##Timeline :*Bug sent to vendor : 17-02-2020*No Response after 10 days* Public disclosure: 27-02-020The Comtrend VR-3033 is prone to Multiple Authenticated Command Injectionvulnerability via ping and traceroute diagnostic page.Remote attackers are able to get full control and compromise the networkmanaged by the router.Note : This bug may exist in other Comt

Cisco says it will release patches for wireless devices affected by the recently disclosed Wi-Fi chip vulnerability named Kr00k. The company says the flaw impacts some of its routers, firewalls, access points and phones.Cybersecurity firm ESET revealed on Wednesday that over one billion Wi-Fi-capable devices were at one point affected by a vulnerability that

A white hat hacker has earned $8,500 for a serious vulnerability that exposed the email addresses of HackerOne users.Earlier this month, a hacker who uses the online moniker msdian7 discovered that a new feature introduced by the HackerOne bug bounty platform had resulted in a vulnerability that could have been exploited to obtain any HackerOne user’s email

The United States’ National Security Agency (NSA) has put together a short guidance document on mitigating vulnerabilities for cloud computing. At only eight pages, it is an accessible primer for cloud security and a great place to start before taking on something like the comprehensive NIST 800-53 security controls.As a guidance document, it doesn’t attempt

A recently disclosed zero-day vulnerability in Zyxel network-attached storage (NAS) devices also impacts over twenty of the vendor’s firewalls.The security flaw, which was issued CVE identifier CVE-2020-9054, can be exploited remotely, without authentication to execute arbitrary code on the affected devices.Residing in the weblogin.cgi CGI program, the issue

A new vulnerability, which may have affected over one billion Wi-Fi-capable devices before patches were released, could have allowed hackers to obtain sensitive information from wireless communications, cybersecurity firm ESET revealed on Wednesday.Dubbed Kr00k and tracked as CVE-2019-15126, the vulnerability caused devices to use an all-zero encryption key

Routers and devices with Broadcom and Cypress Wi-Fi chipsets could be forced to sometimes use encryption keys consisting of all zeroes. Now patched, the issue affected a billion devices, including those from Amazon, Apple, Google, and Samsung.RSA Conference 2020 – San Francisco – A vulnerability in the way that two Wi-Fi chipsets handled network

An update released this week for the OpenSMTPD mail server addresses an out-of-bounds read vulnerability that could lead to arbitrary command execution.OpenSMTPD is the open source implementation of the Simple Mail Transfer Protocol (SMTP) in OpenBSD, and its portable version can run on multiple Linux distributions, and Apple’s Mac OS X platform.Tracked as C

Tech vendor Zyxel addresses a critical vulnerability in several network-attached storage (NAS) devices that is already being exploited in the wild. Zyxel has released security patches to address a critical remote code execution vulnerability, tracked as CVE-2020-9054, that affects several NAS devices. The flaw can be exploited by an unauthenticated attack

Networking devices vendor Zyxel has released patches for several network attached storage (NAS) devices to address a critical vulnerability that is already being exploited by cybercriminals.Tracked as CVE-2020-9054, the issue is a remote code execution flaw that can be exploited without authentication and which resides in the weblogin.cgi CGI executable fail

A Chrome 80 update released on Monday patches three high-severity vulnerabilities, including one that Google says has been exploited in the wild.The zero-day vulnerability, tracked as CVE-2020-6418, has been described as a type confusion issue affecting the V8 open source JavaScript engine used by Chrome. Google has credited Clement Lecigne of its Threat Ana

D-Link DGS-1250 header injection vulnerability==============================================The latest version of this advisory is available at:https://sintonen.fi/advisories/d-link-dgs-1250-header-injection.txtOverview--------D-Link DGS-1250 switch is susceptible to a header injection vulnerability enablingattacker to steal the switch configuration.Descript

Let’s face it: Vulnerability management is not what it used to be a decade ago. Actually, it is not what it used to be a couple of years ago. Vulnerability management is one of those ever-evolving processes. Whether it is because of compliance mandates, board demands, an overall desire to reduce risk, all of these objectives or none, almost every organ

byJohn E DunnFirefox version 73 has only been out for a week but already Mozilla has had to update it to version 73.0.1 to fix a range of browser problems and crashes, including when running on Linux machines.The list of issues is surprisingly long for a point release but, in most cases, the issues only happen in specific contexts. Despite this, some of the

The TrustedInstaller service running on the Windows operating systemhosts a COM service called Sxs Store Class; its ISxsStore interfaceprovides methods to install/uninstall assemblies via applicationmanifests files into the WinSxS store. These API methods were meant tobe available for users with administrative privileges only, but thelogic was unintentionall