🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
❌ GoDaddy Employees Tricked into Compromising Cryptocurrency Sites ❌

‘Vishing’ attack on GoDaddy employees gave fraudsters access to cryptocurrency service domains NiceHash, Liquid.

📖 Read

via "Threat Post".
‼ CVE-2020-28927 ‼

There is a Stored XSS in Magicpin v2.1 in the User Registration section. Each time an admin visits the manage user section from the admin panel, the XSS triggers and the attacker is able to steal the admin's cookie via the crafted payload.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-15248 ‼

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.470, backend users with the default "Publisher" system role have access to create & manage users where they can choose which role the new user has. This means that a user with "Publisher" access has the ability to escalate their access to "Developer" access. Issue has been patched in Build 470 (v1.0.470) & v1.1.1.

📖 Read

via "National Vulnerability Database".
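The escalation in CVE-2020-15248 is a missing rule, not a missing permission check: the "Publisher" may legitimately create users, but nothing stops it from picking a role above its own. The following is an added example (not October CMS code) of the guard that closes that class of bug. Only the role names "Publisher" and "Developer" come from the advisory; the rank values, the `manage_users` permission name and every function name are assumptions made for this example.

```python
"""Added example (not October CMS code): a role-assignment guard for a
user-management action, modelling the CVE-2020-15248 escalation.

The role names come from the advisory; the rank values, the permission
name and all function names are assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import Set

# Assumed privilege ordering: a higher rank means more power.
ROLE_RANK = {"publisher": 1, "developer": 2}


class PermissionDenied(Exception):
    """Raised when an actor tries an action outside its privilege."""


@dataclass
class User:
    name: str
    role: str
    permissions: Set[str] = field(default_factory=set)


def _require_manage_users(actor: User) -> None:
    if "manage_users" not in actor.permissions:
        raise PermissionDenied(f"{actor.name} may not manage users")


def create_user_vulnerable(actor: User, new_name: str, new_role: str) -> User:
    """The flawed pattern: only 'may this actor manage users?' is checked,
    so the actor may hand out any role, including one above its own."""
    _require_manage_users(actor)
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    return User(new_name, new_role)


def create_user_hardened(actor: User, new_name: str, new_role: str) -> User:
    """Same action, plus the rule that stops the escalation: an actor may
    only grant a role whose rank is no higher than its own."""
    _require_manage_users(actor)
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    if ROLE_RANK[new_role] > ROLE_RANK[actor.role]:
        raise PermissionDenied(
            f"{actor.name} ({actor.role}) may not grant role {new_role!r}"
        )
    return User(new_name, new_role)


def change_role_hardened(actor: User, target: User, new_role: str) -> None:
    """Editing an existing account needs the same check on both the role
    being removed and the role being granted; otherwise an actor could
    demote a superior or promote itself (actor is target)."""
    _require_manage_users(actor)
    if new_role not in ROLE_RANK:
        raise ValueError(f"unknown role {new_role!r}")
    own = ROLE_RANK[actor.role]
    if ROLE_RANK[target.role] > own or ROLE_RANK[new_role] > own:
        raise PermissionDenied(
            f"{actor.name} ({actor.role}) may not change {target.name} "
            f"from {target.role!r} to {new_role!r}"
        )
    target.role = new_role


if __name__ == "__main__":
    # Constructed sample: a publisher who holds the user-management permission.
    publisher = User("alice", "publisher", {"manage_users"})
    print(create_user_vulnerable(publisher, "mallory", "developer").role)  # escalates
    try:
        create_user_hardened(publisher, "mallory", "developer")
    except PermissionDenied as exc:
        print("blocked:", exc)
```

The check must compare ranks on every path that sets a role (creation, edit, bulk import, API), and the rank table must live server-side; a role list rendered into the form is a hint for the UI, never the authority.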
‼ CVE-2020-28864 ‼

Buffer overflow in WinSCP 5.17.8 allows a malicious FTP server to cause a denial of service or possibly have other unspecified impact via a long file name.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-15247 ‼

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, an authenticated backend user with the cms.manage_pages, cms.manage_layouts, or cms.manage_partials permissions who would normally not be permitted to provide PHP code to be executed by the CMS due to cms.enableSafeMode being enabled is able to write specific Twig code to escape the Twig sandbox and execute arbitrary PHP. This is not a problem for anyone that trusts their users with those permissions to normally write & manage PHP within the CMS by not having cms.enableSafeMode enabled, but would be a problem for anyone relying on cms.enableSafeMode to ensure that users with those permissions in production do not have access to write & execute arbitrary PHP. Issue has been patched in Build 469 (v1.0.469) and v1.1.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-26239 ‼

Scratch Addons is a WebExtension that supports both Chrome and Firefox. Scratch Addons before version 1.3.2 is vulnerable to DOM-based XSS. If the victim visited a specific website, the More Links addon of the Scratch Addons extension used an incorrect regular expression that caused HTML-escaped values to be unescaped, leading to XSS. Scratch Addons version 1.3.2 fixes the bug. The extension will be automatically updated by the browser. The More Links addon can be disabled via the extension's options.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-15249 ‼

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.319 and before version 1.0.469, backend users with access to upload files were permitted to upload SVG files without any sanitization applied to the uploaded files. Since SVG files support being parsed as HTML by browsers, this means that they could theoretically upload Javascript that would be executed on a path under the website's domain (i.e. /storage/app/media/evil.svg), but they would have to convince their target to visit that location directly in the target's browser as the backend does not display SVGs inline anywhere, SVGs are only displayed as image resources in the backend and are thus unable to be executed. Issue has been patched in Build 469 (v1.0.469) & v1.1.0.

📖 Read

via "National Vulnerability Database".
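Because an SVG is an XML document the browser will happily render as HTML when navigated to directly, an upload endpoint that accepts SVGs needs both a content check before storage and safe headers when serving. The block below is an added example (not October CMS code) of that pair of controls for the CVE-2020-15249 class of flaw: it rejects script elements, event-handler attributes, non-fragment hrefs, `url()` in styles and any DTD, and it returns headers that make a direct visit download the file rather than render it. The two sample SVGs are constructed for this example, and the function names and header set are assumptions.

```python
"""Added example (not October CMS code): server-side checks for an uploaded
SVG before it is stored under the site's own origin, plus the headers to
serve it with. The sample SVGs are constructed for this example; the
function names and the header set are assumptions."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that let an SVG carry script or embed arbitrary HTML.
FORBIDDEN_ELEMENTS = {"script", "foreignObject"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes,
    so 'href' and 'xlink:href' are handled by the same rule."""
    return name.rsplit("}", 1)[-1]


def check_svg(data: bytes) -> List[str]:
    """Return the reasons to reject the upload; an empty list means acceptable."""
    problems: List[str] = []
    head = data[:4096].lower()
    # Reject DTDs outright: an image upload never needs entity expansion or
    # external entities, and checking the bytes keeps them away from the parser.
    if b"<!doctype" in head or b"<!entity" in head:
        return ["DOCTYPE/ENTITY declaration not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append(f"root element is {root.tag!r}, expected <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            problems.append(f"<{tag}> element not allowed")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                problems.append(f"event handler attribute {name!r} on <{tag}>")
            elif name == "href" and not value.strip().startswith("#"):
                # Only same-document fragment references are allowed; this
                # catches javascript:, data: and external URLs alike.
                problems.append(f"external or scripted href on <{tag}>: {value!r}")
            elif name == "style" and re.search(r"url\s*\(|expression\s*\(", value, re.I):
                problems.append(f"style with url()/expression() on <{tag}>")
    return problems


def svg_response_headers() -> Dict[str, str]:
    """Defence in depth when a stored SVG is served from the site's origin:
    a direct visit downloads instead of rendering, and if it is rendered
    anyway the CSP denies script. <img> loads are unaffected by these."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples for this example (not taken from the advisory).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <defs><linearGradient id="g"/></defs>
  <circle cx="5" cy="5" r="4" fill="url(#g)"/>
  <a href="#top"><text x="1" y="9">ok</text></a>
</svg>"""

EVIL_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><rect width="10" height="10"/></a>
</svg>"""

if __name__ == "__main__":
    print("benign:", check_svg(BENIGN_SVG))
    print("evil:", check_svg(EVIL_SVG))
```

A deny-list like this is a backstop, not a parser-proof sanitizer; where the application only needs raster thumbnails, rasterizing the SVG on upload and discarding the original removes the problem entirely, and the `Content-Disposition` header alone already defeats the "convince the target to visit the path" step the advisory describes.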
‼ CVE-2020-7927 ‼

Specially crafted API calls may allow an authenticated user who holds Organization Owner privilege to obtain an API key with Global Role privilege. This issue affects MongoDB Ops Manager v4.2 versions 4.2.0-4.2.17, v4.3 versions 4.3.0-4.3.9 and v4.4 versions 4.4.0-4.4.2.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-15246 ‼

October is a free, open-source, self-hosted CMS platform based on the Laravel PHP Framework. In October CMS from version 1.0.421 and before version 1.0.469, an attacker can read local files on an October CMS server via a specially crafted request. Issue has been patched in Build 469 (v1.0.469) and v1.1.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28896 ‼

Mutt before 2.0.2 and NeoMutt before 2020-11-20 did not ensure that $ssl_force_tls was processed if an IMAP server's initial server response was invalid. The connection was not properly closed, and the code could continue attempting to authenticate. This could result in authentication credentials being exposed on an unencrypted connection, or to a machine-in-the-middle.

📖 Read

via "National Vulnerability Database".
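The CVE-2020-28896 bug is an ordering failure in the client state machine: a malformed greeting took a code path that skipped the `$ssl_force_tls` enforcement, and authentication carried on over the plaintext socket. The block below is an added example (not Mutt or NeoMutt code) that models the IMAP greeting → STARTTLS → LOGIN sequence against a scripted fake server, with a `fixed` switch to show the vulnerable fall-through beside the corrected behaviour. The fake connection class, the command tags and all response lines are constructed for this example.

```python
"""Added example (not Mutt/NeoMutt code): a minimal model of the IMAP login
sequence showing the CVE-2020-28896 failure mode, where an invalid server
greeting let the client skip the $ssl_force_tls requirement and send LOGIN
in the clear. The fake connection, the tags and the response lines are
constructed for this example."""
from typing import List, Tuple


class FakeIMAPConn:
    """Scripted server: hands out canned response lines and records what
    the client sent together with whether TLS was active at the time."""

    def __init__(self, responses: List[str]) -> None:
        self._responses = list(responses)
        self.sent: List[Tuple[str, bool]] = []
        self.tls = False
        self.closed = False

    def readline(self) -> str:
        return self._responses.pop(0) if self._responses else ""

    def sendline(self, line: str) -> None:
        self.sent.append((line, self.tls))

    def starttls(self) -> None:
        self.tls = True

    def close(self) -> None:
        self.closed = True


def imap_login(conn: FakeIMAPConn, user: str, password: str,
               ssl_force_tls: bool, fixed: bool = True) -> str:
    """Greeting -> (STARTTLS) -> LOGIN. With fixed=False the invalid-greeting
    branch falls through instead of closing, which is the bug being modelled."""
    greeting = conn.readline()
    valid_greeting = greeting.startswith("* OK") or greeting.startswith("* PREAUTH")
    if not valid_greeting:
        if fixed:
            conn.close()
            return "closed: invalid greeting"
        # Vulnerable model: the malformed greeting bypasses the STARTTLS
        # negotiation below that enforces $ssl_force_tls, and authentication
        # proceeds on the plaintext connection.
    elif ssl_force_tls and not conn.tls:
        conn.sendline("a001 STARTTLS")
        reply = conn.readline()
        if not reply.startswith("a001 OK"):
            conn.close()
            return "closed: server refused STARTTLS"
        conn.starttls()
    if fixed and ssl_force_tls and not conn.tls:
        # Belt and braces: credentials never leave unless TLS is up, whatever
        # path led here.
        conn.close()
        return "closed: TLS required but not negotiated"
    conn.sendline(f"a002 LOGIN {user} {password}")
    return "login sent over TLS" if conn.tls else "login sent in the clear"


def credentials_exposed(conn: FakeIMAPConn) -> bool:
    """True if a LOGIN command went out while TLS was not active."""
    return any(line.startswith("a002 LOGIN") and not tls for line, tls in conn.sent)


if __name__ == "__main__":
    for fixed in (False, True):
        conn = FakeIMAPConn(["this is not an IMAP greeting"])
        outcome = imap_login(conn, "bob", "hunter2", ssl_force_tls=True, fixed=fixed)
        print(f"fixed={fixed}: {outcome}; exposed={credentials_exposed(conn)}")
```

The property worth asserting in a real client is the one `credentials_exposed` checks: with `$ssl_force_tls` set, no authentication command is ever written to a socket that is not wrapped in TLS, regardless of what the server said first. Placing that check immediately before the write, as the `fixed` branch does, means a future parsing shortcut cannot reopen the hole.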
❌ Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending ❌

VMware explained it has no patch for a critical escalation-of-privileges bug that impacts both Windows and Linux operating systems and its Workspace One.

📖 Read

via "Threat Post".
🦿 Malicious Google Play apps caught masquerading as Minecraft mods 🦿

The Android apps promised Minecraft modifications but instead delivered intrusive ads aimed at kids and teenagers, says Kaspersky.

📖 Read

via "Tech Republic".
🕴 Evidence-Based Trust Gets Black Hat Europe Spotlight 🕴

An FPGA-based system could change the balance of power between hardware attackers and defenders within IT security.

📖 Read

via "Dark Reading".
🕴 Ransomware Grows Easier to Spread, Harder to Block 🕴

Researchers illustrate the evolution toward more complete and effective ransomware attacks designed to cripple target organizations.

📖 Read

via "Dark Reading".
🕴 As 'Anywhere Work' Evolves, Security Will Be Key Challenge 🕴

Companies should plan their future workforce model now, so they have time to implement the necessary tools, including cybersecurity and seamless remote access, a Forrester report says.

📖 Read

via "Dark Reading".
🕴 Security Researchers Sound Alarm on Smart Doorbells 🕴

A new analysis of 11 relatively inexpensive video doorbells uncovered high-risk vulnerabilities in all of them.

📖 Read

via "Dark Reading".
‼ CVE-2018-16722 ‼

In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360094, a related issue to CVE-2018-16305.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-15436 ‼

Use-after-free vulnerability in fs/block_dev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging improper access to a certain error field.

📖 Read

via "National Vulnerability Database".
‼ CVE-2018-16721 ‼

In Jingyun Antivirus v2.4.2.39, the driver file (ZySandbox.sys) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x12360090, a related issue to CVE-2018-16306.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-15437 ‼

The Linux kernel before version 5.8 is vulnerable to a NULL pointer dereference in drivers/tty/serial/8250/8250_core.c:serial8250_isa_init_ports() that allows local users to cause a denial of service via the p->serial_in pointer, which is uninitialized.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-26227 ‼

TYPO3 is an open source PHP based web content management system. In TYPO3 before versions 9.5.23 and 10.4.10 the system extension Fluid (typo3/cms-fluid) of the TYPO3 core is vulnerable to cross-site scripting when user-controlled data is passed as an argument to Fluid view helpers. Update to TYPO3 version 9.5.23 or 10.4.10, which fix the problem described.

📖 Read

via "National Vulnerability Database".