Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On May 05, 2016

May 4, SecurityWeek – (International) Attackers exploit critical ImageMagick vulnerability. Two security researchers discovered that a remote code execution (RCE) vulnerability in the open-source ImageMagick software, dubbed “ImageTragick,” was being exploited in the wild. Attackers could exploit the flaw to gain access to the victim’s server by creating an exploit file and giving it an image file extension to bypass the security check, which tricks ImageMagick into converting the malicious file and executing the malicious code. Source
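The bypass described above relies on the server trusting the file extension alone. The following added example (not code from the article or from ImageMagick) shows the defender-side check: compare the upload’s leading bytes against the standard file signature of the format its extension claims, and refuse to hand anything that fails the check to an image converter. The extension allow-list and the sample uploads are constructed for illustration.

```python
import os

# Standard leading bytes ("magic numbers") of the image formats this
# constructed upload handler is willing to accept. Any other extension
# is rejected outright rather than passed on to an image converter.
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
}


def magic_matches_extension(data: bytes, filename: str) -> bool:
    """Return True only if the file content starts with a signature that
    belongs to the format the extension claims. A renamed non-image file
    (the trick in the article) fails here even though its name looks safe."""
    ext = os.path.splitext(filename)[1].lower()
    signatures = IMAGE_MAGIC.get(ext)
    if not signatures:
        return False  # extension is not on the allow-list
    return any(data.startswith(sig) for sig in signatures)


def triage_uploads(uploads):
    """Split (filename, bytes) pairs into the ones safe to convert and the
    ones to quarantine; returns (accepted_names, rejected_names)."""
    accepted, rejected = [], []
    for name, data in uploads:
        (accepted if magic_matches_extension(data, name) else rejected).append(name)
    return accepted, rejected


# Constructed sample uploads: one genuine PNG header, one text file that
# was simply renamed to .png, and one real JPEG header under a .png name.
SAMPLE_UPLOADS = [
    ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("avatar2.png", b"this is not an image, only the extension says so"),
    ("banner.png", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
]

if __name__ == "__main__":
    ok, bad = triage_uploads(SAMPLE_UPLOADS)
    print("accepted:", ok)   # ['avatar.png']
    print("rejected:", bad)  # ['avatar2.png', 'banner.png']
```

The check is a pre-filter for the specific extension trick the article describes; it does not replace patching the converter itself.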

May 3, Softpedia – (International) Stored XSS bug affects all bbPress WordPress Forum versions. Automattic released bbPress 2.5.9, the newest version of its WordPress forum plugin, which patches a stored cross-site scripting (XSS) vulnerability after a security researcher from Sucuri found that attackers could use the bbPress user mention (@username) system to store malicious code inside forum posts, allowing skilled attackers to craft code that steals cookies from forum admins and impersonates them with elevated privileges on the WordPress backend. Source

May 3, Softpedia – (International) MosQUito exploit stealing legitimate traffic from WordPress and Joomla websites. …, Inc., published a list revealing that 9,285 websites were affected by a malicious campaign dubbed MosQUito, after discovering that hackers were searching for websites that loaded the jQuery JavaScript library and replacing it with a malicious PHP file, jQuery.min.php, to steal paid traffic from legitimate businesses and redirect victims to another website controlled by the attacker. Source

May 3, Softpedia – (International) Samsung smart home platform exposes door lock codes. Researchers from the University of Michigan and Microsoft discovered two security flaws in Samsung’s SmartThings smart home management platform: a flaw that allowed SmartApps to access more operations on devices than the apps’ functionality requires, and a flaw in the SmartThings event subsystem, which did not sufficiently protect events carrying sensitive information such as lock PIN codes, allowing attackers to open locks on command. Officials from SmartThings reported that the flaws have been patched. Source

Reprinted from the USDHS Daily Open Source Infrastructure Report


Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.