Tag

Code Execution

All articles tagged with #code execution

vulnerability-network-security · 1 year ago

Ivanti Releases Urgent Patches for Severe CSA Security Flaws

Ivanti has released critical security updates for its Cloud Services Application (CSA) and Connect Secure products to address multiple vulnerabilities, including an authentication bypass (CVE-2024-11639) with a CVSS score of 10.0, and several command and SQL injection flaws. These vulnerabilities could allow remote attackers to gain administrative access and execute arbitrary code. Users are urged to update to the latest versions to mitigate potential risks, although no active exploitation has been reported yet.

cybersecurity · 1 year ago

Fortinet Addresses Critical Vulnerabilities Across FortiClientLinux and Other Products

Fortinet has released critical security patches to address a vulnerability in FortiClientLinux that could allow arbitrary code execution. The vulnerability, tracked as CVE-2023-45590, affects specific versions of FortiClientLinux and is attributed to an "Improper Control of Generation of Code" flaw. Fortinet's April 2024 security patches also resolve issues with the FortiClientMac installer and FortiOS/FortiProxy, underscoring the importance of keeping systems up to date to mitigate potential threats.

software-security-cyber-threat · 2 years ago

Ivanti Avalanche: Critical Security Flaws Threaten Thousands of Organizations

Multiple critical security flaws have been discovered in Ivanti Avalanche, a mobile device management solution used by 30,000 organizations. The vulnerabilities, including stack-based buffer overflows, could allow remote attackers to execute code or crash systems. Ivanti has released a patch to address the issues, along with six other flaws that could lead to authentication bypass and remote code execution. Users are urged to update their software promptly to mitigate potential threats.

network-security-vulnerability · 2 years ago

Zyxel Firewall and VPN Devices Face Critical Security Threats

Zyxel has released software updates to address two critical security flaws affecting select firewall and VPN products that could be abused by remote attackers to achieve code execution. Both flaws are buffer overflow vulnerabilities and are rated 9.8 out of 10 on the CVSS scoring system. The impacted devices include ATP, USG FLEX, USG FLEX50(W) / USG20(W)-VPN, VPN, and ZyWALL/USG. Security researchers from TRAPA Security and STAR Labs SG have been credited with discovering and reporting the flaws.