ATTENTION‼ New - CVE-2019-10804
via "National Vulnerability Database".
serial-number through 1.3.0 allows execution of arbitrary commands. The "cmdPrefix" argument in the serialNumber function is used by the "exec" function without any validation.
ATTENTION‼ New - CVE-2019-10803
via "National Vulnerability Database".
push-dir through 0.4.1 allows execution of arbitrary commands. Arguments provided as part of the variable "opt.branch" are not validated before being provided to the "git" command within "index.js#L139". This could be abused by an attacker to inject arbitrary commands.
ATTENTION‼ New - CVE-2019-10802
via "National Vulnerability Database".
giting versions prior to 0.0.8 allow execution of arbitrary commands. The first argument "repo" of the function "pull()" is executed by the package without any validation.
ATTENTION‼ New - CVE-2019-10801
via "National Vulnerability Database".
enpeem through 2.2.0 allows execution of arbitrary commands. The "options.dir" argument is provided to the "exec" function without any sanitization.
ATTENTION‼ New - CVE-2018-21035
via "National Vulnerability Database".
In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
Coronavirus: How hackers are exploiting the epidemic to steal your information
via "Security on TechRepublic".
Karen Roby interviewed a cybersecurity expert about a different threat from the one COVID-19 brings.
ATTENTION‼ New - CVE-2015-5361
via "National Vulnerability Database".
Background: For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensions option (which is disabled by default) is to provide similar functionality when the SRX secures the FTP/FTPS client. As the control channel is encrypted, the FTP ALG cannot inspect the port specific information and will open a wider TCP data channel (gate) from client IP to server IP on all destination TCP ports. In FTP/FTPS client environments to an enterprise network or the Internet, this is the desired behavior as it allows firewall policy to be written to FTP/FTPS servers on well-known control ports without using a policy with destination IP ANY and destination port ANY.

Issue: The ftps-extensions option is not intended or recommended where the SRX secures the FTPS server, as the wide data channel session (gate) will allow the FTPS client temporary access to all TCP ports on the FTPS server. The data session is associated to the control channel and will be closed when the control channel session closes. Depending on the configuration of the FTPS server, supporting load-balancer, and SRX inactivity-timeout values, the server/load-balancer and SRX may keep the control channel open for an extended period of time, allowing an FTPS client access for an equal duration. Note that the ftps-extensions option is not enabled by default.
ATTENTION‼ New - CVE-2015-3006
via "National Vulnerability Database".
On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for some time, but immediately after boot, the entropy is very low. This issue only affects the QFX3500 and QFX3600 switches. No other Juniper Networks products or platforms are affected by this weak entropy vulnerability.
Fraud alert: Voice authentication platform analyzes 1,380 data points per call
via "Security on TechRepublic".
Pindrop's dashboard scores the caller, the device, and the behavior to spot bad actors and authentic customers.
SerialTweaker 1.1
via "Security Tool Files – Packet Storm".
SerialTweaker is a tool that can be used to load a serialized object, change its contents, and reserialize it to a new serialized object with modified fields inside.
nfstream 3.2.2
via "Security Tool Files – Packet Storm".
nfstream is a Python package providing fast, flexible, and expressive data structures designed to make working with online or offline network data both easy and intuitive. It aims to be the fundamental high-level building block for doing practical, real world network data analysis in Python. Additionally, it has the broader goal of becoming a common network data processing framework for researchers providing data reproducibility across experiments.
ATTENTION‼ New - CVE-2019-17026
via "National Vulnerability Database".
Incorrect alias information in IonMonkey JIT compiler for setting array elements could lead to a type confusion. We are aware of targeted attacks in the wild abusing this flaw. This vulnerability affects Firefox ESR < 68.4.1, Thunderbird < 68.4.1, and Firefox < 72.0.1.
Monday review – the hot 23 stories of the week
via "Naked Security".
From Chrome's mystery zero-day to why the EC has switched to Signal, get yourself up to date with everything we've written in the last week.
5G and IoT security: Why cybersecurity experts are sounding an alarm
via "Security on TechRepublic".
Without regulation and strong proactive measures, 5G networks remain vulnerable to cyberattacks, and the responsibility falls on businesses and governments.
Facebook sues data analytics firm OneAudience over malicious SDK
via "Naked Security".
Facebook says OneAudience paid developers to install its social-media-profile-looting SDK into their apps to get marketing data for clients.
Fresh phish! Stripe scam baked and delivered in under an hour
via "Naked Security".
Less than an hour after the crooks registered their scamming domain, the phishing attack was under way.
Ironpie robot vacuum can suck up your privacy
via "Naked Security".
You might want to unplug this not-so-smart robot: researchers found they can watch video streams piped out from its security camera.
Let's Encrypt issues one billionth free certificate
via "Naked Security".
Thanks to this flood of free certificates, the web is a lot more encrypted than it was a few years ago.
What Disney+ Can Teach Businesses About Customer Security
via "Dark Reading".
Businesses must prioritize customer protection by taking on some of the responsibility to prevent credential stuffing attacks through multipronged authentication and identity management.