Our news
-
Reported Supply Chain Compromise Affecting XZ Utils Data Compression Library, CVE-2024-3094
CISA and the open source community are responding to reports of malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. This activity was assigned CVE-2024-3094. XZ Utils is data compression software and may be present in Linux distributions. The malicious code may allow unauthorized access to affected systems. CISA recommends developers and users…
-
Apple Released Security Updates for Safari and macOS
Apple released security updates to address a vulnerability (CVE-2024-1580) in Safari and macOS. A cyber threat actor could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the following advisories and apply the necessary updates: Safari 17.4.1 macOS Sonoma 14.4.1 macOS Ventura 13.6.6
-
Vulnerability Summary for the Week of March 18, 2024
High Vulnerabilities Primary Vendor — Product Description Published CVSS Score Source & Patch Info N/A — N/A Directory Traversal vulnerability in Devan-Kerman ARRP v.0.8.1 and before allows a remote attacker to execute arbitrary code via the dumpDirect in RuntimeResourcePackImpl component. 2024-03-19 8.8 CVE-2024-24042 cve@mitre.org cve@mitre.org N/A — N/A danielmiessler fabric through 1.3.0…
-
CISA and FBI Release Secure by Design Alert to Urge Manufacturers to Eliminate SQL Injection Vulnerabilities
Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Secure by Design Alert, Eliminating SQL Injection Vulnerabilities in Software. This Alert was crafted in response to a recent, well-publicized exploitation of SQL injection (SQLi) defects in a managed file transfer application that impacted thousands of organizations. Additionally, the Alert highlights the prevalence…
-
Ivanti Releases Security Updates for Neurons for ITSM and Standalone Sentry
Ivanti has released security advisories to address vulnerabilities in Ivanti Neurons for ITSM and Standalone Sentry. A cyber threat actor could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Ivanti advisories and apply the necessary updates: CVE-2023-46808 (Authenticated Remote File Write) for Ivanti Neurons for…
-
CISA, FBI, and MS-ISAC Release Update to Joint Guidance on Distributed Denial-of-Service Techniques
Today, CISA, the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released an updated joint guide, Understanding and Responding to Distributed Denial-Of-Service Attacks, to address the specific needs and challenges faced by organizations in defending against DDoS attacks. The guidance now includes detailed insight into three different types of…
-
Vulnerability Summary for the Week of March 11, 2024
High Vulnerabilities Primary Vendor — Product Description Published CVSS Score Source & Patch Info academylms — academy_lms_-_elearning_and_online_course_solution_for_wordpress The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. This is due to plugin allowing arbitrary user meta…
-
Repository for Software Attestation and Artifacts Now Live
Software producers who partner with the federal government can now upload their Secure Software Development Attestation Forms to CISA’s Repository for Software Attestation and Artifacts. Software producers that provide the government software can fill out the form to attest to implementation of specific security practices. CISA and the Office of Management and Budget (OMB) released…