The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Most Trusted Cyber Security and Computer Security Analysis: SonarSource

New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

New UnRAR Vulnerability Could Let Attackers Hack Zimbra Webmail Servers

June 29, 2022Ravie Lakshmanan
A new security vulnerability has been disclosed in RARlab's UnRAR utility that, if successfully exploited, could permit a remote attacker to execute arbitrary code on a system that relies on the binary. The flaw, assigned the identifier CVE-2022-30333, relates to a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a maliciously crafted RAR archive. Following responsible disclosure on May 4, 2022, the shortcoming was addressed by RarLab as part of  version 6.12  released on May 6. Other versions of the software, including those for Windows and Android operating systems, are not impacted. "An attacker is able to create files outside of the target extraction directory when an application or victim user extracts an untrusted archive," SonarSource researcher Simon Scannell  said  in a Tuesday report. "If they can write to a known location, they are likely to be able to leverage it in a way leading to the execution of arb
Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails

Unpatched Bug in RainLoop Webmail Could Give Hackers Access to all Emails

April 21, 2022Ravie Lakshmanan
An unpatched high-severity security flaw has been disclosed in the open-source RainLoop web-based email client that could be weaponized to siphon emails from victims' inboxes. "The code vulnerability [...] can be easily exploited by an attacker by sending a malicious email to a victim that uses RainLoop as a mail client," SonarSource security researcher Simon Scannell  said  in a report published this week. "When the email is viewed by the victim, the attacker gains full control over the session of the victim and can steal any of their emails, including those that contain highly sensitive information such as passwords, documents, and password reset links." Tracked as CVE-2022-29360, the flaw relates to a stored cross-site-scripting (XSS) vulnerability impacting the latest version of RainLoop ( v1.16.0 ) that was released on May 7, 2021. Stored XSS flaws, also called persistent XSS, occur when a malicious script is injected directly into a target web applic
Preventing your Cloud 'Secrets' from Public Exposure: An IDE plugin solution

Preventing your Cloud 'Secrets' from Public Exposure: An IDE plugin solution

August 25, 2021The Hacker News
I'm sure you would agree that, in today's digital world, the majority of applications we work on require some type of credentials – to connect to a database with a username/password, to access computer programs via authorized tokens, or API keys to invoke services for authentication. Credentials, or sometimes just referred to as 'Secrets,' are pieces of user or system-level confidential information that ought to be carefully protected and accessible to legitimate users only. We all know how important it is to keep these assets secure to prevent account misuse and breaches.  A reality check: How often do you make proactive efforts to protect these assets? Rarely, I'd say.  Among the worst mistakes a developer can make when it comes to application security is to accidentally commit confidential information publicly on the Internet. Surprisingly, secrets and credentials are accidentally leaked more often than you might expect, and there are intelligent tools that s
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.