Aggregator

This daily article is intended to make it easier for those who want to stay updated with my regular posts. Any subscriber-only content will be clearly marked at the end of the link.

Scrutiny Over Ethics of Profit-Sharing Prompts End to Cyberstarts CISO Compensation
Allegations of conflicts of interest in Cyberstarts’ Sunrise program have sparked debate in the CISO community. While the program connected CISOs with startups for advisory purposes, its profit-sharing incentives drew criticism, leading some participants to resign and the firm to halt compensation.

Also: Anticipating Donald Trump's Second Term; a Surprising Cybersecurity Merger
In the latest weekly update, ISMG editors explored the growing threat of disrupted ransomware attacks as a public health crisis, the potential global impact of a Donald Trump's second presidential term, and implications of the latest big merger in the cybersecurity market.

Researchers Find Exploitable Flaws in the OvrC Platform
Security flaws in a cloud platform for remotely configuring and monitoring Internet of Things gadgets could expose millions of devices to remote code execution hacks. Security researchers at Claroty's Team82 uncovered 10 vulnerabilities in the widely used OvrC cloud platform.

Trump Administration Picks May Test Bipartisan Support for Cybersecurity Agency
Newly empowered Republicans in U.S. president-elect Donald Trump's orbit appear slated to enact far-reaching changes to the federal cyber defense agency, with one senator pledging to act on his long-standing enmity to the Cybersecurity and Infrastructure Security Agency.

Health System's Cyberattack Affected More Than 235,000 Patients, Employees, Others
A New York state court has approved a preliminary $1.5 million settlement of a consolidated proposed class action lawsuit against One Brooklyn Health System following a November 2022 cyberattack that involved theft of sensitive health data belonging to more than 235,000 people.

Email at many organizations has stopped working; the tech giant has advised users who are facing the issue to uninstall the updates so that it can address flaw.

Explore how the SEC Cybersecurity Rule has raised boardroom awareness, but why achieving true resilience and transparency remains a critical challenge.

The post The SEC Cybersecurity Rule: Awareness Rises, Compliance Lags appeared first on Security Boulevard.

A vulnerability was found in Royal Browser Extensions TS and Royal Browser Extensions TSX. It has been classified as problematic. This affects an unknown part. The manipulation leads to credentials management (Credentials). This vulnerability is uniquely identified as CVE-2018-18865. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in GNUstep Base up to 1.19.3. This issue affects some unknown processing of the component Error Message Handler. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2010-1457. The attack needs to be approached locally. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

According to Mozilla, users have a lot more power to manipulate ChatGPT than they might realize. OpenAI hopes those manipulations remain within a clearly delineated sandbox.

A vulnerability, which was classified as problematic, has been found in Google Android. Affected by this issue is the function EUTRAN_LCS_DecodeFacilityInformationElement of the file LPP_LcsManagement.c. The manipulation leads to information disclosure. This vulnerability is handled as CVE-2024-27223. The attack may be launched remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in NodeBB 3.6.7. It has been declared as critical. This vulnerability affects unknown code. The manipulation leads to improper access controls. This vulnerability was named CVE-2024-29316. The attack needs to be done within the local network. There is no exploit available.

A vulnerability was found in Zenario up to 9.3.57595 and classified as problematic. This issue affects some unknown processing of the component Tree Explorer Tool. The manipulation leads to cross site scripting. The identification of this vulnerability is CVE-2024-34460. The attack may be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in MediaTek MT6298, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6875T, MT6877, MT6878, MT6879, MT6883, MT6885, MT6889, MT6891, MT6893, MT6895, MT6895T, MT6896, MT6897, MT6980, MT6980D, MT6983, MT6990, MT8673, MT8675, MT8765, MT8766, MT8768, MT8771, MT8786, MT8791T, MT8792, MT8797 and MT8798. This affects an unknown part of the component Modem. The manipulation leads to risky cryptographic algorithm. This vulnerability is uniquely identified as CVE-2024-20070. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability, which was classified as critical, has been found in Fsas Technologies Fujitsu Business Application ID Link Manager II, Fujitsu Software ID Link Manager, Fujitsu Software Time Creator ID Link Manager and Fujitsu Software Time Creator ID Link Manager SaaS. This issue affects some unknown processing. The manipulation leads to observable response discrepancy. The identification of this vulnerability is CVE-2024-34024. The attack may be initiated remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in Oracle Trade Management up to 12.2.13. This affects an unknown part of the component GL Accounts. The manipulation leads to improper authorization. This vulnerability is uniquely identified as CVE-2024-21146. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability has been found in D-Link DSL6740C and classified as critical. Affected by this vulnerability is an unknown functionality of the component SSH/Telnet. The manipulation leads to os command injection. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is known as CVE-2024-11062. The attack can be launched remotely. There is no exploit available.

A vulnerability was found in Google Android 8 and classified as problematic. This issue affects the function createFromParcel of the file MediaCas.java. The manipulation leads to improper input validation. The identification of this vulnerability is CVE-2017-13312. Attacking locally is a requirement. There is no exploit available. It is recommended to apply a patch to fix this issue.

Israeli surveillance firm NSO Group reportedly used multiple zero-day exploits, including an unknown one named "Erised," that leveraged WhatsApp vulnerabilities to deploy Pegasus spyware in zero-click attacks, even after getting sued. [...]