There was not much news this week, but all the important ones are in our digest. A couple of updates for the Linux kernel and an old-new vulnerability from Microsoft that has been around for several years. In addition, a little about malware and good news for the victims of REvil. Vulnerabilities: unfixable Microsoft bug, … Continue reading Old vulnerabilities in new format (unfixable) →
Multiple cross-site scripting (XSS) vulnerabilities in the 'old' and 'new' interfaces in Viprinet Multichannel VPN Router 300 allow remote attackers to inject arbitrary web script or HTML via the username when (1) logging in or (2) creating an account in old interface, (3) username when creating an account in the new interface, (4) hostname in the old interface, (5) inspect parameter in the config module, (6) commands parameter in the atcommands tool, or (7) host parameter in the ping tool.
Google Chrome is updated every week with new vulnerabilities/malicious extensions/zero-day and other stuff, which is why it needs to be updated regularly, just like other important software. Also this week, a sequel to the SonicWall story came out. Google launched a cool new vulnerability service OSV, which the Vulners team immediately automated it – “Stay … Continue reading New robot from Vulners, strong vulnerabilities and new malicious activity. →
Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 3.0.0.beta16 on the `beta` and `tests-passed` branches, when a user requests for a password reset link email, then changes their primary email, the old reset email is still valid. When the old reset email is used to reset the password, the Discourse account's primary email would be re-linked to the old email. If the old email address is compromised or has transferred ownership, this leads to an…