Coldfusion Hosting

Security Bulletin 26 Oct 2022 – Cyber Security Agency of Singapore

Security Bulletin 26 Oct 2022 – Cyber Security Agency of Singapore

CVE Number Description Base Score Reference CVE-2018-3839 An exploitable code execution vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. 8.8 https://nvd.nist.gov/vuln/detail/CVE-2018-3839 CVE-2019-7280 Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session… Source link

Read More »

Security Bulletin 26 Oct 2022 – Cyber Security Agency of Singapore

Security Bulletin 26 Oct 2022 – Cyber Security Agency of Singapore

CVE Number Description Base Score Reference CVE-2018-3839 An exploitable code execution vulnerability exists in the XCF image rendering functionality of Simple DirectMedia Layer SDL2_image-2.0.2. A specially crafted XCF image can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can display a specially crafted image to trigger this vulnerability. 8.8 https://nvd.nist.gov/vuln/detail/CVE-2018-3839 CVE-2019-7280 Prima Systems FlexAir, Versions 2.3.38 and prior. The session-ID is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session… Source link

Read More »

Security Bulletin 19 Oct 2022 – Cyber Security Agency of Singapore

Security Bulletin 26 Oct 2022 – Cyber Security Agency of Singapore

CVE Number Description Base Score Reference CVE-2019-5924 Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page. 8.8 https://nvd.nist.gov/vuln/detail/CVE-2019-5924 CVE-2019-6727 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XFA remerge method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of… Source link

Read More »

Security Bulletin 19 Oct 2022 – Cyber Security Agency of Singapore

Security Bulletin 26 Oct 2022 – Cyber Security Agency of Singapore

CVE Number Description Base Score Reference CVE-2019-5924 Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page. 8.8 https://nvd.nist.gov/vuln/detail/CVE-2019-5924 CVE-2019-6727 This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the XFA remerge method. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of… Source link

Read More »

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine. “A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” GitHub said in an advisory published on September 28, 2022. The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity rating of 10 on the CVSS vulnerability scoring system. It has been addressed in version 3.9.11 released on August 28, 2022. vm2 is a popular Node library that’s used to run untrusted code with allowlisted built-in modules. It’s also one of the most widely downloaded software, accounting for nearly 3.5 million downloads per… Source link

Read More »

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

Researchers Detail Critical RCE Flaw Reported in Popular vm2 JavaScript Sandbox

A now-patched security flaw in the vm2 JavaScript sandbox module could be abused by a remote adversary to break out of security barriers and perform arbitrary operations on the underlying machine. “A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox,” GitHub said in an advisory published on September 28, 2022. The issue, tracked as CVE-2022-36067 and codenamed Sandbreak, carries a maximum severity rating of 10 on the CVSS vulnerability scoring system. It has been addressed in version 3.9.11 released on August 28, 2022. vm2 is a popular Node library that’s used to run untrusted code with allowlisted built-in modules. It’s also one of the most widely downloaded software, accounting for nearly 3.5 million downloads per… Source link

Read More »

Sexy/Unsexy, Practical/Impractical: There Are Mutts & Magnificent Beasts In Energy

What’s a day without a provocative quadrant chart that makes many people howl with outrage (or at least mutter at their screen)? Well, not this day. Over on LinkedIn, Peter Clarkson of Woodside Energy in Australia triggered me with the idea of a way to categorize various decarbonization solutions, a standard quadrant chart with sexy/unsexy and practical/impractical as the options. He okayed me stealing the idea, saying that as he hadn’t actually done anything with the idea at all, he couldn’t claim it as intellectual capital. Thank you, Peter. For those interested in other areas I’ve spent time on, such as ground transportation, aviation, and marine shipping, you’ll be either pleased or displeased to know that I have charts on those subjects already in hand and two more in… Source link

Read More »

Supersonic Jet Hyper Sting would fly from NYC to London in just 80 minutes

A newly designed supersonic jet would be able to fly passengers from New York City to London in just 80 minutes. Dubbed the Hyper Sting, the conceptual plane would be nearly twice as large and travel twice as fast as the world’s last commercial supersonic jet, Concorde, which was retired in 2003. The Hyper Sting, at 328 feet long with a 168-foot wingspan, would dart up to 170 passengers across the Atlantic and beyond at speeds of 2,486mph — more than three times the speed of sound. “Concorde was a brilliant piece of machinery, a noble experiment, but it put too many emissions in the environment, too much noise into our communities, and was too expensive to operate,” the Spanish designer of the craft, Oscar Viñals, told The U.S. Sun. Two… Source link

Read More »

Security Bulletin 10 Aug 2022 – Cyber Security Agency of Singapore

Security Bulletin 26 Oct 2022 – Cyber Security Agency of Singapore

CVE Number Description Base Score Reference CVE-2020-7352 The GalaxyClientService component of GOG Galaxy runs with elevated SYSTEM privileges in a Windows environment. Due to the software shipping with embedded, static RSA private key, an attacker with this key material and local user permissions can effectively send any operating system command to the service for execution in this elevated context. The service listens for such commands on a locally-bound network port, localhost:9978. A Metasploit module has been published which exploits this vulnerability. This issue affects the 2.0.x branch of the software 2.0.12 and earlier as well as the 1.2.x branch 1.2.64 and earlier . A fix was issued for the 2.0.x branch of the affected software. 8.8 Source link

Read More »

NIST Post-Quantum Algorithm Finalist Cracked Using a Classical PC

NIST Post-Quantum Algorithm Finalist Cracked Using a Classical PC

An algorithm submitted to the NIST post-quantum encryption competition – and one that made it to the fourth round – has been defeated. The algorithm, Supersingular Isogeny Key Encapsulation (SIKE), was broken by Wouter Castryck and Thomas Decru at KU Leuven, and the process described in a paper written at the end of July 2022. Cryptographers are not surprised by such an event; but security leaders concerned about their ability to protect secrets after the arrival of quantum computers, need to consider the implications. For cryptographers The defeat of SIKE follows a key recovery attack on the Supersingular Isogeny Diffie-Hellman key exchange protocol and its instantiation as SIKE in the NIST competition. The attack is based on the ‘glue and split’ theorem developed in 1997 by… Source link

Read More »