Security News

A recently identified security vulnerability in the official Homebrew Cask repository could have been exploited by an attacker to execute arbitrary code on users' machines that have Homebrew installed. The issue, which was reported to the maintainers on April 18 by a Japanese security researcher named RyotaK, stemmed from the way code changes in its GitHub repository were handled, resulting in a scenario where a malicious pull request - i.e., the proposed changes - could be automatically reviewed and approved.

An Indian security researcher has publicly published a proof-of-concept exploit code for a newly discovered flaw impacting Google Chrome and other Chromium-based browsers like Microsoft Edge, Opera, and Brave. Released by Rajvardhan Agarwal, the working exploit concerns a remote code execution vulnerability in the V8 JavaScript rendering engine that powers the web browsers.

Networking equipment major Cisco Systems has said it does not plan to fix a critical security vulnerability affecting some of its Small Business routers, instead urging users to replace the devices. The bug, tracked as CVE-2021-1459, is rated with a CVSS score of 9.8 out of 10, and affects RV110W VPN firewall and Small Business RV130, RV130W, and RV215W routers, allowing an unauthenticated, remote attacker to execute arbitrary code on an affected appliance.

A pair of unpatched vulnerabilities in QNAP small office/home office network attached storage devices could allow attackers to execute code remotely, according to a warning from security researchers at SAM Seamless Network. The bugs were found to affect QNAP TS-231 SOHO NAS devices running firmware version 4.3.6.1446, but potentially impact other QNAP devices as well, provided they use the same firmware release.

Two vulnerabilities recently patched by VMware in its vRealize Operations platform can be chained together to achieve unauthenticated remote code execution on the underlying operating system, Positive Technologies researchers have found. There is no PoC currently available and no mention of the vulnerabilities being exploited in the wild.

IT infrastructure management provider SolarWinds on Thursday released a new update to its Orion networking monitoring tool with fixes for four security vulnerabilities, counting two weaknesses that could be exploited by an authenticated attacker to achieve remote code execution. Chief among them is a JSON deserialization flaw that allows an authenticated user to execute arbitrary code via the test alert actions feature available in the Orion Web Console, which lets users simulate network events that can be configured to trigger an alert during setup.

The Apache Software Foundation on Friday addressed a high severity vulnerability in Apache OFBiz that could have allowed an unauthenticated adversary to remotely seize control of the open-source enterprise resource planning system. Tracked as CVE-2021-26295, the flaw affects all versions of the software prior to 17.12.06 and employs an "Unsafe deserialization" as an attack vector to permit unauthorized remote attackers to execute arbitrary code on a server directly.

A pair of critical vulnerabilities in a popular bulletin board software called MyBB could have been chained together to achieve remote code execution without the need for prior access to a privileged account. The flaws, which were discovered by independent security researchers Simon Scannell and Carl Smith, were reported to the MyBB Team on February 22, following which it released an update on March 10 addressing the issues.

F5 Networks is warning users to patch four critical remote command execution flaws in its BIG-IP and BIG-IQ enterprise networking infrastructure. The company released an advisory, Wednesday, on seven bugs in total, with two others rated as high risk and one rated as medium risk, respectively.

Application security company F5 Networks on Wednesday published an advisory warning of four critical vulnerabilities impacting multiple products that could result in a denial of service attack and even unauthenticated remote code execution on target networks. The four critical flaws affect BIG-IP versions 11.6 or 12.x and newer, with a critical pre-auth remote code execution also affecting BIG-IQ versions 6.x and 7.x. F5 said it's not aware of any public exploitation of these issues.