‼ CVE-2020-27664 ‼
via "National Vulnerability Database".
admin/src/containers/InputModalStepperProvider/index.js in Strapi before 3.2.5 has unwanted /proxy?url= functionality.
‼ CVE-2020-9900 ‼
via "National Vulnerability Database".
An issue existed within the path validation logic for symlinks. This issue was addressed with improved path sanitization. This issue is fixed in iOS 13.6 and iPadOS 13.6, macOS Catalina 10.15.6, tvOS 13.4.8, watchOS 6.2.8. A local attacker may be able to elevate their privileges.
‼ CVE-2020-9990 ‼
via "National Vulnerability Database".
A race condition was addressed with additional validation. This issue is fixed in macOS Catalina 10.15.6. A malicious application may be able to execute arbitrary code with kernel privileges.
🕴 Credential-Stuffing Attacks Plague Loyalty Programs 🕴
via "Dark Reading".
But that's not the only type of web attack cybercriminals have been profiting from.
🕴 7 Mobile Browsers Vulnerable to Address-Bar Spoofing 🕴
via "Dark Reading".
Flaws allow attackers to manipulate the URLs users see on their mobile devices, Rapid7 says.
🕴 Botnet Infects Hundreds of Thousands of Websites 🕴
via "Dark Reading".
KashmirBlack has been targeting popular content management systems, such as WordPress, Joomla, and Drupal, and using Dropbox and GitHub for communication to hide its presence.
‼ CVE-2020-18129 ‼
via "National Vulnerability Database".
A CSRF vulnerability in Eyoucms v1.2.7 allows an attacker to add an admin account via login.php.
‼ CVE-2018-18508 ‼
via "National Vulnerability Database".
In Network Security Services (NSS) before 3.36.7 and before 3.41.1, a malformed signature can cause a crash due to a null dereference, resulting in a Denial of Service.
‼ CVE-2020-15270 ‼
via "National Vulnerability Database".
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched.
⚠ S3 Ep3: Cryptography, hacking and pwning Chrome [Podcast] ⚠
via "Naked Security".
Listen to the latest Naked Security podcast!
‼ CVE-2019-14716 ‼
via "National Vulnerability Database".
Verifone VerixV Pinpad Payment Terminals with QT000530 have an undocumented physical access mode (aka VerixV shell.out).
‼ CVE-2020-15003 ‼
via "National Vulnerability Database".
OX App Suite through 7.10.3 allows Information Exposure because a user can obtain the IP address and User-Agent string of a different user (via the session API during shared Drive access).
‼ CVE-2018-8062 ‼
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability on Comtrend AR-5387un devices with A731-410JAZ-C04_R02.A2pD035g.d23i firmware allows remote attackers to inject arbitrary web script or HTML via the Service Description parameter while creating a WAN service.
‼ CVE-2019-14711 ‼
via "National Vulnerability Database".
Verifone MX900 series Pinpad Payment Terminals with OS 30251000 have a race condition for RBAC bypass.
❌ Ransomware Takes Down Network of French IT Giant ❌
via "Threat Post".
Sopra Steria was hit with a cyberattack that reportedly encrypted parts of its network on Oct. 20, but the company has remained mostly mum on details.
🕴 A Pause to Address 'Ethical Debt' of Facial Recognition 🕴
via "Dark Reading".
Ethical use will require some combination of consistent reporting, regulation, corporate responsibility, and adversarial technology.
❌ Nvidia Warns Gamers of Severe GeForce Experience Flaws ❌
via "Threat Post".
Versions of Nvidia GeForce Experience for Windows prior to 3.20.5.70 are affected by a high-severity bug that could enable code execution, denial of service and more.
‼ CVE-2020-27216 ‼
via "National Vulnerability Database".
In Eclipse Jetty versions 1.0 through 9.4.32.v20200930, 10.0.0.alpha1 through 10.0.0.beta2, and 11.0.0.alpha1 through 11.0.0.beta2O, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race, they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
🔏 Friday Five 10-23 🔏
via "Digital Guardian".
Indictments of Russian intelligence officers, NSA advisories, and stolen money donated to charities - catch up on the week's infosec news with the Friday Five!
🕴 COVID-19: Latest Security News & Commentary 🕴
via "Dark Reading".
Check out Dark Reading's updated, exclusive news and commentary surrounding the coronavirus pandemic.
‼ CVE-2020-3998 ‼
via "National Vulnerability Database".
VMware Horizon Client for Windows (5.x prior to 5.5.0) contains an information disclosure vulnerability. A malicious attacker with local privileges on the machine where Horizon Client for Windows is installed may be able to retrieve hashed credentials if the client crashes.