Security News

Magento 2.3.4 Patches Critical Code Execution Vulnerabilities
2020-01-29 15:46

Magento 2.3.4 was released this week with patches for six vulnerabilities, including three that are considered critical. Among the critical flaws that could allow for the execution of arbitrary code is CVE-2020-3718, which Adobe describes as a security bypass issue.

Critical Flaws in Magento e-Commerce Platform Allow Code-Execution
2020-01-29 15:27

Critical vulnerabilities in Adobe's Magento e-commerce platform - a favorite target of the Magecart cybergang - could lead to arbitrary code execution. Out of the flaws, Adobe has fixed three that it rates as critical in severity, meaning that successful exploits could "Allow malicious native code to execute, potentially without a user being aware."

Critical RCE flaw in OpenSMTPD, patch available
2020-01-29 13:38

Qualys researchers have discovered a critical vulnerability in OpenBSD's OpenSMTPD mail server, which can allow attackers to execute arbitrary shell commands on the underlying system as root. OpenSMTPD is an open source implementation of the Simple Mail Transfer Protocol.

Dave DeWalt on Securing Business-Critical Applications
2020-01-27 15:48

Dave DeWalt, former CEO of FireEye and McAfee, has been appointed vice chair of the board of Onapsis, a vendor focused on securing business-critical applications, such as ERP and CRM. In this exclusive interview with Information Security Media Group, DeWalt opens up on business application vulnerabilities, the evolution of the nation-state threat and technologies to watch in 2020. "When you look at business-critical applications, they have become one of the main areas of attack," DeWalt says.

Cisco Patches Critical Vulnerability in Network Security Tool
2020-01-23 20:29

A critical vulnerability in the Cisco Firepower Management Center could allow a remote attacker to bypass authentication and execute arbitrary actions on affected devices as administrator. The issue, Cisco explains, emerges from the improper handling of Lightweight Directory Access Protocol authentication responses from an external server.

Critical, Unpatched ‘MDhex’ Bugs Threaten Hospital Devices
2020-01-23 20:02

A collection of six cybersecurity vulnerabilities in a range of GE Healthcare devices for hospitals has been discovered. Dubbed "MDhex" by the researchers at CyberMDX who discovered them, the bugs would allow attackers to disable the devices, harvest personal health information, change alarm settings and alter device functionality.

Cisco Warns of Critical Network Security Tool Flaw
2020-01-23 15:56

A critical Cisco vulnerability exists in its administrative management tool for Cisco network security solutions. The flaw exists in the web-based management interface of the Cisco Firepower Management Center, which is its platform for managing Cisco network security solutions, like firewalls or its advanced malware protection service.

State CIOs see innovation as critical priority, only 14% report extensive innovation
2020-01-22 05:00

Most state CIOs see innovation as a major part of their job - 83% said innovation is an important or very important part of their day-to-day leadership responsibilities - while only 14% reported extensive innovation initiatives within their organizations, Accenture and the National Association of State Chief Information Officers reveal. Previously, NASCIO had highlighted innovation as a top ten current issue facing state CIOs.

Citrix Accelerates Patch Rollout For Critical RCE Flaw
2020-01-21 17:19

Citrix has quickened its rollout of patches for a critical vulnerability in the Citrix Application Delivery Controller and Citrix Gateway products, on the heels of recent proof-of-concept exploits and skyrocketing exploitation attempts. While Citrix originally said some versions would get a patch on Jan. 31, it has now shortened that timeframe, saying fixes are forthcoming on Jan. 24.

Citrix Releases First Patches for Critical ADC Vulnerability
2020-01-20 12:39

Citrix has started rolling out security patches for the recently revealed Citrix Application Delivery Controller and Citrix Gateway vulnerability. The issue impacts versions 13.0, 12.1, 12.0, 11.1, and 10.5 of both Citrix ADC and Gateway.