Zoom SDK's Security Vulnerabilities

Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server

Microsoft discovered, responsibly disclosed, and helped remediate four vulnerabilities that could be remotely exploited by unauthenticated attackers in Perforce Helix Core Server (“Perforce Server”), a source code management platform largely used in the videogame industry and by multiple...

Patching Perforce perforations: Critical RCE vulnerability discovered in Perforce Helix Core Server

Microsoft discovered, responsibly disclosed, and helped remediate four vulnerabilities that could be remotely exploited by unauthenticated attackers in Perforce Helix Core Server (“Helix Core Server”), a source code management platform largely used in the videogame industry and by multiple...

CVE-2023-39214

Exposure of sensitive information in Zoom Client SDK's before 5.15.5 may allow an authenticated user to enable a denial of service via network...

CVE-2023-39214

Exposure of sensitive information in Zoom Client SDK's before 5.15.5 may allow an authenticated user to enable a denial of service via network...

Design/Logic Flaw

Exposure of sensitive information in Zoom Client SDK's before 5.15.5 may allow an authenticated user to enable a denial of service via network...

CVE-2023-39214

Exposure of sensitive information in Zoom Client SDK's before 5.15.5 may allow an authenticated user to enable a denial of service via network...

CVE-2023-39217

Improper input validation in Zoom SDK’s before 5.14.10 may allow an unauthenticated user to enable a denial of service via network...

CVE-2023-36533

Uncontrolled resource consumption in Zoom SDKs before 5.14.7 may allow an unauthenticated user to enable a denial of service via network...

github.com/cosmos/cosmos-sdk's x/crisis does not charge ConstantFee

x/crisis does not charge ConstantFee Impact If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is NOT charged. All versions of the x/crisis module are affected on all versions of the Cosmos SDK. Details The x/crisis module is supposed to...

github.com/cosmos/cosmos-sdk's x/crisis does not charge ConstantFee

x/crisis does not charge ConstantFee Impact If a transaction is sent to the x/crisis module to check an invariant, the ConstantFee parameter of the chain is NOT charged. All versions of the x/crisis module are affected on all versions of the Cosmos SDK. Details The x/crisis module is supposed to...

CVE-2023-29529

matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker...

CVE-2023-29529

matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker...

CVE-2023-29529

matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker...

Race condition

matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker...

CVE-2023-29529 matrix-js-sdk vulnerable to invisible eavesdropping in group calls

matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker...

matrix-js-sdk vulnerable to invisible eavesdropping in group calls

Impact An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible....

matrix-js-sdk vulnerable to invisible eavesdropping in group calls

Impact An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible....

CVE-2023-29529

matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker...

FreeBSD : py39-sentry-sdk -- sensitive cookies leak (15dae5cc-9ee6-4577-a93e-2ab57780e707)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 15dae5cc-9ee6-4577-a93e-2ab57780e707 advisory. Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using...

CVE-2023-28117

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive....

CVE-2023-28117

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive....

CVE-2023-28117

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive....

Design/Logic Flaw

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive....

CVE-2023-28117 Sentry SDK leaks sensitive session information when `sendDefaultPII` is set to `True`

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive....

CVE-2023-28117

Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive....

Apache Avro Rust SDK's Reader could consume memory beyond allowed constraints

It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which...

Apache Avro Rust SDK's Reader could consume memory beyond allowed constraints

It is possible for a Reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Rust applications using Apache Avro Rust SDK prior to 0.14.0 (previously known as avro-rs). Users should update to apache-avro version 0.14.0 which...

Drainage of FeeCollector's Block Transaction Fees in cronos

Impact In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. User funds and balances are safe. Patches This problem has been patched in Cronos v0.6.5 on the mempool...

Drainage of FeeCollector's Block Transaction Fees in cronos

Impact In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. User funds and balances are safe. Patches This problem has been patched in Cronos v0.6.5 on the mempool...

Privilege Escalation

github.com/crypto-org-chain/cronos is vulnerable to privilege escalation. An attacker can take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom-crafted...

CVE-2021-43839

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are...

CVE-2021-43839

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are...

CVE-2021-43839

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are...

Design/Logic Flaw

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are...

