βΌ CVE-2020-3984 βΌ
π Read
via "National Vulnerability Database".
The SD-WAN Orchestrator 3.3.2 prior to 3.3.2 P3 and 3.4.x prior to 3.4.4 does not apply correct input validation which allows for SQL-injection. An authenticated SD-WAN Orchestrator user may exploit a vulnerable API call using specially crafted SQL queries which may lead to unauthorized data access.π Read
via "National Vulnerability Database".
βΌ CVE-2020-4001 βΌ
π Read
via "National Vulnerability Database".
The SD-WAN Orchestrator 3.3.2, 3.4.x, and 4.0.x has default passwords allowing for a Pass-the-Hash Attack. SD-WAN Orchestrator ships with default passwords for predefined accounts which may lead to to a Pass-the-Hash attack.π Read
via "National Vulnerability Database".
β Baidu Apps in Google Play Leak Sensitive Data β
π Read
via "Threat Post".
Cyberattackers could use the information to track users across devices, disable phone service, or intercept messages and phone calls.π Read
via "Threat Post".
Threat Post
Baidu Apps in Google Play Leak Sensitive Data
Cyberattackers could use the information to track users across devices, disable phone service, or intercept messages and phone calls.
β Smart Doorbells on Amazon, eBay, Harbor Serious Security Issues β
π Read
via "Threat Post".
Matt Lewis, with NCC Group, talks to Threatpost about a slew of security and privacy issues found in smart doorbells that are being sold on Amazon and eBay.π Read
via "Threat Post".
Threat Post
Smart Doorbells on Amazon, eBay, Harbor Serious Security Issues
Matt Lewis, with NCC Group, talks to Threatpost about a slew of security and privacy issues found in smart doorbells that are being sold on Amazon and eBay.
β Gift card hack exposed β you pay, they play β
π Read
via "Naked Security".
These crooks hacked into a network hoping to get everyone in the company to buy them gift cards.π Read
via "Naked Security".
Naked Security
Gift card hack exposed β you pay, they play
These crooks hacked into a network hoping to get everyone in the company to buy them gift cards.
π FBI Warns of Spoofed FBI Websites π
π Read
via "Digital Guardian".
The FBI is urging the American public to ensure they're getting "reliable and verified FBI information."π Read
via "Digital Guardian".
Digital Guardian
FBI Warns of Spoofed FBI Websites
The FBI is urging the American public to ensure they're getting "reliable and verified FBI information."
π΄ US Treasury's OFAC Ransomware Advisory: Navigating the Gray Areas π΄
π Read
via "Dark Reading".
Leveraging the right response strategy, following the regulations, and understanding the ransom entity are the fundamentals in any ransomware outbreak.π Read
via "Dark Reading".
Dark Reading
US Treasury's OFAC Ransomware Advisory: Navigating the Gray Areas
Leveraging the right response strategy, following the regulations, and understanding the ransom entity are the fundamentals in any ransomware outbreak.
π΄ What's in Store for Privacy in 2021 π΄
π Read
via "Dark Reading".
Changes are coming to the privacy landscape, including more regulations and technologies.π Read
via "Dark Reading".
Dark Reading
What's in Store for Privacy in 2021
Changes are coming to the privacy landscape, including more regulations and technologies.
βΌ CVE-2020-13620 βΌ
π Read
via "National Vulnerability Database".
Fastweb FASTGate GPON FGA2130FWB devices through 2020-05-26 allow CSRF via the router administration web panel, leading to an attacker's ability to perform administrative actions such as modifying the configuration.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28994 βΌ
π Read
via "National Vulnerability Database".
A SQL injection vulnerability was discovered in Karenderia Multiple Restaurant System, affecting versions 5.4.2 and below. The vulnerability allows for an unauthenticated attacker to perform various tasks such as modifying and leaking all contents of the database.π Read
via "National Vulnerability Database".
βΌ CVE-2020-7378 βΌ
π Read
via "National Vulnerability Database".
CRIXP OpenCRX version 4.30 and 5.0-20200717 and prior suffers from an unverified password change vulnerability. An attacker who is able to connect to the affected OpenCRX instance can change the password of any user, including admin-Standard, to any chosen value. This issue was resolved in version 5.0-20200904, released September 4, 2020.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29040 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Xen through 4.14.x allowing x86 HVM guest OS users to cause a denial of service (stack corruption), cause a data leak, or possibly gain privileges because of an off-by-one error. NOTE: this issue is caused by an incorrect fix for CVE-2020-27671.π Read
via "National Vulnerability Database".
βΌ CVE-2020-13942 βΌ
π Read
via "National Vulnerability Database".
It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.π Read
via "National Vulnerability Database".
βΌ CVE-2020-24815 βΌ
π Read
via "National Vulnerability Database".
A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: 10.4., no fix will be released as version will reach end-of-life on 31/12/2020.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28331 βΌ
π Read
via "National Vulnerability Database".
Barco wePresent WiPG-1600W devices have Improper Access Control. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W device has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28928 βΌ
π Read
via "National Vulnerability Database".
In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).π Read
via "National Vulnerability Database".
βΌ CVE-2020-10762 βΌ
π Read
via "National Vulnerability Database".
An information-disclosure flaw was found in the way that gluster-block before 0.5.1 logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28726 βΌ
π Read
via "National Vulnerability Database".
Open redirect in SeedDMS 6.0.13 via the dropfolderfileform1 parameter to out/out.AddDocument.php.π Read
via "National Vulnerability Database".
βΌ CVE-2020-10763 βΌ
π Read
via "National Vulnerability Database".
An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.π Read
via "National Vulnerability Database".
π΄ Cloud Security Startup Lightspin Emerges From Stealth π΄
π Read
via "Dark Reading".
The startup, founded by former white-hat hackers, has secured a $4 million seed round to close security gaps in cloud environments.π Read
via "Dark Reading".
Dark Reading
Cloud Security Startup Lightspin Emerges From Stealth
The startup, founded by former white-hat hackers, has secured a $4 million seed round to close security gaps in cloud environments.
β βMinecraft Modsβ Attack More Than 1 Million Android Devices β
π Read
via "Threat Post".
Fake Minecraft Modpacks on Google Play deliver millions of abusive ads and make normal phone use impossible.π Read
via "Threat Post".
Threat Post
βMinecraft Modsβ Attack More Than 1 Million Android Devices
Fake Minecraft Modpacks on Google Play deliver millions of abusive ads and make normal phone use impossible.