of emails containing malware in the first three quarters surpassing the 2021 level by 55.8 million.
Malware emails in the third quarter of 2022 alone increased by 217% compared to same period in 2021. Malware email volume peaked in July, reaching 19.2 million, before month-over-month declines in August and September, with numbers dropping to 16.8 million and 16.5 million respectively.