Voici la sélection des vulnérabilités de cybersécurité les plus critiques découvertes la semaine passée.
Vous retrouvez ci-dessous les liens directs vers les articles les plus intéressants. Pour information, cette veille est préparée avec un vrai cerveau non artificiel, alors bonne lecture et merci de soutenir le Décodeur !
Les actus sélectionnées cette semaine
Un hacker pourrait parfaitement manipuler les feux de circulation comme dans les films
Un expert en cybersécurité a trouvé des failles dans des systèmes de gestion de feux de circulation. Les vulnérabilités des produits en question pouvaient être trouvées sur le web….
Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services
Google says it recently fixed an authentication weakness that allowed crooks to circumvent the email verification required to create a Google Workspace account, and leverage that to impersonate a domain holder…
Docker fixes critical 5-year old authentication bypass flaw
Docker has issued security updates to address a critical vulnerability impacting certain versions of Docker Engine that could allow an attacker to bypass authorization plugins (AuthZ) under certain circumstances. […]
Critical ServiceNow RCE flaws actively exploited to steal credentials
Threat actors are chaining together ServiceNow flaws using publicly available exploits to breach government agencies and private firms in data theft attacks. […]
PKfail Secure Boot bypass lets attackers install UEFI malware
Hundreds of UEFI products from 10 vendors are susceptible to compromise due to a critical firmware supply-chain issue known as PKfail, which allows attackers to bypass Secure Boot and install malware….
Acronis warns of Cyber Infrastructure default password abused in attacks
Acronis warned customers to patch a critical Cyber Infrastructure security flaw that lets attackers bypass authentication on vulnerable servers using default credentials. […]
WhatsApp for Windows lets Python, PHP scripts execute with no warning
A security issue in the latest version of WhatsApp for Windows allows sending Python and PHP attachments that are executed without any warning when the recipient opens them. […]
Millions of Devices Vulnerable to ‘PKFail’ Secure Boot Bypass Issue
Several vendors for consumer and enterprise PCs share a compromised crypto key that should never have been on the devices in the first place.
A bug in Chrome Password Manager caused user credentials to disappear
Google addressed a Chrome’s Password Manager bug that caused user credentials to disappear temporarily for more than 18 hours. Google has addressed a bug in Chrome’s…
NIST may not resolve vulnerability database backlog until early 2025, analysis shows
A new dashboard underscores the severity of the logjam that’s plagued the agency since February.
Critical Flaws In Traffic Light Controller Let Attackers Change Signal Lights
A critical vulnerability in a traffic light controller has been found, which might allow attackers to change the lights and cause a traffic jam. A traffic signal…
Google Chrome 127 Released With Fix for Vulnerabilities that Lead to Browser Crash
Google has announced the release of Chrome 127, which is now available on the Stable channel for Windows, Mac, and Linux. The new version, 127.0.6533.72/73 for…
GitLab Patched XSS Vulnerability that Lets Attackers to Execute Arbitrary Code
GitLab has released new Community Edition (CE) and Enterprise Edition (EE) versions to address multiple vulnerabilities. Among these, a high-severity cross-site scripting (XSS) vulnerability has garnered particular…
6600+ Vulnerable GeoServer instances Exposed to the Internet
Security analysts have identified 6,635 GeoServer instances exposed to the Internet, which makes them vulnerable to critical remote code execution (RCE) attacks. A recent tweet from the…
Vulnerabilities in LangChain Gen AI Could Prompt Data Leak
Open-Source Company Issues Patches After Being Alerted by Palo AltoA widely used generative artificial intelligence framework is vulnerable to a prompt injunction flaw that could enable sensitive data to leak….
CISA Adds Twilio Authy and IE Flaws to Exploited Vulnerabilities List
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed…
Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers
A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza….
Telegram App Flaw Exploited to Spread Malware Hidden in Videos
A zero-day security flaw in Telegram’s mobile app for Android called EvilVideo made it possible for attackers to malicious files disguised as harmless-looking videos. The exploit appeared for sale for…