Here is the selection of the most critical cybersecurity vulnerabilities discovered last week.
Below you will find direct links to the most interesting articles. For the record, this digest is prepared with a real, non-artificial brain, so enjoy reading and thank you for supporting Le Décodeur!
This week's selected news
Cybersecurity: Microsoft's Recall feature universally slammed
At the end of May, Microsoft unveiled its new Recall feature, which will be available on Copilot+ PCs. It takes screenshots… - Artificial Intelligence
Malware can steal data collected by the Windows Recall tool
Cybersecurity researchers demonstrated how malware could potentially steal data collected by the new Windows Recall feature.
Huge Surge in Attacks Exploiting Check Point VPN Zero-Day Vulnerability
Check Point published an advisory regarding a critical vulnerability, CVE-2024-24919, which has since seen a surge in exploitation attempts.
CISA says ‘patch now’ to 7-year-old Oracle WebLogic bug
Experts say Big Red will probably re-release patch in an upcoming cycle
TikTok fixes zero-day bug used to hijack high-profile accounts
Over the past week, attackers have hijacked high-profile TikTok accounts belonging to multiple companies and celebrities, exploiting a zero-day vulnerability in the social media platform's direct messages feature.
Hackers exploit 2018 ThinkPHP flaws to install ‘Dama’ web shells
Chinese threat actors are targeting ThinkPHP applications vulnerable to CVE-2018-20062 and CVE-2019-9082 to install a persistent web shell named Dama.
Replicate AI Vulnerability Could Expose Sensitive Data
Researchers found a serious security vulnerability in the Replicate AI platform that risked AI models. Since the vendors patched the flaw following the bug report, the threat no longer persists but still demonstrates the severity
WebEx: hundreds of thousands of meetings potentially publicly accessible
The debate over security flaws in WebEx instances continues. "Die Zeit" found hundreds of thousands of meetings that were potentially publicly accessible.
Popular WordPress Plugins Leave Millions Open to Backdoor Attacks
Fastly discovers unauthenticated stored XSS attacks plaguing WordPress plugins! Learn how these attacks work and how to secure your site.
Atlassian Confluence High-Severity Bug Allows Code Execution
Because of the role Confluence Server plays in managing documentation and knowledge databases, the researchers recommend that users upgrade to patch CVE-2024-21683 as soon as possible.
NIST Commits to Plan to Resume NVD Work
The agency aims to burn down the backlog of vulnerabilities waiting to be added to the National Vulnerability Database via additional funding, a third-party contract, and a partnership with CISA.
Exploit for critical Progress Telerik auth bypass released, patch now
Researchers have published a proof-of-concept (PoC) exploit script demonstrating a chained remote code execution (RCE) vulnerability on Progress Telerik Report Servers.
Cox fixed an API auth bypass exposing millions of modems to attacks
Cox Communications has fixed an authorization bypass vulnerability that enabled remote attackers to abuse exposed backend APIs to reset millions of modems’ settings and steal customers’ sensitive personal information.
Zyxel issues emergency RCE patch for end-of-life NAS devices
Zyxel Networks has released an emergency security update to address three critical vulnerabilities impacting older NAS devices that have reached end-of-life.
A flaw in EmbedAI slips compromised data into LLMs – Le Monde Informatique
Intrusion, Hacking and Firewalls: A vulnerability has been discovered in the EmbedAI application. It can be exploited to trick a user into downloading to their…