Security News

Citrix ShareFile Vulnerabilities Expose User Files
2020-05-06 11:28

Citrix this week announced that updates released for Citrix ShareFile storage zones controllers address several information disclosure vulnerabilities. With storage zones controllers, the ShareFile Software-as-a-Service cloud storage also offers private storage for ShareFile data, which is known as storage zones.

SAP Alerts Customers of Vulnerabilities in Cloud Products
2020-05-06 09:19

SAP this week revealed that it is notifying customers of a series of security issues that it has identified in its cloud products. The Germany-based enterprise software maker said it discovered that some of its cloud products "do not meet one or several contractually agreed or statutory IT security standards at present."

Microsoft Offering Up to $100,000 for Vulnerabilities in Azure Sphere
2020-05-05 16:30

Microsoft on Tuesday announced a new security research challenge that encourages white hat hackers to find and responsibly disclose vulnerabilities in the company's Azure Sphere solution. In an effort to identify potentially serious vulnerabilities in Azure Sphere, Microsoft has decided to run a three-month application-only challenge.

TP-Link Patches Multiple Vulnerabilities in NC Cloud Cameras
2020-05-04 12:14

TP-Link has released firmware updates to address several vulnerabilities in its NC series cloud cameras, including bugs that could lead to the remote execution of arbitrary commands. Tracked as CVE-2020-12111, the first of the command injection flaws impacts the NC260 and NC450 models and could be abused to remotely execute commands as root on affected devices.

SaltStack Salt vulnerabilities actively exploited by attackers, patch ASAP!
2020-05-04 10:32

Two vulnerabilities in SaltStack Salt, an open-source remote task and configuration management framework, are being actively exploited by attackers, CISA warns. The vulnerabilities affect all Salt versions prior to 2019.2.4 and 3000.2, which were released last week.

Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers
2020-05-04 09:00

Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert. Last week, F-Secure security researchers disclosed two vulnerabilities in Salt that could allow remote attackers to execute commands as root on the "master" and connected minions.

Oracle Says Hackers Targeting Recently Patched Vulnerabilities
2020-05-01 14:47

Oracle warned customers on Thursday that threat actors have been spotted attempting to exploit multiple recently patched vulnerabilities, including a critical WebLogic Server flaw tracked as CVE-2020-2883. Oracle's April 2020 Critical Patch Update resolves nearly 400 vulnerabilities, including CVE-2020-2883, a critical flaw in Oracle WebLogic Server that can be exploited by an unauthenticated attacker for remote code execution.

Several Vulnerabilities Patched With Release of WordPress 5.4.1
2020-05-01 12:22

Several vulnerabilities, most of which have been described as cross-site scripting flaws, have been patched in WordPress this week with the release of version 5.4.1. WordPress 5.4.1, described as a short-cycle security and maintenance release, fixes 17 bugs and 7 vulnerabilities affecting version 5.4 and earlier.

Google Researchers Find Multiple Vulnerabilities in Apple's ImageIO Framework
2020-04-29 14:29

Google Project Zero security researchers have discovered multiple vulnerabilities in ImageIO, the image parsing API used by Apple's iOS and macOS operating systems. The bugs in image parsing code, some of which impact open source image libraries and not the ImageIO framework itself, can be triggered through popular messenger applications by sending specially crafted image files to the targeted user.

Six Critical Vulnerabilities Patched in Magento
2020-04-29 08:51

Updates released by Adobe on Tuesday for the Magento Commerce and Open Source editions address multiple critical severity vulnerabilities that could lead to arbitrary code execution. A total of six critical vulnerabilities were patched in the popular e-commerce platform, none of which requires authentication for successful exploitation.