Cybersecurity Vulnerabilities news & analysis | SC Media

Vulnerabilities News and Analysis

RCE flaw found in firmware of commonly used Wi-Fi chipset


ThreadX, a real-time operating system (RTOS) that serves as firmware for the Marvell Avastar Wi-Fi chipset, contains a major vulnerability that can enable remote code execution on affected systems, a researcher has reported. Product lines that use Marvell Avastar and thus are potentially endangered by the vulnerability include the Sony PlayStation 4 and Xbox One…

Adobe releases third update in less than a month


Adobe today announced security updates for vulnerabilities in its Experience Manager product that could result in sensitive information disclosure. The updates address a Moderate-rated reflected cross-site scripting vulnerability and an Important-rated stored cross-site scripting vulnerability in Adobe Experience Manager versions 6.0 through 6.4 across all platforms, according to a Jan. 22…

Critical vulnerability issued for Cisco switches


Cisco has revealed a critical-rated vulnerability in its small business switch software that, if exploited, can allow a remote attacker to bypass the device’s user authentication mechanism. The vulnerability in versions of the Cisco software exists because, under specific circumstances, the affected software enables a privileged user account without notifying the system’s administrators.…

Drupal patches two critical security issues


Drupal released security updates for two critical issues that, if exploited, could allow an attacker to take control of an affected system. The issues affect Drupal versions 7.x, 8.5.x and 8.6.x and are fixed by updating to Drupal 7.62, 8.5.9 or 8.6.6. The first critical vulnerability, CVE-2018-1000888, has to do with a third-party component…

Fixed Fortnite flaws could have enabled account takeovers


A series of vulnerabilities in the hugely popular online survival game Fortnite could have allowed malicious actors to take over players’ accounts, prompting developer Epic Games to fix the issues before a major incident transpired, according to the researchers who discovered them. Had the flaws been exploited, attackers could have victimized gamers by viewing their…

Researchers develop proof-of-concept malware for attacking Building Automation Systems


Researchers have developed proof-of-concept malware capable of compromising Building Automation Systems after discovering two critical bugs in a BAS programmable logic controller (PLC). Created by experts at ForeScout, the malware exploits both vulnerabilities in combination with several older flaws that were previously known to the public, according to a ForeScout white paper released today in…

Amadeus booking system flaw could have exposed info on millions of travelers


A recently discovered vulnerability in the Amadeus online reservation system made it possible to access and change reservations with just a booking number. The bug in the booking system, which holds 44 percent of the international carriers’ market, was uncovered by hacker and activist Noam Rotem, who tried to book a flight on Israel’s ELAL airline.…

Bluehost and other popular web hosting sites found to be full of flaws


The web-hosting platform Bluehost was found to contain multiple account takeover and information leak vulnerabilities. Independent researcher and bug-hunter Paulos Yibelo has identified four vulnerabilities, one of which is a “High” severity information leak through CORS misconfigurations that could allow attackers to steal personally identifiable information, partial payment details and tokens that can give access…
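The Bluehost item above turns on a CORS misconfiguration: a server that hands back `Access-Control-Allow-Origin` for an origin it does not actually trust, together with `Access-Control-Allow-Credentials: true`, lets a page on an attacker's domain read authenticated responses (and any tokens or PII in them) from a victim's browser. The following is an added illustration and is not Bluehost's code or the researcher's proof of concept. It models three server-side origin policies as pure functions (an Origin-reflecting one, a suffix-match one, and an exact allowlist), approximates the browser's credentialed CORS check, and audits each policy against a few constructed attacker origins. The domain names, the `TRUSTED_ORIGINS` set and all function names are assumptions made for the example.

```python
"""CORS misconfiguration, modelled: which origin policies leak a credentialed response.

Constructed example. Each policy takes the request's Origin header and returns the
CORS response headers the server would emit; browser_can_read() approximates the
check a browser applies before exposing a credentialed cross-origin response.
"""
from typing import Callable, Dict, List, Optional

# Assumed allowlist for the hardened policy (hypothetical hostnames).
TRUSTED_ORIGINS = {"https://my.example.com", "https://www.example.com"}

# Constructed attacker-controlled origins used by the audit below.
# 'null' is what a browser sends for sandboxed iframes, file:// pages and some redirects.
ATTACKER_ORIGINS = ["https://attacker.example", "https://evil-example.com", "null"]


def cors_headers_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Weak policy: echo any Origin back and allow credentials.

    This is the classic misconfiguration. A page on any origin can run
    fetch(url, {credentials: "include"}) and read the victim's response body.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_suffix_match(origin: Optional[str]) -> Dict[str, str]:
    """Weak policy: trust anything whose Origin 'ends with' the company domain.

    Looks like validation but an attacker can register evil-example.com, which
    also ends with 'example.com'.
    """
    if origin is None or not origin.endswith("example.com"):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlist(origin: Optional[str]) -> Dict[str, str]:
    """Hardened policy: exact string match against a fixed allowlist.

    Unknown origins, including 'null', get no CORS headers at all, so the browser
    refuses the cross-origin read. 'Vary: Origin' stops a shared cache from replaying
    one origin's Access-Control-Allow-Origin to a different origin.
    """
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def browser_can_read(origin: str, response_headers: Dict[str, str],
                     with_credentials: bool = True) -> bool:
    """Approximate the browser's CORS response check for a simple (GET) request.

    For a credentialed request the browser requires an exact origin match in
    Access-Control-Allow-Origin (a wildcard is rejected) plus
    Access-Control-Allow-Credentials: true.
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        return acao == origin and response_headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == "*" or acao == origin


def audit(policy: Callable[[Optional[str]], Dict[str, str]],
          attacker_origins: List[str]) -> List[str]:
    """Return the attacker origins that the given policy would let read authenticated data."""
    return [o for o in attacker_origins if browser_can_read(o, policy(o))]


if __name__ == "__main__":
    for name, policy in [("reflecting", cors_headers_reflecting),
                         ("suffix-match", cors_headers_suffix_match),
                         ("allowlist", cors_headers_allowlist)]:
        print(f"{name:13s} leaks to: {audit(policy, ATTACKER_ORIGINS) or 'nobody'}")
```

When testing a real endpoint the same logic applies: send requests with an arbitrary `Origin`, with a look-alike suffix origin, and with `Origin: null`, and treat any response that reflects the origin alongside `Access-Control-Allow-Credentials: true` as a finding.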

Report: Flaws in PremiSys access system could literally open door for physical intruders


In a case of cybersecurity converging with physical security, researchers have disclosed four vulnerabilities in IDenticard Corp.’s PremiSys building access control system that attackers could exploit to sneak into restricted locations. In a corporate blog post, Tenable, Inc. reported today its researcher Jimi Sebree discovered the zero-day flaws in September 2018, after which time the company…
