#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

CrushFTP | Breaking Cybersecurity News | The Hacker News

Category — CrushFTP
Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks

Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks

Apr 20, 2024 Vulnerability / Endpoint Security
Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild. "CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP  said  in an advisory released Friday. "This has been patched in v11.1.0." That said, customers who are operating their CrushFTP instances within a  DMZ  ( demilitarized zone ) restricted environment are protected against the attacks. Simon Garrelou of Airbus CERT has been credited with discovering and reporting the flaw. It has yet to be assigned a CVE identifier. Cybersecurity company CrowdStrike, in a post shared on Reddit, said it has observed an exploit for the flaw being used in the wild in a "targeted fashion." These intrusions are said to have mainly targeted U.S. entities,...
Warning: 3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches

Warning: 3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches

Nov 25, 2023 Data Security / Vulnerability
The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files. A brief description of the vulnerabilities is as follows - CVE-2023-49103 (CVSS score: 10.0) - Disclosure of sensitive credentials and configuration in containerized deployments impacting graphapi versions from 0.2.0 to 0.3.0. CVE-2023-49105 (CVSS score: 9.8) - WebDAV Api Authentication Bypass using Pre-Signed URLs impacting core versions from 10.6.0 to 10.13.0. CVE-2023-49104 (CVSS score: 9.0) - Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1. "The 'graphapi' app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo)," the company  said  of the first flaw. "This information includes all the environment variables of the web server. In containerized deplo...
Want to Grow Vulnerability Management into Exposure Management? Start Here!

Want to Grow Vulnerability Management into Exposure Management? Start Here!

Dec 05, 2024Attack Surface / Exposure Management
Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...
Expert Insights / Articles Videos
Cybersecurity Resources