CVE-2019-16867

HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=delete, a similar issue to CVE-2018-16774. (If the attacker deletes config.php and visits install/index.php, they can reinstall the product.)
Source: NIST

LORCA Launches Open Call for Fourth Cohort of Cybersecurity Innovators

The London Office for Rapid Cybersecurity Advancement (LORCA) has announced the launch of its global open call for its fourth cohort of cyber-scaleups.

LORCA, launched in June 2018 and hosted at Plexal, an innovation center located in the Here East campus in London’s Queen Elizabeth Olympic Park, aims to bolster the UK’s cybersecurity sector and make the internet safer for everyone by supporting the most promising later-stage companies.

LORCA offers 12-month programs from which companies can benefit from a collaborative ecosystem of academia, innovators, government, investors and industry.

It has already welcomed three cohorts of companies into its previous programs, which have gone on to raise over £58m in investment and won 514 contracts.

LORCA is now inviting new applications based on three innovation themes, after consulting with industry leaders from various sectors about their most pressing cyber-challenges and the types of solutions they need from the market in the future.

The three themes are: connected economy, connected everything and connected everyone.

The latest cohort will receive bespoke support with scaling in the UK and abroad, as well as access to commercial and engineering experts through delivery partners Deloitte and the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast.

Saj Huq, program director, LORCA, said: “As technology increasingly impacts all aspects of business and society, it’s clear that a cybersecurity paradigm shift is needed. Now more than ever, we need to support the development of cutting-edge innovations across the board to help us lead safer digital lives, keep our infrastructure secure and protect our digital economy from complex and evolving cyber threats. Given its increasing significance within a world that is more connected by the day, cybersecurity has to be everywhere – and serve everyone.”

The deadline for applying is Monday November 4 2019, with full details available here.

Source: Infosecurity

Experts Question ECJ’s Right to be Forgotten Ruling

Google’s victory in a landmark right to be forgotten case asks more questions than it answers, according to legal and technology experts.

The European Court of Justice (ECJ) ruled yesterday that the search giant only needs to remove links from its services inside the EU in order to comply with legitimate right to be forgotten/right to erasure requests.

French privacy regulator CNIL had demanded that Google remove links globally to pages containing false or damaging info on a person, in a case dating back to 2015.

Part of Google’s argument for not removing info outside the EU was that the law could be exploited by oppressive governments to cover up abuses and control the flow of information, much as China does with its Great Firewall censorship apparatus.

“Since 2014, we’ve worked hard to implement the right to be forgotten in Europe, and to strike a sensible balance between people’s rights of access to information and privacy,” the search giant said of the result. “It’s good to see that the court agreed with our arguments.”

However, some argued that the ruling undermines the right to be forgotten by failing to institute the law globally.

“Google is normally able to detect visitors from Europe to its global search engines and block them from seeing certain web pages containing sensitive information about individuals from queries made using their names,” explained Simon Migliano, head of research at Top10VPN.

“However, anyone connected to a VPN server located outside Europe will evade such detection and be able to view those results regardless of any ‘right to be forgotten’ decision in place. This loophole highlights the significant limitations of geo-restricting contentious web content in this day and age.”

Mishcon de Reya data protection adviser, Jon Baines, added that there are still question marks over what happens to the UK if it leaves the EU without a deal.

“Will UK search engine domains retain links to information removed from EU search engine domains? Or might the UK decide ultimately to give effect to delinking decisions made in the EU? Private individuals, as well as businesses, will want urgent clarification on this from government,” he argued.

EU citizens have been able to request that information about them be removed from the web since 2014. Since then, the GDPR has made it easier for EU citizens to request that such information be expunged from the web through its right to erasure clause. Providers have a month to respond to a verbal or written request.

Ron Moscona, a partner at international law firm Dorsey & Whitney, explained that the ruling has failed to add clarity on how and when the GDPR should be limited in scope to within the EU.

“The provisions of Article 3 of GDPR that define its territorial effect clearly extend the legal rights and obligations of GDPR, in many circumstances, to the processing of personal data outside the EU including by entities operating outside the EU,” he said.

“Today’s decision of the EU court does not address these broader territorial issues.”

Source: Infosecurity

CVE-2019-5094 (e2fsprogs)

An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
Source: NIST

CVE-2019-13527

In Rockwell Automation Arena Simulation Software Cat. 9502-Ax, Versions 16.00.00 and earlier, a maliciously crafted Arena file opened by an unsuspecting user may result in the use of a pointer that has not been initialized.
Source: NIST

CVE-2019-14220

An issue was discovered in BlueStacks 4.110 and below on macOS and 4.120 and below on Windows. BlueStacks runs Android in a virtual machine (VM) to enable Android apps to run on Windows or macOS. The bug is a local arbitrary file read through a system service call. The affected method runs with system admin privilege and, given a file name as a parameter, returns the content of that file. A malicious app calling the affected method can therefore read the content of any system file it is not authorized to read.
Source: NIST