🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2020-8539 ‼

Kia Motors Head Unit with Software version: SOP.003.30.18.0703, SOP.005.7.181019, and SOP.007.1.191209 may allow an attacker to inject unauthorized commands, by executing the micomd executable daemon, to trigger unintended functionalities. In addition, this executable may be used by an attacker to inject commands to generate CAN frames that are sent into the M-CAN bus (Multimedia CAN bus) of the vehicle.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-11990 ‼

We have resolved a security issue in the camera plugin that could have affected certain Cordova (Android) applications. An attacker who could install (or lead the victim to install) a specially crafted (or malicious) Android application would be able to access pictures taken with the app externally.

📖 Read

via "National Vulnerability Database".
‼ CVE-2019-16958 ‼

Cross-site Scripting (XSS) vulnerability in SolarWinds Web Help Desk 12.7.0 allows an attacker to inject arbitrary web script or HTML via Location Name.

📖 Read

via "National Vulnerability Database".
❌ Cayman Islands Bank Records Exposed in Open Azure Blob ❌

An offshore Cayman Islands bank’s backups, covering a $500 million investment portfolio, were left unsecured and leaking personal banking information, passport data and even online banking PINs.

📖 Read

via "Threat Post".
‼ CVE-2020-28583 ‼

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version, build and patch information.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28582 ‼

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal the number of managed agents.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28575 ‼

A heap-based buffer overflow privilege escalation vulnerability in Trend Micro ServerProtect for Linux 3.0 may allow an attacker to escalate privileges on affected installations. An attacker must first obtain the ability to execute high-privileged code on the target in order to exploit this vulnerability.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28573 ‼

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal the total agents managed by the server.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28576 ‼

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal version and build information.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-28577 ‼

An improper access control information disclosure vulnerability in Trend Micro Apex One and OfficeScan XG SP1 could allow an unauthenticated user to connect to the product server and reveal the server hostname and database names.

📖 Read

via "National Vulnerability Database".
❌ Android Messenger App Still Leaking Photos, Videos ❌

The GO SMS Pro app has been downloaded 100 million times; now, underground forums are actively sharing images stolen from GO SMS servers.

📖 Read

via "Threat Post".
❌ Misconfigured Docker Servers Under Attack by Xanthe Malware ❌

The never-before-seen Xanthe cryptomining botnet has been targeting misconfigured Docker APIs.

📖 Read

via "Threat Post".
🕴 SASE 101: Why All the Buzz? 🕴

Wide area networking and network security services unite to provide secure, cloud-based connectivity for enterprises' remote employees -- and these days that means billions of workers.

📖 Read

via "Dark Reading".
🦿 How to protect your personal data from being sold on the Dark Web 🦿

Cybercriminals can use stolen information for extortion, scams and phishing schemes, and the direct theft of money, says Kaspersky.

📖 Read

via "Tech Republic".
🕴 Inside North Korea's Rapid Evolution to Cyber Superpower 🕴

Researchers examine North Korea's rapid evolution from destructive campaigns to complex and efficient cyber operations.

📖 Read

via "Dark Reading".
‼ CVE-2020-26250 ‼

OAuthenticator is an OAuth login mechanism for JupyterHub. In oauthenticator from version 0.12.0 and before 0.12.2, the configuration `Authenticator.whitelist` (deprecated in JupyterHub 1.2), which should be transparently mapped to `Authenticator.allowed_users` with a warning, is instead ignored by OAuthenticator classes, resulting in the same behavior as if this configuration had not been set. If this is the only mechanism of authorization restriction (i.e. no group or team restrictions in configuration), then all authenticated users will be allowed. Provider-based restrictions, including deprecated values such as `GitHubOAuthenticator.org_whitelist`, are **not** affected.

Affected: all users of OAuthenticator 0.12.0 and 0.12.1 with JupyterHub 1.2 (JupyterHub Helm chart 0.10.0-0.10.5) who use the `admin.whitelist.users` configuration in the jupyterhub helm chart or the `c.Authenticator.whitelist` configuration directly. Users of other deprecated configuration, e.g. `c.GitHubOAuthenticator.team_whitelist`, are **not** affected. If you see a log line like the following and expect a specific list of allowed usernames, you are likely affected:

"[I 2020-11-27 16:51:54.528 JupyterHub app:1717] Not using allowed_users. Any authenticated user will be allowed."

Updating oauthenticator to 0.12.2 is recommended. A workaround is to replace the deprecated `c.Authenticator.whitelist = ...` with `c.Authenticator.allowed_users = ...`. If any users have been authorized during this time who should not have been, they must be deleted via the API or admin interface, per the referenced documentation.

📖 Read

via "National Vulnerability Database".
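The following is an added example, not OAuthenticator's or JupyterHub's own code: a small Python model of the failure mode described above. A base authenticator maps the deprecated `whitelist` setting onto `allowed_users`; a subclass that reads `allowed_users` directly and never consults the deprecated key silently drops the restriction, and an empty allow-list means "everyone is allowed". The class names, the `migrate_config` helper and the sample configuration are constructed for illustration; only the log message text comes from the advisory.

```python
import logging
import warnings

log = logging.getLogger("JupyterHub")

# Log message quoted in the advisory as the sign of an affected deployment.
OPEN_ALLOWLIST_MSG = "Not using allowed_users. Any authenticated user will be allowed."


class Authenticator:
    """Model of the base-class contract: the deprecated `whitelist`
    setting is mapped onto `allowed_users` with a deprecation warning."""

    def __init__(self, allowed_users=None, whitelist=None):
        if whitelist is not None:
            warnings.warn("Authenticator.whitelist is deprecated, use allowed_users",
                          DeprecationWarning, stacklevel=2)
            if allowed_users is None:
                allowed_users = whitelist
        self.allowed_users = set(allowed_users or ())

    def check_allowed(self, username):
        # An empty allow-list means "no restriction configured": every
        # authenticated user passes. This is the dangerous default.
        if not self.allowed_users:
            log.info(OPEN_ALLOWLIST_MSG)
            return True
        return username in self.allowed_users


class BuggyOAuthenticator(Authenticator):
    """Models the 0.12.0/0.12.1 behaviour: the subclass sets `allowed_users`
    itself and never looks at `whitelist`, so the restriction is lost."""

    def __init__(self, allowed_users=None, whitelist=None):
        self.allowed_users = set(allowed_users or ())  # bug: whitelist ignored


class FixedOAuthenticator(Authenticator):
    """Models the 0.12.2 behaviour: defer to the base-class mapping."""


def migrate_config(config):
    """The advisory's workaround applied to a flat config dict (constructed
    representation): rewrite `c.Authenticator.whitelist` to
    `c.Authenticator.allowed_users`. Other deprecated keys are left alone."""
    migrated = dict(config)
    if "c.Authenticator.whitelist" in migrated:
        users = migrated.pop("c.Authenticator.whitelist")
        migrated.setdefault("c.Authenticator.allowed_users", users)
    return migrated


def log_indicates_open_allowlist(line):
    """True when a JupyterHub log line carries the advisory's warning text."""
    return OPEN_ALLOWLIST_MSG in line


if __name__ == "__main__":
    # Constructed deployment: whitelist is the only restriction, no org/team rules.
    buggy = BuggyOAuthenticator(whitelist={"alice"})
    fixed = FixedOAuthenticator(whitelist={"alice"})
    print("buggy allows mallory:", buggy.check_allowed("mallory"))  # True
    print("fixed allows mallory:", fixed.check_allowed("mallory"))  # False
    print(migrate_config({"c.Authenticator.whitelist": {"alice"}}))
```

The point to take from the model is structural: a deprecated alias handled in a base class only protects you if every subclass routes through that handling. When auditing a deployment, grep the hub log for the quoted message and treat its presence as an open allow-list until proven otherwise.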
🕴 Unmanaged Devices Heighten Risks for School Networks 🕴

Gaming consoles, Wi-Fi Pineapples, and building management systems are among many devices Armis says it discovered on K-12 school networks.

📖 Read

via "Dark Reading".
‼ CVE-2020-29458 ‼

Textpattern CMS 4.6.2 allows CSRF via the prefs subsystem.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-29456 ‼

Multiple cross-site scripting (XSS) vulnerabilities in Papermerge before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the rename, tag, upload, or create folder function. The payload can be in a folder, a tag, or a document's filename. If email consumption is configured in Papermerge, a malicious document can be sent by email and is automatically uploaded into the Papermerge web application. Therefore, no authentication is required to exploit XSS if email consumption is configured. Otherwise authentication is required.

📖 Read

via "National Vulnerability Database".
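An added example, not Papermerge's own code, showing the three injection surfaces the advisory names (folder name, tag, document filename) rendered into a listing with and without output escaping. The payloads and the `render_listing` template are constructed; the document filename stands in for the value that arrives without authentication when email consumption auto-uploads an attachment.

```python
from html import escape

# Constructed payloads for the three user-controlled names in the advisory.
# The tag payload targets an attribute context, the other two a text context.
ITEMS = [
    ("folder", "Invoices<script>alert(1)</script>"),
    ("tag", 'urgent" onmouseover="alert(2)'),
    ("document", "scan<img src=x onerror=alert(3)>.pdf"),
]


def render_listing(items, escape_output):
    """Render one <li> per item, placing the name in both a text node and a
    title attribute. escape_output=False is the vulnerable pattern; True is
    the fix: escape at the output boundary with quote=True so the attribute
    context is covered as well as the text context."""
    rows = []
    for kind, name in items:
        label = escape(name, quote=True) if escape_output else name
        rows.append(f'<li class="{kind}" title="{label}">{label}</li>')
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"


def surviving_payloads(html_fragment, items):
    """Names whose raw text reached the rendered HTML unchanged."""
    return [name for _, name in items if name in html_fragment]


def extra_tags(html_fragment, items):
    """Count of '<' in the output beyond what the template itself emits:
    <ul>, </ul> and one <li>...</li> pair per item. Anything above zero
    came from user-controlled names."""
    expected = 2 + 2 * len(items)
    return html_fragment.count("<") - expected


if __name__ == "__main__":
    vulnerable = render_listing(ITEMS, escape_output=False)
    fixed = render_listing(ITEMS, escape_output=True)
    print("raw payloads in vulnerable output:", len(surviving_payloads(vulnerable, ITEMS)))  # 3
    print("raw payloads in fixed output:", len(surviving_payloads(fixed, ITEMS)))  # 0
    print("injected tags, vulnerable:", extra_tags(vulnerable, ITEMS))  # 6
    print("injected tags, fixed:", extra_tags(fixed, ITEMS))  # 0
```

Escaping belongs at the output boundary, not at upload time: a filename that is sanitised when it comes in by email can still be renamed later through the rename function, and a name stored escaped breaks when it is shown in a non-HTML context. In a Django template this is what autoescaping does by default; the vulnerable pattern corresponds to marking user-supplied names as safe or building HTML by string concatenation.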
🕴 Free Mobile App Measures Your Personal Cyber Risk 🕴

New app for Android and Apple iOS uses an algorithm co-developed with MIT to gauge security posture on an ongoing basis.

📖 Read

via "Dark Reading".