Security News
Cisco has patched several vulnerabilities affecting its Expressway Series collaboration gateways, two of them rated as critical severity and exposing vulnerable devices to cross-site request forgery attacks. Unauthenticated attackers can exploit the two critical CSRF vulnerabilities patched today to target unpatched Expressway gateways remotely.
The action of adding a page was vulnerable to CSRF. My pen test attack not only created a new page, but also stole administrative credentials from the site, using some unorthodox HTML. Now, the start of any CSRF attack is always the payload. The first thing to note here is that when an iframe loads, it sends a GET request to whatever is specified in the 'src' parameter. How would an attacker get the payload to fill the whole page? Well, as we demonstrated in our test, we can interact with the height and width properties of iframes using JavaScript.
Chrome 84 was released in the stable channel this week with a total of 38 patches, but also with additional security improvements, including the rollout of a previously announced SameSite cookie change. The release of Chrome 84 resumes the gradual rollout of the protection.
Google last week announced that it has started rolling back a cross-site request forgery protection introduced in early February with the release of Chrome 80 in the stable channel. Initially announced in May 2019, the protection involves Chrome enforcing a new secure-by-default cookie classification system, in which cookies that have not declared a SameSite value are treated as SameSite=Lax cookies.
Mozilla announced this week that the upcoming Firefox 60 will introduce support for the same-site cookie attribute in an effort to protect users against cross-site request forgery (CSRF) attacks.
WordPress fixed six vulnerabilities with version 4.7.5 and announced a bug bounty program with HackerOne this week.
Siemens' RUGGEDCOM NMS product line suffers from vulnerabilities that could allow an attacker to perform administrative actions.
A new WordPress update, pushed this week, resolves eight security issues, including a handful of XSS and CSRF bugs.
Obihai Technology recently patched a slew of issues in its ObiPhone IP phone products that could have led to memory corruption, a buffer overflow, and denial of service conditions, among other outcomes.