‼ CVE-2020-28638 ‼
📖 Read
via "National Vulnerability Database".
ask_password in Tomb 2.0 through 2.7 returns a warning when pinentry-curses is used and $DISPLAY is non-empty, causing affected users' files to be encrypted with "tomb {W] Detected DISPLAY, but only pinentry-curses is found." as the encryption key.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-15481 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in PassMark BurnInTest v9.1 Build 1008, OSForensics v7.1 Build 1012, and PerformanceTest v10.0 Build 1008. The kernel driver exposes IOCTL functionality that allows low-privilege users to map arbitrary physical memory into the address space of the calling process. This could lead to arbitrary Ring-0 code execution and escalation of privileges. This affects DirectIo32.sys and DirectIo64.sys drivers. This issue is fixed in BurnInTest v9.2, PerformanceTest v10.0 Build 1009, OSForensics v8.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-7772 ‼
📖 Read
via "National Vulnerability Database".
This affects the package doc-path before 2.1.2.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-19562 ‼
📖 Read
via "National Vulnerability Database".
An authentication bypass in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with physical access to device hardware to obtain system information.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-19561 ‼
📖 Read
via "National Vulnerability Database".
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-19557 ‼
📖 Read
via "National Vulnerability Database".
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-19556 ‼
📖 Read
via "National Vulnerability Database".
An authentication bypass in the debug interface in Mercedes-Benz HERMES 1 allows an attacker with physical access to device hardware to obtain system information.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-19563 ‼
📖 Read
via "National Vulnerability Database".
A misconfiguration in the debug interface in Mercedes-Benz HERMES 2.1 allows an attacker with direct physical access to device hardware to obtain cellular modem information.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28268 ‼
📖 Read
via "National Vulnerability Database".
Prototype pollution vulnerability in 'controlled-merge' versions 1.0.0 through 1.2.0 allows attacker to cause a denial of service and may lead to remote code execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-19560 ‼
📖 Read
via "National Vulnerability Database".
A misconfiguration in the debug interface in Mercedes-Benz HERMES 1.5 allows an attacker with direct physical access to device hardware to obtain cellular modem information.📖 Read
via "National Vulnerability Database".
❌ Cybercrime Moves to the Cloud to Accelerate Attacks Amid Data Glut ❌
📖 Read
via "Threat Post".
A report on the underground economy finds that malicious actors are offering cloud-based troves of stolen data, accessible with handy tools to slice and dice what's on offer.📖 Read
via "Threat Post".
Threat Post
Cybercrime Moves to the Cloud to Accelerate Attacks Amid Data Glut
A report on the underground economy finds that malicious actors are offering cloud-based troves of stolen data, accessible with handy tools to slice and dice what's on offer.
‼ CVE-2020-8897 ‼
📖 Read
via "National Vulnerability Database".
A weak robustness vulnerability exists in the AWS Encryption SDKs for Java, Python, C and Javalcript prior to versions 2.0.0. Due to the non-committing property of AES-GCM (and other AEAD ciphers such as AES-GCM-SIV or (X)ChaCha20Poly1305) used by the SDKs to encrypt messages, an attacker can craft a unique cyphertext which will decrypt to multiple different results, and becomes especially relevant in a multi-recipient setting. We recommend users update their SDK to 2.0.0 or later.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-7765 ‼
📖 Read
via "National Vulnerability Database".
This affects the package @firebase/util before 0.3.4. This vulnerability relates to the deepExtend function within the DeepCopy.ts file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-7773 ‼
📖 Read
via "National Vulnerability Database".
This affects the package markdown-it-highlightjs before 3.3.1. It is possible insert malicious JavaScript as a value of lang in the markdown-it-highlightjs Inline code highlighting feature. const markdownItHighlightjs = require("markdown-it-highlightjs"); const md = require('markdown-it'); const reuslt_xss = md() .use(markdownItHighlightjs, { inline: true }) .render('console.log(42){.">js}'); console.log(reuslt_xss);📖 Read
via "National Vulnerability Database".
🕴 A Call for Change in Physical Security 🕴
📖 Read
via "Dark Reading".
We're at an inflection point. The threats we face are dynamic, emerging, and global. Are you ready?📖 Read
via "Dark Reading".
Dark Reading
A Call for Change in Physical Security
We're at an inflection point. The threats we face are dynamic, emerging, and global. Are you ready?
⚠ How to do cybersecurity – join us online for the Sophos Evolve event! ⚠
📖 Read
via "Naked Security".
Join us this week or next week for a free online event to learn how cybersecurity is evolving, and why.📖 Read
via "Naked Security".
Naked Security
How to do cybersecurity – join us online for the Sophos Evolve event
Join us this week or next week for a free online event to learn how cybersecurity is evolving, and why.
❌ Exposed Database Reveals 100K+ Compromised Facebook Accounts ❌
📖 Read
via "Threat Post".
Cybercriminals left an ElasticSearch database exposed, revealing a global attack that compromised Facebook accounts and used them to scam others.📖 Read
via "Threat Post".
Threat Post
Exposed Database Reveals 100K+ Compromised Facebook Accounts
Cybercriminals left an ElasticSearch database exposed, revealing a global attack that compromised Facebook accounts and used them to scam others.
🛠 nfstream 6.2.3 🛠
📖 Read
via "Packet Storm Security".
nfstream is a Python package providing fast, flexible, and expressive data structures designed to make working with online or offline network data both easy and intuitive. It aims to be the fundamental high-level building block for doing practical, real world network data analysis in Python. Additionally, it has the broader goal of becoming a common network data processing framework for researchers providing data reproducibility across experiments.📖 Read
via "Packet Storm Security".
Packetstormsecurity
nfstream 6.2.3 ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
🛠 Machosec 1.0 🛠
📖 Read
via "Packet Storm Security".
Machosec is a script that checks the security of Mach-O 64-bit executables and application bundles for dyld injection vulnerabilities, LC_RPATH vulnerabilities leading to dyld injection, symlinks pointing to attacker controlled locations, writable by others vulnerabilities, missing stack canaries, disabled PIE (ASLR), and disabled FORTIFY_SOURCE (keeping insecure functions such as strcpy, memcpy etc.).📖 Read
via "Packet Storm Security".
Packetstormsecurity
Machosec 1.0 ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
‼ CVE-2020-27422 ‼
📖 Read
via "National Vulnerability Database".
In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the same link to takeover the account.📖 Read
via "National Vulnerability Database".