CVE-2020-15349
via "National Vulnerability Database".
BinaryNights ForkLift 3.x before 3.4 has a local privilege escalation vulnerability because the privileged helper tool implements an XPC interface that allows any process to perform file operations (copy, move, delete) and change permissions as root.

CVE-2020-25832
via "National Vulnerability Database".
Reflected cross-site scripting vulnerability in the Micro Focus Filr product, affecting version 4.2.1. The vulnerability could be exploited to perform a reflected XSS attack.

CVE-2020-11851
via "National Vulnerability Database".
Arbitrary code execution vulnerability in the Micro Focus ArcSight Logger product, affecting all versions prior to 7.1.1. The vulnerability could be remotely exploited, resulting in the execution of arbitrary code.

CVE-2020-27131
via "National Vulnerability Database".
Multiple vulnerabilities in the Java deserialization function that is used by Cisco Security Manager could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device. These vulnerabilities are due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit these vulnerabilities by sending a malicious serialized Java object to a specific listener on an affected system. A successful exploit could allow the attacker to execute arbitrary commands on the device with the privileges of NT AUTHORITY\SYSTEM on the Windows target host. Cisco has not released software updates that address these vulnerabilities.

CVE-2020-27130
via "National Vulnerability Database".
A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to gain access to sensitive information. The vulnerability is due to improper validation of directory traversal character sequences within requests to an affected device. An attacker could exploit this vulnerability by sending a crafted request to the affected device. A successful exploit could allow the attacker to download arbitrary files from the affected device.
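The class of bug in CVE-2020-27130 is a file name taken from the request and joined onto a directory without checking where the result lands. The check below is an added example (not Cisco's code and not a description of its fix) of how a download handler can resolve a client-supplied name safely; `WEB_ROOT` and the sample requests are constructed for illustration.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/srv/csm/static"  # hypothetical document root, constructed for the example


def resolve_download(requested: str, root: str = WEB_ROOT) -> Optional[str]:
    """Map a client-supplied file name to a path under `root`, or return None if
    the request would escape it. Percent-decoding is applied twice so that
    double-encoded sequences such as %252e%252e are caught, backslashes count as
    separators (the affected product runs on Windows), and the containment check
    is made on the normalized absolute path rather than on the raw string."""
    name = unquote(unquote(requested))
    if "\x00" in name:
        return None
    # Never let the client name an absolute path; join always happens under root.
    name = name.replace("\\", "/").lstrip("/")
    root_norm = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_norm, name))
    # Compare with a trailing separator: "../static-evil" normalizes to
    # /srv/csm/static-evil, which startswith(root) alone would accept.
    if target == root_norm or not target.startswith(root_norm + "/"):
        return None
    return target


if __name__ == "__main__":
    for req in ("css/main.css", "../../../etc/passwd", "..%2F..%2Fetc%2Fpasswd",
                "%252e%252e%252fetc%252fpasswd", "..\\..\\windows\\win.ini"):
        print(f"{req!r:45} -> {resolve_download(req)}")
```

On a live server the same check should be made on `os.path.realpath` of the candidate so that symlinks inside the root cannot point back out; `posixpath.normpath` is used here only so the example runs without touching the filesystem.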

CVE-2020-13353
via "National Vulnerability Database".
When importing repos via URL, one-time-use Git credentials were persisted beyond the expected time window in Gitaly 1.79.0 or above. Affected versions are: >=1.79.0, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.

CVE-2020-25834
via "National Vulnerability Database".
Cross-site scripting vulnerability in the Micro Focus ArcSight Logger product, affecting version 7.1. The vulnerability could be remotely exploited, resulting in cross-site scripting (XSS).

CVE-2020-27125
via "National Vulnerability Database".
A vulnerability in Cisco Security Manager could allow an unauthenticated, remote attacker to access sensitive information on an affected system. The vulnerability is due to insufficient protection of static credentials in the affected software. An attacker could exploit this vulnerability by viewing source code. A successful exploit could allow the attacker to view static credentials, which the attacker could use to carry out further attacks.

CVE-2020-13352
via "National Vulnerability Database".
Private group info is leaked in GitLab CE/EE version 10.2 and above when a project is moved from a private to a public group. Affected versions are: >=10.2, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.

CVE-2020-27192
via "National Vulnerability Database".
BinaryNights ForkLift 3.4 was compiled with the com.apple.security.cs.disable-library-validation flag enabled, which allowed a local attacker to inject code into ForkLift. This would allow the attacker to run malicious code with escalated privileges through ForkLift's helper tool.

CVE-2020-25705
via "National Vulnerability Database".
A flaw was found in the way the Linux kernel rate-limits ICMP reply packets that allows open UDP ports to be scanned quickly. This flaw allows an off-path remote user to effectively bypass UDP source port randomization. The highest threat from this vulnerability is to confidentiality and possibly integrity, because software that relies on UDP source port randomization is indirectly affected as well. Kernel versions before 5.10 may be vulnerable to this issue.
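The mechanism behind CVE-2020-25705 is a side channel in a shared counter: the kernel's global ICMP rate limiter lets a host send only a bounded burst of ICMP errors, so an off-path attacker who spends that budget with spoofed probes and then sends one probe of its own learns, from whether an error comes back, whether any of its guesses hit a silent (open) port. The simulation below is an added example written for this page, a simplified model rather than kernel code. It assumes a burst of 50 credits with no refill during the burst, ignores the separate per-destination ICMP limit, and models the 5.10 fix as charging a random 1 to 3 credits per message; the port numbers are constructed.

```python
import random


class IcmpGlobalLimiter:
    """Simplified model of the Linux global ICMP rate limiter: a bucket of `burst`
    credits (net.ipv4.icmp_msgs_burst, default 50) refilled at
    net.ipv4.icmp_msgs_per_sec. The model assumes the whole probe burst fits
    inside one refill interval, so no refill happens mid-burst. Not kernel code."""

    def __init__(self, burst=50, randomized=False, seed=0):
        self.credit = burst
        self.randomized = randomized
        self.rng = random.Random(seed)

    def allow(self):
        """Charge the bucket for one outgoing ICMP error; False means it is dropped."""
        if self.credit <= 0:
            return False
        if self.randomized:
            # Post-fix behaviour (5.10): each message charges a random 1..3 credits,
            # so whether the bucket is empty no longer reveals exactly how many
            # errors the victim generated.
            self.credit = max(self.credit - (1 + self.rng.randrange(3)), 0)
        else:
            self.credit -= 1
        return True


class Victim:
    """UDP host: open ports swallow datagrams silently, closed ports answer with
    ICMP port-unreachable, subject to the shared global limiter."""

    def __init__(self, open_ports, limiter):
        self.open_ports = set(open_ports)
        self.limiter = limiter

    def udp_probe(self, port):
        """True if the host emits an ICMP unreachable in response to this datagram."""
        if port in self.open_ports:
            return False
        return self.limiter.allow()


KNOWN_CLOSED_PORT = 1  # constructed: a port the attacker knows to be closed


def attacker_infers_open_port(victim, guessed_ports, burst=50):
    """Off-path attacker. Sends `burst` probes whose source address is spoofed, so
    any ICMP replies go to the spoofed host and the only effect on the attacker's
    side is that the victim's global credit is consumed. Then sends one probe from
    its own address to a known-closed port. An ICMP reply to that last probe means
    credit was left over, i.e. at least one guessed port was open and generated
    no error."""
    if len(guessed_ports) != burst:
        raise ValueError("the probe burst must exactly match the limiter burst")
    for port in guessed_ports:
        victim.udp_probe(port)  # reply, if any, goes to the spoofed source
    return victim.udp_probe(KNOWN_CLOSED_PORT)


if __name__ == "__main__":
    for fixed in (False, True):
        v = Victim({33000}, IcmpGlobalLimiter(randomized=fixed))
        hit = attacker_infers_open_port(v, list(range(33000, 33050)))
        print(f"randomized={fixed}: attacker concludes a guess was open -> {hit}")
```

Run stand-alone, the unpatched limiter answers True for the window containing port 33000 and would answer False for any window of 50 closed ports, which is the oracle the description refers to; with the randomized charge the same procedure stops distinguishing the two cases, because the bucket empties after an unpredictable number of errors.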

CVE-2020-13358
via "National Vulnerability Database".
A vulnerability in the internal Kubernetes agent API in GitLab CE/EE version 13.3 and above allows unauthorized access to private projects. Affected versions are: >=13.3, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.

CVE-2020-13354
via "National Vulnerability Database".
A potential DoS vulnerability was discovered in GitLab CE/EE starting with version 12.6. The container registry name check could cause an exponential number of backtracks for certain user-supplied values, resulting in high CPU usage. Affected versions are: >=12.6, <13.3.9.
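CVE-2020-13354 is a regular-expression denial of service: a name check with nested quantifiers backtracks exponentially on a crafted value. The example below is added for this page and does not use GitLab's actual pattern; it shows a constructed vulnerable pattern beside a rewrite that admits exactly one parse per input, and times both on an input built to defeat the first.

```python
import re
import time

# Constructed patterns for the example; neither is GitLab's registry-name regex.
# VULNERABLE_NAME repeats a group whose separator is optional, so it is equivalent
# to ([a-z0-9]+)+: a run of n letters can be split 2^(n-1) ways, and a rejected
# final character makes the engine try every split before failing.
VULNERABLE_NAME = re.compile(r"^([a-z0-9]+[._-]?)+$")
# SAFE_NAME consumes each separator together with the run that must follow it, so
# every input has one parse and matching is linear in the input length. It also
# rejects a trailing separator, which is the intended grammar anyway.
SAFE_NAME = re.compile(r"^[a-z0-9]+(?:[._-][a-z0-9]+)*$")
MAX_NAME_LEN = 255  # defence in depth: bound the input before any regex runs


def check_name(pattern, name):
    """Return (matched, seconds_spent) for `pattern` against `name`."""
    if len(name) > MAX_NAME_LEN:
        return False, 0.0
    start = time.perf_counter()
    matched = pattern.match(name) is not None
    return matched, time.perf_counter() - start


def timing_probe(n=20):
    """Constructed attacker input: n valid characters followed by one the grammar
    rejects. Returns (vulnerable_seconds, safe_seconds); the first grows
    exponentially with n, the second stays in the microsecond range."""
    evil = "a" * n + "!"
    _, t_vuln = check_name(VULNERABLE_NAME, evil)
    _, t_safe = check_name(SAFE_NAME, evil)
    return t_vuln, t_safe


if __name__ == "__main__":
    for n in (12, 16, 20):
        t_vuln, t_safe = timing_probe(n)
        print(f"n={n}: vulnerable {t_vuln:.4f}s  safe {t_safe:.6f}s")
```

Adding four characters to the input multiplies the vulnerable pattern's running time by roughly sixteen, which is what "exponential number of backtracks" means in practice; the length cap limits the damage even if a pattern with this shape slips through review.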

CVE-2020-10776
via "National Vulnerability Database".
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a cross-site scripting attack.
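CVE-2020-10776 is a redirect_uri allowlist that accepted non-web schemes. The validator below is an added example written for this page, not Keycloak's code; the client id and registered URIs are constructed, and the rule it enforces is the one an authorization server needs: an allowlisted web scheme plus an exact match against a URI registered for that client.

```python
from urllib.parse import urlsplit

# Constructed client registration for the example (hypothetical client id and URIs,
# not Keycloak's data model). Exact URIs only: no wildcards.
REGISTERED_REDIRECTS = {
    "my-spa": ["https://app.example.com/callback", "http://localhost:3000/cb"],
}
ALLOWED_SCHEMES = {"https", "http"}


def is_allowed_redirect(client_id, redirect_uri):
    """True only if redirect_uri has a web scheme and matches, component by
    component, a URI registered for the client. javascript:, data:, vbscript:,
    file:, scheme-relative URIs, unknown hosts and fragments are all refused:
    the server later renders or follows this URI, and a script scheme there
    turns the post-login redirect into script execution."""
    try:
        cand = urlsplit(redirect_uri.strip())
    except ValueError:
        return False
    scheme = cand.scheme.lower()
    if scheme not in ALLOWED_SCHEMES or not cand.netloc or cand.fragment:
        return False
    for registered in REGISTERED_REDIRECTS.get(client_id, ()):
        reg = urlsplit(registered)
        if (scheme, cand.netloc.lower(), cand.path, cand.query) == (
            reg.scheme.lower(), reg.netloc.lower(), reg.path, reg.query
        ):
            return True
    return False


if __name__ == "__main__":
    for uri in ("https://app.example.com/callback", "javascript:alert(document.cookie)",
                "data:text/html,<script>alert(1)</script>", "https://evil.example.com/callback"):
        print(f"{uri!r:45} -> {is_allowed_redirect('my-spa', uri)}")
```

The scheme test is done on the parsed URI, not by string prefix, so case variants and leading whitespace do not get a different answer; the path and query are compared exactly, so `callback/../admin` is a different URI rather than a normalized match.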

CVE-2020-11860
via "National Vulnerability Database".
Cross-site scripting vulnerability in the Micro Focus ArcSight Logger product, affecting all versions prior to 7.1.1. The vulnerability could be remotely exploited, resulting in cross-site scripting (XSS).

CVE-2020-14389
via "National Vulnerability Database".
It was found that Keycloak before version 12.0.0 would permit a user with only the view-profile role to manage the resources in the new account console, allowing access to and modification of data the user was not intended to have.

CVE-2020-26406
via "National Vulnerability Database".
Certain SAST CiConfiguration information could be viewed by unauthorized users in GitLab EE starting with 13.3. This information was exposed through GraphQL to non-members of public projects with repository visibility restricted, as well as to guest members on private projects. Affected versions are: >=13.3, <13.3.9; >=13.4, <13.4.5; >=13.5, <13.5.2.

CVE-2020-25833
via "National Vulnerability Database".
Persistent cross-site scripting vulnerability in the Micro Focus IDOL product, affecting all versions prior to 12.7. The vulnerability could be exploited to perform a persistent XSS attack.

Some Apple Apps on macOS Big Sur Bypass Content Filters, VPNs
via "Threat Post".
Attackers can exploit the feature and send people’s data directly to remote servers, posing a privacy and security risk, researchers said.

Ransomware Operator Promotes Distributed Storage for Stolen Data
via "Dark Reading".
The criminals behind the DarkSide ransomware-as-a-service operation say the system will be harder to take down.

CVE-2020-28687
via "National Vulnerability Database".
The edit profile functionality in ARTWORKS GALLERY IN PHP, CSS, JAVASCRIPT, AND MYSQL 1.0 allows remote attackers to upload arbitrary files.
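CVE-2020-28687 has the usual shape of an arbitrary-file-upload bug: the server trusts the client's file name and type and writes the bytes where the web server will serve (and, for .php, execute) them. The handler below is an added example, not the gallery's code, of the checks that close that gap; the type table, size cap and sample uploads are constructed for the example.

```python
import os
import secrets
from typing import Optional

# Constructed policy for the example (hypothetical application, not the gallery's code):
# accepted extensions mapped to the signature the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024


def validate_upload(filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen storage name if the upload is acceptable, else None.
    The decision is made on the bytes; the caller's file name is used only to look
    up which signature to expect and is never reused as the stored name, so
    'shell.php', 'shell.php.png' and 'shell.phtml' cannot become executable files."""
    if not data or len(data) > MAX_BYTES:
        return None
    ext = os.path.splitext(filename.lower())[1].lstrip(".")
    magic = ALLOWED_TYPES.get(ext)
    if magic is None or not data.startswith(magic):
        return None
    stored_ext = "jpg" if ext == "jpeg" else ext
    # Random name chosen by the server: no path separators, no caller input.
    return f"{secrets.token_hex(16)}.{stored_ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64          # constructed PNG-like payload
    php = b"<?php system($_GET['c']); ?>"             # constructed web shell payload
    for name, blob in (("avatar.png", png), ("shell.php", php), ("shell.php.png", php)):
        print(f"{name:15} -> {validate_upload(name, blob)}")
```

The returned name is meant to be written into a directory outside the document root, served back through a controller that sets the Content-Type from the stored extension; with that layout a polyglot file that is both a valid image and PHP source is still never handed to the interpreter.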