🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
Multiple Industrial Control System Vendors Warn of Critical Bugs

Four industrial control system vendors each announced vulnerabilities that ranged from critical to high-severity.

via "Threat Post".
🕴 EFF, Security Experts Condemn Politicization of Election Security 🕴

Open letter, signed by high-profile security professionals and organizations, urges White House to "reverse course and support election security."

via "Dark Reading".
CVE-2020-26551

An issue was discovered in Aviatrix Controller before R5.3.1151. Encrypted key values are stored in a readable file.

via "National Vulnerability Database".
CVE-2020-28129

Stored Cross-site scripting (XSS) vulnerability in SourceCodester Gym Management System 1.0 allows users to inject and store arbitrary JavaScript code in index.php?page=packages via vulnerable fields 'Package Name' and 'Description'.

via "National Vulnerability Database".
CVE-2020-26549

An issue was discovered in Aviatrix Controller before R5.4.1290. The htaccess protection mechanism to prevent requests to directories can be bypassed for file downloading.

via "National Vulnerability Database".
CVE-2020-26553

An issue was discovered in Aviatrix Controller before R6.0.2483. Several APIs contain functions that allow arbitrary files to be uploaded to the web tree.

via "National Vulnerability Database".
CVE-2020-26550

An issue was discovered in Aviatrix Controller before R5.3.1151. An encrypted file containing credentials to unrelated systems is protected by a three-character key.

via "National Vulnerability Database".
CVE-2020-25890

The web application of the Kyocera printer (ECOSYS M2640IDW) is affected by a stored XSS vulnerability, discovered when adding a new contact in the "Machine Address Book". Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.

via "National Vulnerability Database".
CVE-2020-28092

PESCMS Team 2.3.2 has multiple reflected XSS via the id parameter: ?g=Team&m=Task&a=my&status=3&id=, ?g=Team&m=Task&a=my&status=0&id=, ?g=Team&m=Task&a=my&status=1&id=, ?g=Team&m=Task&a=my&status=10&id=

via "National Vulnerability Database".
CVE-2020-26552

An issue was discovered in Aviatrix Controller before R6.0.2483. Multiple executable files, that implement API endpoints, do not require a valid session ID for access.

via "National Vulnerability Database".
CVE-2020-28914

An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the file/directory is mounted as readOnly inside the container, but is still writable inside the guest. For a container breakout situation, a malicious guest can potentially modify or delete files/directories expected to be read-only.

via "National Vulnerability Database".
CVE-2020-26548

An issue was discovered in Aviatrix Controller before R5.4.1290. There is an insecure sudo rule: a user exists that can execute all commands as any user on the system.

via "National Vulnerability Database".
CVE-2020-26216

TYPO3 Fluid before versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 and 2.6.10 is vulnerable to Cross-Site Scripting. Three XSS vulnerabilities have been detected in Fluid:

1. TagBasedViewHelper allowed XSS through maliciously crafted additionalAttributes arrays by creating keys with attribute-closing quotes followed by HTML. When rendering such attributes, TagBuilder would not escape the keys.
2. ViewHelpers which used the CompileWithContentArgumentAndRenderStatic trait, and which declared escapeOutput = false, would receive the content argument in unescaped format.
3. Subclasses of AbstractConditionViewHelper would receive the then and else arguments in unescaped format.

Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of the typo3fluid/fluid package, which fix the problem described. More details are available in the linked advisory.

via "National Vulnerability Database".
CVE-2020-28130

An Arbitrary File Upload in the Upload Image component in SourceCodester Online Library Management System 1.0 allows the user to conduct remote code execution via admin/borrower/index.php?view=add because .php files can be uploaded to admin/borrower/photos (under the web root).

via "National Vulnerability Database".
🕴 Nearly Two Dozen AWS APIs Are Vulnerable to Abuse 🕴

Attackers can conduct identity reconnaissance against an organization at leisure without being detected, Palo Alto Networks says.

via "Dark Reading".
CVE-2020-28183

SQL injection vulnerability in SourceCodester Water Billing System 1.0 via the username and password parameters to process.php.

via "National Vulnerability Database".
CVE-2020-28917

An issue was discovered in the view_statistics (aka View frontend statistics) extension before 2.0.1 for TYPO3. It saves all GET and POST data of TYPO3 frontend requests to the database. Depending on the extensions used on a TYPO3 website, sensitive data (e.g., cleartext passwords if ext:felogin is installed) may be saved.

via "National Vulnerability Database".
CVE-2020-28915

A buffer over-read (at the framebuffer layer) in the fbcon code in the Linux kernel before 5.8.15 could be used by local attackers to read kernel memory, aka CID-6735b4632def.

via "National Vulnerability Database".
Firing of CISA Chief Christopher Krebs Widely Condemned

President Trump fired the US cybersecurity chief over Twitter on Tuesday, an act widely condemned within the cybersecurity community.

via "Threat Post".
🦿 Microsoft's new security chip takes PC protection to a higher level 🦿

Intel, AMD and Qualcomm will use the Microsoft-designed Pluton security processor from Xbox One and Azure Sphere in future SoCs to deliver better protection than a TPM.

via "Tech Republic".
🦿 Zoom: These new features will prevent trolls and meeting-crashers 🦿

Zoom hosts can now pause a meeting while they remove a disruptive participant, and a new web-scanning tool will seek out compromised meeting links.

via "Tech Republic".