Security News

Critical Firefox Vulnerability Can Allow Code Execution If Chained With Other Bugs
2021-02-09 14:09

An update released last week by Mozilla for Firefox 85 patches a critical information disclosure vulnerability that can be chained with other security flaws to achieve arbitrary code execution. In its advisory for the vulnerability - the bug currently does not have a CVE identifier - Mozilla described it as a "Buffer overflow in depth pitch calculations for compressed textures." The issue, reported by researchers Abraruddin Khan and Omair through Trend Micro's Zero Day Initiative, apparently only impacts Firefox running on Windows - other operating systems are not affected.

Critical WordPress Plugin Flaw Allows Site Takeover
2021-02-08 21:11

Researchers are urging WordPress websites that utilize the NextGen Gallery plugin to apply a patch addressing critical and high-severity flaws. Researchers discovered two cross-site request forgery flaws - one critical and one high-severity - in the plugin.

Critical vulnerability fixed in WordPress plugin with 800K installs
2021-02-08 20:05

NextGen Gallery, a WordPress plugin used for creating image galleries, currently has over 800,000 active installs, making this security update a top priority for all site owners that have it installed. Both of them are Cross-Site Request Forgery bugs which, in the case of the critical vulnerability tracked as CVE-2020-35942, can lead to Reflected Cross-Site Scripting and remote code execution attacks via file upload or Local File Inclusion.

Fortinet fixes critical vulnerabilities in SSL VPN and web firewall
2021-02-07 14:31

The vulnerabilities range from Remote Code Execution to SQL Injection, to Denial of Service and impact the FortiProxy SSL VPN and FortiWeb Web Application Firewall products. Multiple advisories published by FortiGuard Labs this month and in January 2021 mention various critical vulnerabilities that Fortinet has been patching in their products.

Cisco reveals critical bug in small biz VPN routers when half the world is stuck working at home
2021-02-05 07:05

Cisco has addressed a clutch of critical vulnerabilities in its small business and VPN routers that can be exploited by an unauthenticated, remote attacker to execute arbitrary code as the root user. Some of the affected devices are also Wi-Fi routers, so could well be in everyday use.

Critical Flaws Reported in Cisco VPN Routers for Businesses—Patch ASAP
2021-02-05 00:02

Cisco has rolled out fixes for multiple critical vulnerabilities in the web-based management interface of Small Business routers that could potentially allow an unauthenticated, remote attacker to execute arbitrary code as the root user on an affected device. The flaws - tracked from CVE-2021-1289 through CVE-2021-1295 - impact RV160, RV160W, RV260, RV260P, and RV260W VPN routers running a firmware release earlier than Release 1.0.01.02.

Cisco Patches Critical Vulnerabilities in Small Business Routers, SD-WAN
2021-02-04 20:23

Cisco this week released software updates to address multiple vulnerabilities across its product portfolio, including critical severity bugs in several small business VPN routers and SD-WAN products. The company warned that the web-based management interface of small business RV160, RV160W, RV260, RV260P, and RV260W VPN routers is affected by seven severe vulnerabilities that could be abused by unauthenticated, remote attackers to execute arbitrary code as root.

Critical Cisco Flaws Open VPN Routers Up to RCE Attacks
2021-02-04 15:59

Cisco is rolling out fixes for critical holes in its lineup of small-business VPN routers. The flaws exist in the web-based management interface of Cisco's small-business lineup of VPN routers.

Hackers Exploiting Critical Zero-Day Bug in SonicWall SMA 100 Devices
2021-02-04 01:50

"A few thousand devices are impacted," SonicWall said in a statement, adding, "SMA 100 firmware prior to 10.x is unaffected by this zero-day vulnerability." On January 22, The Hacker News exclusively revealed that SonicWall had been breached as a consequence of a coordinated attack on its internal systems by exploiting "Probable zero-day vulnerabilities" in its SMA 100 series remote access devices.

Critical Bugs Found in Popular Realtek Wi-Fi Module for Embedded Devices
2021-02-04 00:36

Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications. The Realtek RTL8195A module is a standalone, low-power-consumption Wi-Fi hardware module targeted at embedded devices used in several industries such as agriculture, smart home, healthcare, gaming, and automotive sectors.