Patching | Breaking Cybersecurity News | The Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday placed a now-patched security flaw impacting the popular jQuery JavaScript library to its Known Exploited Vulnerabilities ( KEV ) catalog, based on evidence of active exploitation. The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution. "Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code," according to a GitHub advisory released for the flaw. The problem was addressed in jQuery version 3.5.0 released in April 2020. A workaround for CVE-2020-11023 involves using DOMPurify with the SAFE_FOR_JQUERY flag set to sanitize the HTML string before passing it to a jQuery method. As is typically the case, t...

Details have emerged about a now-patched security vulnerability that could allow a bypass of the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems. The vulnerability, assigned the CVE identifier CVE-2024-7344 (CVSS score: 6.7), resides in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate, according to a new report from ESET shared with The Hacker News. Successful exploitation of the flaw can lead to the execution of untrusted code during system boot, thereby enabling attackers to deploy malicious UEFI bootkits on machines that have Secure Boot on, irrespective of the operating system installed. Secure Boot is a firmware security standard that prevents malware from loading when a computer starts up by ensuring that the device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). The feature leverages digital signatures to validate the authenticity,...

The Need For Unified Security Google Workspace is where teams collaborate, share ideas, and get work done. But while it makes work easier, it also creates new security challenges. Cybercriminals are constantly evolving, finding ways to exploit misconfigurations, steal sensitive data, and hijack user accounts. Many organizations try to secure their environment by piecing together different security tools, hoping that multiple layers of protection will keep them safe.  But in reality, this patchwork approach often creates blind spots, making it harder—not easier—to defend against threats. To truly secure Google Workspace, businesses need a unified security strategy that offers complete protection without unnecessary complexity. The problem with most security solutions is that they only solve part of the puzzle. Point solutions, like tools that block malware or phishing attacks, might work well for a specific type of threat but fail to recognize suspicious user behavior, unauthori...

Threat actors are attempting to exploit a recently disclosed security flaw impacting Apache Struts that could pave the way for remote code execution. The issue, tracked as CVE-2024-53677 , carries a CVSS score of 9.5 out of 10.0, indicating critical severity. The vulnerability shares similarities with another critical bug the project maintainers addressed in December 2023 ( CVE-2023-50164 , CVSS score: 9.8), which also came under active exploitation shortly after public disclosure. "An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution," according to the Apache advisory . In other words, successful exploitation of the flaw could allow a malicious actor to upload arbitrary payloads to susceptible instances, which could then be leveraged to run commands, exfiltrate data, or download additional payloads for follow-on exploitation. T...

Hewlett Packard Enterprise (HPE) has released security updates to address multiple vulnerabilities impacting Aruba Networking Access Point products, including two critical bugs that could result in unauthenticated command execution. The flaws affect Access Points running Instant AOS-8 and AOS-10 - AOS-10.4.x.x: 10.4.1.4 and below Instant AOS-8.12.x.x: 8.12.0.2 and below Instant AOS-8.10.x.x: 8.10.0.13 and below The most severe among the six newly patched vulnerabilities are CVE-2024-42509 (CVSS score: 9.8) and CVE-2024-47460 (CVSS score: 9.0), two critical unauthenticated command injection flaws in the CLI Service that could result in the execution of arbitrary code. "Command injection vulnerability in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211)," HPE said in an advisory for both the flaws. "Successful exp...