SAP BusinessObjects Explorer 14.0.5 suffers from a cross site flashing vulnerability. It is possible to directly load and display the com_businessobjects_polestar_bootstrap.swf Flash file and specify a configUrl. This requires the victim to be logged and the attacker needs to know the /webres/ URL, which is known as soon as the attacker is in possession of valid credentials. The configuration file specified in the configURL parameter may reside on a foreign host. The configuration file itself may contain URLs of further Flash files residing on a foreign domain. If successful, the victim loads foreign Flash files, which leads to Cross Site Flashing.
The Ebola virus becomes the latest bait used by fraudsters
The Spanish Civil Guard has warned via Twitter of a number of Ebola-related hoaxes that have appeared over recent days.
Once again, WhatsApp has become the main channel for such scams, which include bogus reports of new cases of Ebola or the canceling of classes at the CEU San Pablo University in Madrid due to a possible infection.
Hackers often exploit such situations for financial gain, and it was never in doubt that the first confirmed case of Ebola in Spain would give rise to these types of scams.
The Spanish Civil Guard have asked users to help avoid generating panic by not distributing these messages. They also encourage people to get their information through what they refer to as “serious channels of communication.”
The post The Ebola virus becomes the latest bait used by fraudsters appeared first on MediaCenter Panda Security.
Week in security: Dubai Police use Google Glass facial recognition, Bugzilla gets bugged and ‘Unpatchable’ USB exploit lands on GitHub
This week in security, we covered a full range of privacy and malware, with controversial plans to equip police officers with facial recognition packed Google Glass in Dubai, and the BadUSB malware finding its way on to GitHub.
The post Week in security: Dubai Police use Google Glass facial recognition, Bugzilla gets bugged and ‘Unpatchable’ USB exploit lands on GitHub appeared first on We Live Security.
Dairy Queen hit by card data stealing malware
Dairy Queen has become the latest company to be hit by payment card stealing malware, reports the Wall Street Journal. The breach is said to have affected 395 of its 4,500 American locations.
The post Dairy Queen hit by card data stealing malware appeared first on We Live Security.
Hackers Target ATMs in Russia, Eastern Europe – The Wall Street Journal
Report: Huge Spike in Mobile Malware Targets Android, Especially Mobile Payments – PCWorld
Hackers Steal Millions In Cash From ATMs, Using Tyupkin Malware – Dark Reading
Kaspersky Lab Hires Sales Veteran To Bolster Enterprise Push – CRN
CVE-2014-3678
Cross-site scripting (XSS) vulnerability in the Monitoring plugin before 1.53.0 for CloudBees Jenkins allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2014-4312
Multiple cross-site scripting (XSS) vulnerabilities in Epicor Enterprise 7.4 before FS74SP6_HotfixTL054181 allow remote attackers to inject arbitrary web script or HTML via the (1) Notes section to Order details; (2) Description section to “Order to consume”; (3) Favorites name section to Favorites; (4) FiltKeyword parameter to Procurement/EKPHTML/search_item_bt.asp; (5) Act parameter to Procurement/EKPHTML/EnterpriseManager/Budget/ImportBudget_fr.asp; (6) hdnOpener or (7) hdnApproverFieldName parameter to Procurement/EKPHTML/EnterpriseManager/UserSearchDlg.asp; or (8) INTEGRATED parameter to Procurement/EKPHTML/EnterpriseManager/Codes.asp.