CVE-2021-43839 Drainage of FeeCollector's Block Transaction Fees

Cronos is a commercial implementation of a blockchain. In Cronos nodes running versions before v0.6.5, it is possible to take transaction fees from Cosmos SDK's FeeCollector for the current block by sending a custom crafted MsgEthereumTx. This problem has been patched in Cronos v0.6.5. There are...

efiXplorer - IDA Plugin For UEFI Firmware Analysis And Reverse Engineering Automation

efiXplorer - IDA plugin for UEFI firmware analysis and reverse engineering automation Supported versions of Hex-Rays products: everytime we focus on last versions of IDA and Decompiler because we try to use most recent features from new SDK releases. That means we tested only on recent versions of....

CVE-2020-9040

Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing hostname...

CVE-2020-9040

Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing hostname...

Design/Logic Flaw

Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing hostname...

CVE-2020-9040

Couchbase Server Java SDK before 2.7.1.1 allows a potential attacker to forge an SSL certificate and pose as the intended peer. An attacker can leverage this flaw by crafting a cryptographically valid certificate that will be accepted by Java SDK's Netty component due to missing hostname...

May 2020 Patch Tuesday – 111 Vulns, 16 Critical, SharePoint, VS Code, Adobe Patches

Continuing the trend of large Microsoft Patch Tuesdays, this month’s addresses 111 vulnerabilities with 16 of them labeled as Critical. The 16 Critical vulnerabilities cover SharePoint, Browsers, Scripting Engines, Media Foundation, Microsoft Graphics, Microsoft Color Management, and the VS Code...

Description of the cumulative update for Office Communications Server 2007 R2, Unified Communications Managed API 2.0 Core Redist 64-bit: April 2010

Describes the issues that are fixed in the cumulative update for Office Communications Server 2007 R2, Unified Communications Managed API 2.0 Core Redist 64-bit: April 2010.SummaryThis article describes the Office Communications Server 2007 R2, Unified Communications Managed API 2.0 Core Redist...

WDExtract - Extract Windows Defender Database From Vdm Files And Unpack It

Extract Windows Defender database from vdm files and unpack it This program distributed as-is, without any warranty; No official support, if you like this tool, feel free to contribute. Features Unpack VDM containers of Windows Defender/Microsoft Security Essentials; Decrypt VDM container...

PLATINUM continues to evolve, find ways to maintain invisibility

Back in April 2016, we released the paper PLATINUM: Targeted attacks in South and Southeast Asia, where we detailed the tactics, techniques, and procedures of the PLATINUM activity group. We described a group that was well-resourced and quickly adopted advanced techniques, such as hot patching to.....

Description of the cumulative update for Office Communications Server 2007 R2, Unified Communications Managed API 2.0 Core Redist 64-bit: March, 2011

Describes the bugs that are resolved in the cumulative update for Office Communications Server 2007 R2, Unified Communications Managed API 2.0 Core Redist 64-bit that is dated March 2011.SummaryThis article describes the issues that is fixed in the cumulative update for Office Communications...

Description of the cumulative update for Office Communications Server 2007 R2, Unified Communications Managed API 2.0 Core Redist 64-bit: November 2010

Describes the bugs that are resolved in the cumulative update for Office Communications Server 2007 R2, Unified Communications Managed API 2.0 Core Redist 64-bit that is dated November 2010.SummaryThis article describes the issue that is fixed in the cumulative update for Office Communications...

Backdoor in Baidu Android SDK Puts 100 Million Devices at Risk

The China's Google-like Search Engine Baidu is offering a software development kit (SDK) that contains functionality that can be abused to give backdoor-like access to a user's device, potentially exposing around 100 Million Android users to malicious hackers. The SDK in question is Moplus, which.....

Citrix NITRO SDK - Command Injection Vulnerability

A command injection vulnerability in Citrix NITRO SDK's xen_hotfix page was discovered. The attacker-supplied command is executed with elevated privileges (nsroot). This issue can be used to compromise of the entire Citrix SDX appliance along with all underlying applications and...

Intel® Active Management Technology Software Development Kit Remote Code Execution

**Summary: ** Intel® Active Management Technology (Intel® AMT) Software Development Kit (SDK) is the development framework for the independent software vendors (ISVs) to develop manageability applications that interact with Intel® AMT-enabled systems. Updated software which corrects a potential...

DUO-PSA-2015-001: Duo Product Security Advisory

Duo Product Security Advisory Advisory ID: DUO-PSA-2015-001 Original Publication Date: 2015-02-03 Revision Date: 2015-02-10 Status: Confirmed, Fixed Document Revision: 3 Overview Duo Security has identified an issue in certain versions of the Duo Web SDK that could allow attackers to bypass...