‼ CVE-2020-3591 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of the Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-3593 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in Cisco SD-WAN Software could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted request to a utility that is running on an affected system. A successful exploit could allow the attacker to gain root privileges.📖 Read
via "National Vulnerability Database".
❌ WordPress Sites Open to Code Injection Attacks via Welcart e-Commerce Bug ❌
📖 Read
via "Threat Post".
The shopping cart application contains a PHP object-injection bug.📖 Read
via "Threat Post".
Threat Post
WordPress Sites Open to Code Injection Attacks via Welcart e-Commerce Bug
The shopping cart application contains a PHP object-injection bug.
‼ CVE-2020-28339 ‼
📖 Read
via "National Vulnerability Database".
The usc-e-shop (aka Collne Welcart e-Commerce) plugin before 1.9.36 for WordPress allows Object Injection because of usces_unserialize. There is not a complete POP chain.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-7764 ‼
📖 Read
via "National Vulnerability Database".
This affects the package find-my-way before 2.2.5, from 3.0.0 and before 3.0.5. It accepts the Accept-Version' header by default, and if versioned routes are not being used, this could lead to a denial of service. Accept-Version can be used as an unkeyed header in a cache poisoning attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28347 ‼
📖 Read
via "National Vulnerability Database".
tdpServer on TP-Link Archer A7 AC1750 devices before 201029 allows remote attackers to execute arbitrary code via the slave_mac parameter. NOTE: this issue exists because of an incomplete fix for CVE-2020-10882 in which shell quotes are mishandled.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-15297 ‼
📖 Read
via "National Vulnerability Database".
Insufficient validation in the Bitdefender Update Server and BEST Relay components of Bitdefender Endpoint Security Tools versions prior to 6.6.20.294 allows an unprivileged attacker to bypass the in-place mitigations and interact with hosts on the network. This issue affects: Bitdefender Update Server versions prior to 6.6.20.294.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-24353 ‼
📖 Read
via "National Vulnerability Database".
Pega Platform before 8.4.0 has a XSS issue via stream rule parameters used in the request header.📖 Read
via "National Vulnerability Database".
❌ Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak ❌
📖 Read
via "Threat Post".
A cloud misconfiguration affecting users of a popular reservation platform threatens travelers with identity theft, scams, credit-card fraud and vacation-stealing.📖 Read
via "Threat Post".
Threat Post
Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak
A cloud misconfiguration affecting users of a popular reservation platform threatens travelers with identity theft, scams, credit-card fraud and vacation-stealing.
❌ Microsoft Exchange Attack Exposes New xHunt Backdoors ❌
📖 Read
via "Threat Post".
An attack on the Microsoft Exchange server of an organization in Kuwait revealed two never-before-seen Powershell backdoors.📖 Read
via "Threat Post".
Threat Post
Microsoft Exchange Attack Exposes New xHunt Backdoors
An attack on the Microsoft Exchange server of an organization in Kuwait revealed two never-before-seen Powershell backdoors.
🕴 Preventing and Mitigating DDoS Attacks: It's Elementary 🕴
📖 Read
via "Dark Reading".
Following a spate of cyberattacks nationwide, school IT teams need to act now to ensure their security solution makes the grade.📖 Read
via "Dark Reading".
Dark Reading
Preventing and Mitigating DDoS Attacks: It's Elementary
Following a spate of cyberattacks nationwide, school IT teams need to act now to ensure their security solution makes the grade.
‼ CVE-2020-25655 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in ManagedClusterView API, that could allow secrets to be disclosed to users without the correct permissions. Views created for an admin user would be made available for a short time to users with only view permission. In this short time window the user with view permission could read cluster secrets that should only be disclosed to admin users.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-8133 ‼
📖 Read
via "National Vulnerability Database".
A wrong generation of the passphrase for the encrypted block in Nextcloud Server 19.0.1 allowed an attacker to overwrite blocks in a file.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-8268 ‼
📖 Read
via "National Vulnerability Database".
Prototype pollution vulnerability in json8-merge-patch npm package < 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-9300 ‼
📖 Read
via "National Vulnerability Database".
The Access Control issues include allowing a regular user to view a restricted incident, user role escalation to admin, users adding themselves as a participant in a restricted incident, and users able to view restricted incidents via the search feature. If your install has followed the secure deployment guidelines the risk of this is lowered, as this may only be exploited by an authenticated user.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-8276 ‼
📖 Read
via "National Vulnerability Database".
The implementation of Brave Desktop's privacy-preserving analytics system (P3A) between 1.1 and 1.18.35 logged the timestamp of when the user last opened an incognito window, including Tor windows. The intended behavior was to log the timestamp for incognito windows excluding Tor windows. Note that if a user has P3A enabled, the timestamp is not sent to Brave's server, but rather a value from:Used in last 24hUsed in last week but not 24hUsed in last 28 days but not weekEver used but not in last 28 daysNever usedThe privacy risk is low because a local attacker with disk access cannot tell if the timestamp corresponds to a Tor window or a non-Tor incognito window.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-9299 ‼
📖 Read
via "National Vulnerability Database".
There were XSS vulnerabilities discovered and reported in the Dispatch application, affecting name and description parameters of Incident Priority, Incident Type, Tag Type, and Incident Filter. This vulnerability can be exploited by an authenticated user.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-8150 ‼
📖 Read
via "National Vulnerability Database".
A cryptographic issue in Nextcloud Server 19.0.1 allowed an attacker to downgrade the encryption scheme and break the integrity of encrypted files.📖 Read
via "National Vulnerability Database".
🛠 Windows File Enumeration Intel Gathering Tool 2.2 🛠
📖 Read
via "Packet Storm Security".
NtFileSins.py is a Windows file enumeration intel gathering tool.📖 Read
via "Packet Storm Security".
Packetstormsecurity
Windows File Enumeration Intel Gathering Tool 2.2 ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
🛠 Etherify Radio Signal Analysis Tool 🛠
📖 Read
via "Packet Storm Security".
Etherify is an interesting tool that analyzes radio signals transmitted by transmission rates via ethernet.📖 Read
via "Packet Storm Security".
Packetstormsecurity
Etherify Radio Signal Analysis Tool ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
🕴 Insecure APIs a Growing Risk for Organizations 🕴
📖 Read
via "Dark Reading".
Security models for application programming interfaces haven't kept pace with requirements of a non-perimeter world, Forrester says.📖 Read
via "Dark Reading".
Dark Reading
Insecure APIs a Growing Risk for Organizations
Security models for application programming interfaces haven't kept pace with requirements of a non-perimeter world, Forrester says.