Cybersecurity researchers have discovered a new campaign that's exploiting a recently disclosed security flaw in Fortinet FortiClient EMS devices to deliver ScreenConnect and Metasploit Powerfun payloads.
The activity entails the exploitation of CVE-2023-48788 (CVSS score: 9.3), a critical SQL injection flaw that could permit an unauthenticated attacker to execute unauthorized code or
WordPress users of miniOrange's Malware Scanner and Web Application Firewall plugins are being urged to delete them from their websites following the discovery of a critical security flaw.
The flaw, tracked as CVE-2024-2172, is rated 9.8 out of a maximum of 10 on the CVSS scoring system and discovered by Stiofan. It impacts the following versions of the two plugins -
Malware Scanner (
One of the most common misconceptions in file upload cybersecurity is that certain tools are βenoughβ on their ownβthis is simply not the case. In our latest whitepaper OPSWAT CEO and Founder, Benny Czarny, takes a comprehensive look at what it takes to prevent malware threats in todayβs ever-evolving file upload security landscape, and a big part of that is understanding where the
Web Application Security consists of a myriad of security controls that ensure that a web application:
Functions as expected.
Cannot be exploited to operate out of bounds.
Cannot initiate operations that it is not supposed to do.
Web Applications have become ubiquitous after the expansion of Web 2.0, which Social Media Platforms, E-Commerce websites, and email clients saturating the internet
Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution.
Tracked as CVE-2023-50164, the vulnerability is rooted in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file
Modern web app development relies on cloud infrastructure and containerization. These technologies scale on demand, handling millions of daily file transfers β it's almost impossible to imagine a world without them. However, they also introduce multiple attack vectors that exploit file uploads when working with public clouds, vulnerabilities in containers hosting web applications, and many other
The threat actor known asΒ Winter VivernΒ has been observed exploiting a zero-day flaw in Roundcube webmail software on October 11, 2023, to harvest email messages from victims' accounts.
"Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube," ESET security researcher Matthieu FaouΒ saidΒ in a new report published today. Previously, it was using known
APIs, also known as application programming interfaces, serve as the backbone of modern software applications, enabling seamless communication and data exchange between different systems and platforms. They provide developers with an interface to interact with external services, allowing them to integrate various functionalities into their own applications.
However, this increased reliance on
Firewall and distributed denial-of-service (DDoS) attack prevention mechanisms in Cloudflare can be circumvented by exploiting gaps in cross-tenant security controls, defeating the very purpose of these safeguards, it has emerged.
"Attackers can utilize their own Cloudflare accounts to abuse the per-design trust-relationship between Cloudflare and the customers' websites, rendering the
Well, you shouldnβt. It may already be hiding vulnerabilities.
It's the modular nature of modern web applications that has made them so effective. They can call on dozens of third-party web components, JS frameworks, and open-source tools to deliver all the different functionalities that keep their customers happy, but this chain of dependencies is also what makes them so vulnerable.
Many of
Cybercriminals will be as busy as ever this year. Stay safe and protect your systems and data by focusing on these 4 key areas to secure your environment and ensure success in 2023, and make sure your business is only in the headlines when you WANT it to be.Β 1 β Web application weaknesses
Web applications are at the core of what SaaS companies do and how they operate, and they can store some of
A new attack method can be used to circumvent web application firewalls (WAFs) of various vendors and infiltrate systems, potentially enabling attackers to gain access to sensitive business and customer information.
Web application firewalls are aΒ key line of defenseΒ to help filter, monitor, and block HTTP(S) traffic to and from a web application, and safeguard against attacks such as cross-site
API attacks are on the rise. One of their major targets is eCommerce firms like yours.Β
APIs are a vital part of how eCommerce businesses are accelerating their growth in the digital world.Β
ECommerce platforms use APIs at all customer touchpoints, from displaying products to handling shipping. Owing to their increased use, APIs are attractive targets for hackers, as the following numbers expose
What is the OWASP Top 10, and β just as important β what is it not? In this review, we look at how you can make this critical risk report work for you and your organisation.
What is OWASP?
OWASPΒ is the Open Web Application Security Project, an international non-profit organization dedicated to improving web application security.Β
It operates on the core principle that all of its materials are
Security threats are always a concern when it comes to APIs. API security can be compared to driving a car. You must be cautious and review everything closely before releasing it into the world. By failing to do so, you're putting yourself and others at risk.
API attacks are more dangerous than other breaches. Facebook had a 50M user account affected by an API breach, and an API data breach on
Businesses know they need to secure their client-side scripts. Content security policies (CSPs) are a great way to do that. But CSPs are cumbersome. One mistake and you have a potentially significant client-side security gap. Finding those gaps means long and tedious hours (or days) in manual code reviews through thousands of lines of script on your web applications. Automated content security