🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2020-29040 ‼

An issue was discovered in Xen through 4.14.x allowing x86 HVM guest OS users to cause a denial of service (stack corruption), cause a data leak, or possibly gain privileges because of an off-by-one error. NOTE: this issue is caused by an incorrect fix for CVE-2020-27671.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-13942 ‼

It is possible to inject malicious OGNL or MVEL scripts into the /context.json public endpoint. This was partially fixed in 1.5.1 but a new attack vector was found. In Apache Unomi version 1.5.2 scripts are now completely filtered from the input. It is highly recommended to upgrade to the latest available version of the 1.5.x release to fix this problem.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-24815 ‼

A Server-Side Request Forgery (SSRF) affecting the PDF generation in MicroStrategy 10.4, 2019 before Update 6, and 2020 before Update 2 allows authenticated users to access the content of internal network resources or leak files from the local system via HTML containers embedded in a dossier/dashboard document. NOTE: for 10.4, no fix will be released, as that version will reach end-of-life on 31/12/2020.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28331 ‼

Barco wePresent WiPG-1600W devices have Improper Access Control. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W device has an SSH daemon included in the firmware image. By default, the SSH daemon is disabled and does not start at system boot. The system initialization scripts read a device configuration file variable to see if the SSH daemon should be started. The web interface does not provide a visible capability to alter this configuration file variable. However, a malicious actor can include this variable in a POST such that the SSH daemon will be started when the device boots.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28928 ‼

In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-10762 ‼

An information-disclosure flaw was found in the way that gluster-block before 0.5.1 logs the output from gluster-block CLI operations. This includes recording passwords to the cmd_history.log file which is world-readable. This flaw allows local users to obtain sensitive information by reading the log file. The highest threat from this vulnerability is to data confidentiality.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28726 ‼

Open redirect in SeedDMS 6.0.13 via the dropfolderfileform1 parameter to out/out.AddDocument.php.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-10763 ‼

An information-disclosure flaw was found in the way Heketi before 10.1.0 logs sensitive information. This flaw allows an attacker with local access to the Heketi server to read potentially sensitive information such as gluster-block passwords.

📖 Read

via "National Vulnerability Database".
🕴 Cloud Security Startup Lightspin Emerges From Stealth 🕴

The startup, founded by former white-hat hackers, has secured a $4 million seed round to close security gaps in cloud environments.

📖 Read

via "Dark Reading".
❌ ‘Minecraft Mods’ Attack More Than 1 Million Android Devices ❌

Fake Minecraft Modpacks on Google Play deliver millions of abusive ads and make normal phone use impossible.

📖 Read

via "Threat Post".
🦿 How to use the Google One VPN on Android 🦿

If you're looking for the best Android VPN, Jack Wallen thinks Google's take on the service might be the perfect fit for those wanting both performance and security.

📖 Read

via "Tech Republic".
❌ Post-Breach, Peatix Data Reportedly Found on Instagram, Telegram ❌

Events application Peatix this week disclosed a data breach, after user account information reportedly began circulating on Instagram and Telegram.

📖 Read

via "Threat Post".
🕴 Alexa, Disarm the Victim's Home Security System 🕴

Researchers who last year hacked popular voice assistants with laser pointers take their work to the next level.

📖 Read

via "Dark Reading".
‼ CVE-2020-28329 ‼

Barco wePresent WiPG-1600W firmware includes a hardcoded API account and password that is discoverable by inspecting the firmware image. A malicious actor could use this password to access authenticated, administrative functions in the API. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-25640 ‼

A flaw was discovered in WildFly before 21.0.0.Final where the resource adapter logs the plain-text JMS password at warning level on a connection error, inserting sensitive information into the log file.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-25654 ‼

An ACL bypass flaw was found in pacemaker before 1.1.24-rc1 and 2.0.5-rc2. An attacker having a local account on the cluster and in the haclient group could use IPC communication with various daemons directly to perform certain tasks that they would be prevented by ACLs from doing if they went through the configuration.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-29053 ‼

HRSALE 2.0.0 allows XSS via the admin/project/projects_calendar set_date parameter.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28333 ‼

Barco wePresent WiPG-1600W devices allow Authentication Bypass. Affected Version(s): 2.5.1.8. The Barco wePresent WiPG-1600W web interface does not use session cookies for tracking authenticated sessions. Instead, the web interface uses a "SEID" token that is appended to the end of URLs in GET requests. Thus the "SEID" would be exposed in web proxy logs and browser history. An attacker that is able to capture the "SEID" and originate requests from the same IP address (via a NAT device or web proxy) would be able to access the user interface of the device without having to know the credentials.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28334 ‼

Barco wePresent WiPG-1600W devices use Hard-coded Credentials (issue 2 of 2). Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W device has a hardcoded root password hash included in the firmware image. Exploiting CVE-2020-28329, CVE-2020-28330 and CVE-2020-28331 could potentially be used in a simple and automated exploit chain to go from unauthenticated remote attacker to root shell.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28330 ‼

Barco wePresent WiPG-1600W devices have Unprotected Transport of Credentials. Affected Version(s): 2.5.1.8. An attacker armed with hardcoded API credentials (retrieved by exploiting CVE-2020-28329) can issue an authenticated query to display the admin password for the main web user interface listening on port 443/tcp of a Barco wePresent WiPG-1600W device.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28332 ‼

Barco wePresent WiPG-1600W devices download code without an Integrity Check. Affected Version(s): 2.5.1.8, 2.5.0.25, 2.5.0.24, 2.4.1.19. The Barco wePresent WiPG-1600W firmware does not perform verification of digitally signed firmware updates and is susceptible to processing and installing modified/malicious images.

📖 Read

via "National Vulnerability Database".