A recent vulnerability known as CVE-2024-12642 has been discovered in the TenderDocTransfer application by Chunghwa Telecom. This vulnerability is classified as a Relative Path Traversal issue, allowing attackers to write arbitrary files anywhere on a user’s system. The implications of this vulnerability are serious, as it opens the door for unauthorized access to sensitive data…
CVE-2024-12641 is a significant vulnerability found in the TenderDocTransfer component of Chunghwa Telecom. This vulnerability allows for cross-site scripting (XSS) and command injection attacks, creating serious security risks for users. Identified in December 2024, this flaw can lead to unauthorized access and data manipulation, highlighting the importance of security measures in modern applications. Overview of…
A recent vulnerability, CVE-2024-12643, has surfaced within the tbm-client developed by Chunghwa Telecom. This vulnerability is particularly alarming as it allows for Arbitrary File Deletion, stemming from inadequate Cross-Site Request Forgery (CSRF) protection in the application’s APIs. Since its discovery on December 16, 2024, cybersecurity experts have urged users to take immediate action to secure…
The Radare2 Pebble Application Command Injection Vulnerability, identified as CVE-2024-11858, was disclosed on December 13, 2024. This serious vulnerability impacts the widely-used Radare2 reverse-engineering framework. Known for its versatility across various platforms, Radare2 is a favorite among security researchers and forensic analysts. Unfortunately, the vulnerability allows attackers to inject malicious commands, which poses a significant…
In recent weeks, a critical vulnerability known as CVE-2024-22461 has emerged within Dell’s RecoverPoint for Virtual Machines. This command injection vulnerability could allow attackers to execute arbitrary commands on affected systems. Discovered in late November 2024, it has raised serious concerns among users, especially those in sectors like finance, healthcare, and critical infrastructure. The risk…
The Apache Host Header Stored XSS Vulnerability, identified as CVE-2024-11986, is a recently uncovered security flaw impacting Apache HTTP Server versions 2.4.51 and 2.4.52. This vulnerability allows attackers to exploit the Host header in HTTP requests, injecting malicious scripts that can lead to cross-site scripting (XSS) attacks. Reported on December 6, 2024, the flaw poses…
Iran-Linked IOCONTROL Malware Threatening IoT and OT Environments Iran-affiliated threat actors are now associated with new custom malware called IOCONTROL. This malware specifically targets IoT and operational technology (OT) environments, particularly in Israel and the United States. The cybersecurity company Claroty has identified this significant threat, noting its capability to infiltrate various devices used in…
The ComfyUI-Ace Code Injection Vulnerability, known as CVE-2024-21577, poses a serious threat to users relying on the platform. Discovered on December 13, 2024, this vulnerability exists within the ACE_ExpressionEval node. This specific node includes an unsafe eval() function, which permits arbitrary user input. Consequently, this opens doors for attackers to inject malicious code, leading to…
The recent discovery of a vulnerability in the MainWP Child WordPress plugin, identified as CVE-2024-10783, has raised significant concerns in the WordPress community. This security flaw allows unauthorized users to escalate their privileges to administrator level. Undoubtedly, this is troubling news for anyone managing multiple WordPress sites using this plugin. This issue primarily affects versions…
A critical vulnerability known as CVE-2024-9290 has emerged in the Super Backup & Clone – Migrate for WordPress plugin. This vulnerability allows unauthenticated users to upload arbitrary files, posing significant risks to website security. Disclosed on December 12, 2024, this flaw stems from inadequate file type validation and a missing capability check in the ibk_restore_migrate_check()…