Aggregator

CVE-2019-11358 | Oracle Financial Services - Regulatory Reporting for US Federal Reserve - Lombard Risk Integration Pack jQuery cross site scripting (EDB-52141 / Nessus ID 208606)

Vuldb Updates
10 months 1 week ago
A vulnerability, which was classified as critical, has been found in Oracle Financial Services - Regulatory Reporting for US Federal Reserve - Lombard Risk Integration Pack 8.0.4/8.0.5/8.0.6/8.0.7. Affected by this issue is some unknown functionality of the component jQuery. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2019-11358. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.
vuldb.com

CVE-2024-56924 | CodeAstro Internet Banking System 2.0.0 Admin Page pages_account cross-site request forgery (EUVD-2024-53451)

Vuldb Updates
10 months 1 week ago
A vulnerability, which was classified as problematic, was found in CodeAstro Internet Banking System 2.0.0. This affects an unknown part of the component Admin Page. The manipulation of the argument pages_account leads to cross-site request forgery. This vulnerability is uniquely identified as CVE-2024-56924. It is possible to initiate the attack remotely. There is no exploit available.
vuldb.com

CVE-2024-56908 | Perfex CRM up to 3.2.0 HTTP POST Request upload_sales_file rel_id improper authentication (EUVD-2024-53448)

Vuldb Updates
10 months 1 week ago
A vulnerability was found in Perfex CRM up to 3.2.0. It has been declared as critical. This vulnerability affects the function upload_sales_file of the component HTTP POST Request Handler. The manipulation of the argument rel_id leads to improper authentication. This vulnerability was named CVE-2024-56908. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.
vuldb.com

Lynx

Dark Feed IO
10 months 1 week ago

You must login to view this content

cohenido

SDL 75/100问:前期的安全设计与测试是否解决不同层面问题?

我的安全视界观
10 months 1 week ago
这个问题非常好,说明提出问题的人对SDL有一定理论研究,但缺少实践,也问出了一个痛点。从严谨的角度来说,在设计阶段提出的安全设计,需要验证是否业务团队是否都落实?通常在设计阶段会评审和检查设计方案,在编码阶段也会去进一步实现,不过得等到测试阶段来验证效果,由此可以看出安全测试的一个主要目的是:验证安全设计是否实施。 安全测试的内容又不止安全设计,完整的来讲还要包括:安全需求、部署环境时配置不当引入的安全问题等。但是在实际落地过程中,由于资源、人员等因素,会导致少有公司能够完全按照安全设计去写测试用例,然后一项项的进行测试。同时为了保证安全性,通常会引入各类AST工具及人工渗透等方式,在上线前尽可能多的发现问题。 所以,可以认为安全测试解决的问题范围理论上包含了安全设计,但实际可能会出现遗漏。 1、SDL 100问 SDL100问:我与SDL的故事 SAST误报太高,如何解决? SDL需要哪些人参与? SDL如何做成平台化以及价值? 安全SDK提供安全API是怎么做的? 安全测试,测不出逻辑漏洞怎么办? 大家都有哪些SDL运营指标? 业务系统是否可以带漏洞上线? 按千行代码漏洞数进行量化,如何制定指标? 如何定位安全与业务的关系? 如何定位安全培训? SDL 74/100问:有没有SDL相关的监管要求? 2、SDL创新实践 首发!“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键:研发安全团队 DevSecOps实施关键:研发安全流程 DevSecOps实施关键:研发安全规范 DevSecOps实施关键:研发安全工具 从安全视角,看研发安全 数字化转型下研发安全痛点 一个思考:安全测试驱动产品安全? 3、SDL最初实践 【SDL最初实践】开篇 【SDL最初实践】安全培训 【SDL最初实践】安全需求 【SDL最初实践】安全设计 【SDL最初实践】安全开发 【SDL最初实践】安全测试 【SDL最初实践】安全审核 【SDL最初实践】安全响应 4、安全运营实践 基于实践的安全事件简述 安全事件运营SOP:钓鱼邮件 安全事件运营SOP:网络攻击 安全事件运营SOP:蜜罐告警 安全事件运营SOP:webshell事件 安全事件运营SOP:接收漏洞事件 应急能力提升:实战应急困境与突破 应急能力提升:挖矿权限维持攻击模拟

Managed ad