Security News
A researcher has earned nearly $4,000 from TikTok after discovering a couple of vulnerabilities that could have been chained to hijack accounts. Muhammed Taskiran, a 20-year-old researcher based in Germany, informed TikTok in late August that a URL parameter on tiktok.com was "reflecting its value without being properly sanitized."
VMware on Thursday announced that it had released patches for a couple of serious ESXi vulnerabilities that were demonstrated at a recent hacking contest in China. The 360 ESG Vulnerability Research Institute from Chinese cybersecurity company Qihoo 360 earned more than $740,000 of the total prize money, including $180,000 for a VMware ESXi guest-to-host escape exploit.
VMware has patched critical vulnerabilities affecting its ESXi enterprise-class hypervisor and has released a security update for its SD-WAN Orchestrator, plugging a handful of serious security holes. The ESXi hypervisor vulnerabilities had been exploited during a hacking competition.
VMware on Wednesday patched a total of six vulnerabilities in its SD-WAN Orchestrator product, including flaws that can be chained by an attacker to steer traffic or shut down an enterprise network. Three of the vulnerabilities were reported to VMware by Israel-based cybersecurity consulting firm Realmode Labs.
The flaws could be used to join Webex meetings without appearing in the participant list. "These flaws affect both scheduled meetings with unique meeting URLs and Webex Personal Rooms. Personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner's name and organization name. These technical vulnerabilities could be further exploited with a combination of social engineering, open source intelligence and cognitive overloading techniques."
Cisco this week released advisories for three serious vulnerabilities in Security Manager that already have proof-of-concept exploit code available online. Cisco says that there are no workarounds available for these vulnerabilities, but that Cisco Security Manager 4.22 addresses them.
Cisco has patched two vulnerabilities in its Cisco Security Manager solution, both of which could allow unauthenticated, remote attackers to gain access to sensitive information on an affected system. These are part of a batch of twelve vulnerabilities flagged in July 2020 by Florian Hauser, a security researcher and red teamer at Code White.
The first update released by Apple for macOS Big Sur 11.0 addresses 60 vulnerabilities affecting various components of the operating system. macOS Big Sur 11.0 was officially launched on November 12, and on the same day Apple released its first update, version 11.0.1.
Schneider Electric this week released advisories for vulnerabilities impacting various products, including flaws that can be exploited to take control of Modicon M221 programmable logic controllers. "By bypassing authentication protections and having direct access to manipulate the PLC, an attacker could take over complete control of the PLC actions, which could be catastrophic depending on what type of OT environment the PLC is deployed in," Sigler explained.
SAP's security updates for November 2020 patch several critical vulnerabilities affecting the company's Solution Manager, Data Services, ABAP, S/4HANA, and NetWeaver products. One of the Hot News patches resolves a total of four vulnerabilities related to missing authentication checks in SolMan, which provides a central management interface for SAP and non-SAP systems.