#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News
State of SaaS

Path Traversal | Breaking Cybersecurity News | The Hacker News

Category — Path Traversal
CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation

CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation

Jan 08, 2025 Vulnerability / Network Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three flaws impacting Mitel MiCollab and Oracle WebLogic Server to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The list of vulnerabilities is as follows - CVE-2024-41713 (CVSS score: 9.1) - A path traversal vulnerability in Mitel MiCollab that could allow an attacker to gain unauthorized and unauthenticated access CVE-2024-55550 (CVSS score: 4.4) - A path traversal vulnerability in Mitel MiCollab that could allow an authenticated attacker with administrative privileges to read local files within the system due to insufficient input sanitization CVE-2020-2883 (CVSS score: 9.8) - A security vulnerability in Oracle WebLogic Server that could be exploited by an unauthenticated attacker with network access via IIOP or T3 It's worth noting that CVE-2024-41713 could be chained with CVE-2024-55550 to permit an unauthenticated, remote attacker to re...
Critical Flaws in Traccar GPS System Expose Users to Remote Attacks

Critical Flaws in Traccar GPS System Expose Users to Remote Attacks

Aug 26, 2024 Software Security / Vulnerability
Two security vulnerabilities have been disclosed in the open-source Traccar GPS tracking system that could be potentially exploited by unauthenticated attackers to achieve remote code execution under certain circumstances. Both the vulnerabilities are path traversal flaws and could be weaponized if guest registration is enabled, which is the default configuration for Traccar 5, Horizon3.ai researcher Naveen Sunkavally said. A brief description of the shortcomings is as follows - CVE-2024-24809 (CVSS score: 8.5) - Path Traversal: 'dir/../../filename' and unrestricted upload of file with dangerous type CVE-2024-31214 (CVSS score: 9.7) - Unrestricted file upload vulnerability in device image upload could lead to remote code execution "The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system," Sunkavally said . "However an attacker only has partial control over the filename....
Product Walkthrough: How Satori Secures Sensitive Data From Production to AI

Product Walkthrough: How Satori Secures Sensitive Data From Production to AI

Jan 20, 2025Data Security / Data Monitoring
Every week seems to bring news of another data breach, and it's no surprise why: securing sensitive data has become harder than ever. And it's not just because companies are dealing with orders of magnitude more data. Data flows and user roles are constantly shifting, and data is stored across multiple technologies and cloud environments. Not to mention, compliance requirements are only getting stricter and more elaborate.  The problem is that while the data landscape has evolved rapidly, the usual strategies for securing that data are stuck in the past. Gone are the days when data lived in predictable places, with access controlled by a chosen few. Today, practically every department in the business needs to use customer data, and AI adoption means huge datasets, and a constant flux of permissions, use cases, and tools. Security teams are struggling to implement effective strategies for securing sensitive data, and a new crop of tools, called data security platforms, have appear...
Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

Mailcow Mail Server Flaws Expose Servers to Remote Code Execution

Jun 19, 2024 Email Security / Vulnerability
Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances. Both shortcomings impact all versions of the software prior to version 2024-04 , which was released on April 4, 2024. The issues were responsibly disclosed by SonarSource on March 22, 2024. The flaws, rated Moderate in severity, are listed below - CVE-2024-30270 (CVSS score: 6.7) - A path traversal vulnerability impacting a function named "rspamd_maps()" that could result in the execution of arbitrary commands on the server by allowing a threat actor to overwrite any file that's can be modified with the "www-data" user CVE-2024-31204 (CVSS score: 6.8) - A cross-site scripting (XSS) vulnerability via the exception handling mechanism when not operating in the DEV_MODE The second of the two flaws is rooted in the fact that it saves details of the exception...
cyber security

2024: A year of identity attacks | Get the new ebook

websitePush SecurityIdentity Security
Identity attacks were the leading cause of breaches in 2024. Learn how tooling and techniques are evolving.
Patch Your GoAnywhere MFT Immediately - Critical Flaw Lets Anyone Be Admin

Patch Your GoAnywhere MFT Immediately - Critical Flaw Lets Anyone Be Admin

Jan 24, 2024 Vulnerability / Endpoint Security
A critical security flaw has been disclosed in Fortra's GoAnywhere Managed File Transfer (MFT) software that could be abused to create a new administrator user. Tracked as  CVE-2024-0204 , the issue carries a CVSS score of 9.8 out of 10. "Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal," Fortra  said  in an advisory released on January 22, 2024. Users who cannot upgrade to version 7.4.1 can apply temporary workarounds in non-container deployments by deleting the InitialAccountSetup.xhtml file in the install directory and restarting the services. For container-deployed instances, it's recommended to replace the file with an empty file and restart. Mohammed Eldeeb and Islam Elrfai of Cairo-based Spark Engineering Consultants have been credited with discovering and reporting the flaw in December 2023. Cybersecurity firm Horizon3.ai, which published a  proof-of-co...
Alert: New Vulnerabilities Discovered in QNAP and Kyocera Device Manager

Alert: New Vulnerabilities Discovered in QNAP and Kyocera Device Manager

Jan 09, 2024 Network Security / Data Protection
A security flaw has been disclosed in Kyocera's  Device Manager  product that could be exploited by bad actors to carry out malicious activities on affected systems. "This vulnerability allows attackers to coerce authentication attempts to their own resources, such as a malicious SMB share, to capture or relay Active Directory hashed credentials if the 'Restrict NTLM: Outgoing NTLM traffic to remote servers' security policy is not enabled," Trustwave  said . Tracked as  CVE-2023-50916 , Kyocera, in an  advisory  released late last month, described it as a path traversal issue that enables an attacker to intercept and alter a local path pointing to the backup location of the database to a universal naming convention (UNC) path. This, in turn, causes the web application to attempt to authenticate the rogue UNC path, resulting in unauthorized access to clients' accounts and data theft. Furthermore, depending on the configuration of the environment, it cou...
New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

New Critical RCE Vulnerability Discovered in Apache Struts 2 - Patch Now

Dec 12, 2023 Vulnerability / Software Security
Apache has released a security advisory warning of a critical security flaw in the Struts 2 open-source web application framework that could result in remote code execution. Tracked as  CVE-2023-50164 , the vulnerability is  rooted  in a flawed "file upload logic" that could enable unauthorized path traversal and could be exploited under the circumstances to upload a malicious file and achieve execution of arbitrary code. Struts is a Java framework that uses the Model-View-Controller ( MVC ) architecture for building enterprise-oriented web applications. Steven Seeley of Source Incite has been credited with discovering and reporting the flaw, which impacts the following versions of the software - Struts 2.3.37 (EOL) Struts 2.5.0 - Struts 2.5.32, and Struts 6.0.0 - Struts 6.3.0 Patches for the bug are available in versions 2.5.33 and 6.3.0.2 or greater. There are no workarounds that remediate the issue. "All developers are strongly advised to perform this upgr...
Expert Insights / Articles Videos
Cybersecurity Resources