This DCL script abuses the old psi_mail trick on VAX/VMS systems to remotely find valid users.

Open-Xchange OX App Suite suffers from a content spoofing, cross site scripting, and information disclosure vulnerabilities. Versions affected vary depending on the vulnerability.

A FortiSIEM collector connects to a Supervisor/Worker over HTTPS TLS (443/TCP) to register itself as well as relaying event data such as syslog, netflow, SNMP, etc. When the Collector (the client) connects to the Supervisor/Worker (the server), the client does not validate the server-provided certificate against its root-CA store. Since the client does no server certificate validation, this means any certificate presented to the client will be considered valid and the connection will succeed. If an attacker spoofs a Worker/Supervisor using an ARP or DNS poisoning attack (or any other MITM attack), the Collector will blindly connect to the attacker's HTTPS TLS server. It will disclose the authentication password used along with any data being relayed. Versions 5.0 and 5.2.1 have been tested and are affected.

Windows Defender Antivirus version 4.18.1908.7-0 suffers from a file extension spoofing vulnerability.

Google Invisible RECAPTCHA version 3 suffers from a spoofing bypass vulnerability.

A vulnerability exists within the Microsoft Server Message Block 3.1.1 (SMBv3) protocol that can be leveraged to execute code on a vulnerable server. This local exploit implementation leverages this flaw to elevate itself before injecting a payload into winlogon.exe.

Macs Framework version 1.14f suffers from cross site scripting and remote SQL injection vulnerabilities.

Project Open CMS version 5.0.3 suffers from cross site scripting and remote SQL injection vulnerabilities.

This is a simple perl script to perform dictionary attacks against the KeePass password manager.

Simple script to perform RC4 encryption / decryption.

Script that performs RSA factorization attack using Fermat's algorithm.

Max Secure Anti Virus Plus version 19.0.4.020 suffers from an insecure permission vulnerability.

This is a brief whitepaper discussing how to perform forensics on iOS 5 on the iPhone.

IPhone TreasonSMS suffers from html injection and file inclusion vulnerabilities.

This article explains the technical procedure and challenges involved in extracting data and artifacts from iPhone backups.

Singapore has retained its place at the top of fDi's Asia-Pacific Cities of the Future ranking, with Shanghai and Tokyo completing the top three list. 

Russia remains fDi’s most diversified commodity economy, while second ranked Brazil has displaced Ukraine into third place. Cathy Mullan reports.

man-cgi versions prior to 1.16 suffer from a local file inclusion vulnerability.

Teltonika RUT9XX routers with firmware before 00.05.01.1 are prone to cross site scripting vulnerabilities in hotspotlogin.cgi due to insufficient user input sanitization.

An exploitable command injection vulnerability exists in the ACEManager iplogging.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can inject arbitrary commands, resulting in arbitrary command execution. An attacker can send an authenticated HTTP request to trigger this vulnerability.

An exploitable unverified password change vulnerability exists in the ACEManager upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause a unverified device configuration change, resulting in an unverified change of the user password on the device. An attacker can make an authenticated HTTP request to trigger this vulnerability.

An exploitable cross-site scripting vulnerability exists in the ACEManager ping_result.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP ping request can cause reflected javascript code execution, resulting in the execution of javascript code running on the victim's browser. An attacker can get a victim to click a link, or embedded URL, that redirects to the reflected cross-site scripting vulnerability to trigger this vulnerability.

An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.

An exploitable Information Disclosure vulnerability exists in the ACEManager EmbeddedAceGet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an information disclosure, resulting in the exposure of confidential information, including, but not limited to, plaintext passwords and SNMP community strings. An attacker can make an authenticated HTTP request, or run the binary, to trigger this vulnerability.

An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause a arbitrary setting writes, resulting in the unverified changes to any system setting. An attacker can make an authenticated HTTP request, or run the binary as any user, to trigger this vulnerability.

An exploitable information disclosure vulnerability exists in the ACEManager template_load.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause a information leak, resulting in the disclosure of internal paths and files. An attacker can make an authenticated HTTP request to trigger this vulnerability.

What if the coronavirus lasts until the end of the year? Lawrence Yeo has a bleak forecast.