ATTENTION: New - CVE-2019-20390
via "National Vulnerability Database".
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Subrion CMS 4.2.1 that allows a remote attacker to remove files on the server without a victim's knowledge, by enticing an authenticated user to visit an attacker's web page. The application fails to validate the CSRF token for a GET request. An attacker can craft a panel/uploads/read.json?cmd=rm URL (removing this token) and send it to the victim.
ATTENTION: New - CVE-2019-20389
via "National Vulnerability Database".
An XSS issue was identified on the Subrion CMS 4.2.1 /panel/configuration/general settings page. A remote attacker can inject arbitrary JavaScript code in the v[language_switch] parameter (within multipart/form-data), which is reflected back within a user's browser without proper output encoding.
ATTENTION: New - CVE-2019-19721
via "National Vulnerability Database".
An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted image file. NOTE: this may be related to the SDL_Image product.
ATTENTION: New - CVE-2019-18666
via "National Vulnerability Database".
An issue was discovered on D-Link DAP-1360 revision F devices. Remote attackers can start a telnet service without authorization via an undocumented HTTP request. Although this is the primary vulnerability, the impact depends on the firmware version. Versions 609EU through 613EUbeta were tested. Versions through 6.12b01 have weak root credentials, allowing an attacker to gain remote root access. After 6.12b01, the root credentials were changed but the telnet service can still be started without authorization.
How to enable SSL on Ubuntu Linux for testing
via "Security on TechRepublic".
Sometimes admins need to be able to test a web-based solution before deciding it's worth using. When that software requires SSL, you can enable a snake-oil SSL key for testing purposes.
UK Supercomputing Service ARCHER Still Offline After Monday Attack
via "Dark Reading".
Incident comes amid US warnings about Chinese cybergroups targeting organizations involved in COVID-19-related research.
Hoaxcalls Botnet Exploits Symantec Secure Web Gateways
via "Threatpost".
The fast-moving botnet has added an exploit for an unpatched bug in an unsupported version of the security gateway.
TOR Virtual Network Tunneling Tool 0.4.3.5
via "Security Tool Files - Packet Storm".
Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs).
ATTENTION: New - CVE-2019-20802
via "National Vulnerability Database".
An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application's file-transfer web server improperly displays directory names, leading to Stored XSS, which may be used to steal a user's data. This requires user interaction because there is no known direct way for an attacker to create a crafted directory name on a victim's device. However, a crafted directory name can occur if a victim extracts a ZIP archive that was provided by an attacker.
ATTENTION: New - CVE-2019-20801
via "National Vulnerability Database".
An issue was discovered in the Readdle Documents app before 6.9.7 for iOS. The application's file-transfer web server allows for cross-origin requests from any domain, and the WebSocket server lacks authorization control. Any web site can execute JavaScript code (that accesses a user's data) via cross-origin requests.
ATTENTION: New - CVE-2019-20800
via "National Vulnerability Database".
In Cherokee through 1.2.104, remote attackers can trigger an out-of-bounds write in cherokee_handler_cgi_add_env_pair in handler_cgi.c by sending many request headers, as demonstrated by a GET request with many "Host: 127.0.0.1" headers.
ATTENTION: New - CVE-2019-20799
via "National Vulnerability Database".
In Cherokee through 1.2.104, multiple memory corruption errors may be used by a remote attacker to destabilize the work of a server.
ATTENTION: New - CVE-2019-20798
via "National Vulnerability Database".
An XSS issue was discovered in handler_server_info.c in Cherokee through 1.2.104. The requested URL is improperly displayed on the About page in the default configuration of the web server and its administrator panel. The XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands.
ATTENTION: New - CVE-2019-20797
via "National Vulnerability Database".
An issue was discovered in e6y prboom-plus 2.5.1.5. There is a buffer overflow in client and server code responsible for handling received UDP packets, as demonstrated by I_SendPacket or I_SendPacketTo in i_network.c.
Monday review - the hot 17 stories of the week
via "Naked Security".
From DHL delivery phishes to the top 10 most exploited bugs - and everything in between. It's weekly roundup time.
Shiny new Azure login attracts shiny new phishing attacks
via "Naked Security".
Admins working with Microsoft Azure beware: phishers are updating their assets to reflect changes on the company's cloud-based login screen.
GitLab survey suggests DevOps is becoming real, while DevSecOps has work to do
via "Security on TechRepublic".
Commentary: Developers are finally taking on more of an operational role, but they still aren't getting involved enough in security.
The 3 Top Cybersecurity Myths & What You Should Know
via "Dark Reading".
With millions of employees now attempting to work from home, it's vital to challenge misconceptions about cybersecurity.
Senate renews warrantless collection of web histories
via "Naked Security".
The government can keep on surveilling your online life without a warrant. An amendment to ban it failed by just one vote.
Edison Mail iOS Bug Exposes Emails to Strangers
via "Threatpost".
A bug introduced in an iOS software update on the Edison Mail app allowed emails to be viewed by strangers.