This Week in Security: Roundcube, Unified Threat Naming, and AI Chat Logs
Summary
An authenticated Remote Code Execution (RCE) vulnerability has been discovered in the Roundcube email client, affecting versions 1.5.10 or lower and versions 1.6.11 and 1.7.2.
The issue allows the filename of a file uploaded through the email client to serve as a payload delivery mechanism, and it can be chained with a GPG class from the PEAR library to execute arbitrary commands.
Multiple vulnerabilities have been discovered in Infoblox's NetMRI network automation suite, including unauthorized code execution via special encoding, hard-coded credentials, SQL injection, and an authenticated arbitrary file read.
The Yomani XR credit card terminal from Worldline has been reverse engineered, revealing a lack of security in the device’s software, including an accessible serial debug port that does not require a password.
While the device features extensive anti-tamper protections, the serial port is accessible via a removable panel that does not trigger the tamper protection.
CrowdStrike and Microsoft have announced a new collaborative effort to unify their respective threat actor naming schemes, with the goal of keeping their lists of threat actors aligned.