CVE-2020-12510
via "National Vulnerability Database".
The default installation path of the TwinCAT XAR 3.1 software in all versions is underneath C:\TwinCAT. If the directory does not exist, it and further subdirectories are created with permissions which allow every local user to modify the content. The default installation registers TcSysUI.exe for automatic execution upon login of a user. If a less privileged user has a local account, he or she can replace TcSysUI.exe. It will be executed automatically by another user during login. This is also true for users with administrative access. Consequently, a less privileged user can trick a higher privileged user into executing code he or she modified this way. By default, Beckhoff's IPCs are shipped with TwinCAT software installed this way and with just a single local user configured. Thus the vulnerability exists if further less privileged users have been added.
CVE-2020-25701
via "National Vulnerability Database".
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in Moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
CVE-2020-6879
via "National Vulnerability Database".
Some ZTE devices have input verification vulnerabilities. The devices support configuring a static prefix through the web management page. The restriction of the front-end code can be bypassed by constructing a POST request message and sending the request to the creation of a static routing rule configuration interface. The WEB service backend fails to effectively verify the abnormal input. As a result, the attacker can successfully use the vulnerability to tamper parameter values. This affects: ZXHN Z500 V1.0.0.2B1.1000 and ZXHN F670L V1.1.10P1N2E. This is fixed in ZXHN Z500 V1.0.1.1B1.1000 and ZXHN F670L V1.1.10P2N2.
CVE-2020-22394
via "National Vulnerability Database".
In YzmCMS v5.5 the member contribution function in the editor contains a cross-site scripting (XSS) vulnerability.
CVE-2020-12496
via "National Vulnerability Database".
Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) and Memograph M (Neutral/Private Label) (RSG45, ORSG45) with Firmware version V2.0.0 and above are prone to exposure of sensitive information to an unauthorized actor. The firmware release has a dynamic token for each request submitted to the server, which makes repeating requests and analysis complex enough. Nevertheless, it is possible, and during the analysis it was discovered that it also has an issue with the access-control matrix on the server side. It was found that a user with low rights can get information from endpoints that should not be available to this user.
CVE-2020-12495
via "National Vulnerability Database".
Endress+Hauser Ecograph T (Neutral/Private Label) (RSG35, ORSG35) with Firmware version prior to V2.0.0 is prone to improper privilege management. The affected device has a web-based user interface with a role-based access system. Users with different roles have different write and read privileges. The access system is based on dynamic "tokens". The vulnerability is that user sessions are not closed correctly and a user with fewer rights is assigned the higher rights when he logs on.
Tis' the Season for Online Holiday Shopping; and Phishing
via "Threat Post".
Watch out for these top phishing approaches this holiday season.
How to use the built-in GPG feature for Thunderbird
via "Tech Republic".
As of release 78, Thunderbird no longer requires a third-party extension to work with encryption. Learn how this new feature works.
Thunderbird: How to use the built-in GPG feature
via "Tech Republic".
As of release 78, Thunderbird no longer requires a third-party extension to work with encryption. Learn how this new feature works.
How to use Mozilla's VPN service across mobile and desktop platforms
via "Tech Republic".
Mozilla now offers a VPN service that protects Windows and mobile devices, and soon your Linux and macOS desktops. Jack Wallen shows you how to use the new offering.
GO SMS Pro Android App Exposes Private Photos, Videos and Messages
via "Threat Post".
The vulnerable version of the app, which has 100 million users, uses easily predictable URLs to link to private content.
FIN7 Hacker Pleads Guilty
via "Digital Guardian".
Another hacker associated with FIN7, a group responsible for hacking more than 100 US companies and stealing 15 million credit card details, pleaded guilty this week.
Go SMS Pro Messaging App Exposed Users' Private Media Files
via "Dark Reading".
The popular Android app uses easily guessable Web addresses when users send private photos, videos, and voice messages.
Brave Rewards: How to disable the feature
via "Tech Republic".
Brave is a browser that should be on your radar. However, it does include the Brave Rewards feature that some users might want to disable. Learn how to turn off this option.
CVE-2020-28949
via "National Vulnerability Database".
Archive_Tar through 1.4.10 has :// filename sanitization only to address phar attacks, and thus any other stream-wrapper attack (such as file:// to overwrite files) can still succeed.
CVE-2020-28948
via "National Vulnerability Database".
Archive_Tar through 1.4.10 allows an unserialization attack because phar: is blocked but PHAR: is not blocked.
CVE-2020-28941
via "National Vulnerability Database".
An issue was discovered in drivers/accessibility/speakup/spk_ttyio.c in the Linux kernel through 5.9.9. Local attackers on systems with the speakup driver could cause a local denial of service attack, aka CID-d41227544427. This occurs because of an invalid free when the line discipline is used more than once.
CVE-2020-28924
via "National Vulnerability Database".
An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the password generator has been producing weak passwords with much less entropy than advertised. The suggested passwords depend deterministically on the second in which rclone was started. This limits the entropy of the passwords enormously. These passwords are often used in the crypt backend for encryption of data. It would be possible to make a dictionary of all possible passwords with about 38 million entries per password length. This would make decryption of secret material possible with a plausible amount of effort. NOTE: all passwords generated by affected versions should be changed.
CVE-2020-28951
via "National Vulnerability Database".
libuci in OpenWrt before 18.06.9 and 19.x before 19.07.5 may encounter a use after free when using malicious package names. This is related to uci_parse_package in file.c and uci_strdup in util.c.
German COVID-19 Contact-Tracing Vulnerability Allowed RCE
via "Threat Post".
Bug hunters at GitHub Security Lab help shore up German contact tracing app security, crediting open-source collaboration.
Robot Vacuums Suck Up Sensitive Audio in "LidarPhone" Hack
via "Threat Post".
Researchers have unveiled an attack that allows attackers to eavesdrop on homeowners inside their homes, through the LiDAR sensors on their robot vacuums.