🕴 Automated Pen Testing: Can It Replace Humans? 🕴
via "Dark Reading".
These tools have come a long way, but are they far enough along to make human pen testers obsolete?
‼ CVE-2020-13494 ‼
via "National Vulnerability Database".
A heap overflow vulnerability exists in the Pixar OpenUSD 20.05 parsing of compressed string tokens in binary USD files. A specially crafted malformed file can trigger a heap overflow which can result in out of bounds memory access which could lead to information disclosure. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.
‼ CVE-2020-25266 ‼
via "National Vulnerability Database".
AppImage appimaged before 1.0.3 does not properly check whether a downloaded file is a valid appimage. For example, it will accept a crafted mp3 file that contains an appimage, and install it.
‼ CVE-2017-14451 ‼
via "National Vulnerability Database".
An exploitable out-of-bounds read vulnerability exists in libevm (Ethereum Virtual Machine) of CPP-Ethereum. Specially crafted smart contract code can cause an out-of-bounds read which can subsequently trigger an out-of-bounds write resulting in remote code execution. An attacker can create/send a malicious smart contract to trigger this vulnerability.
‼ CVE-2020-13496 ‼
via "National Vulnerability Database".
An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out of bounds memory access in TfToken Type Index. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.
‼ CVE-2020-13493 ‼
via "National Vulnerability Database".
A heap overflow vulnerability exists in Pixar OpenUSD 20.05 when the software parses compressed sections in binary USD files. A specially crafted USDC file can trigger a heap overflow during decompression in the way path jumps are processed. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file.
‼ CVE-2020-29389 ‼
via "National Vulnerability Database".
The official Crux Linux Docker images 3.0 through 3.4 contain a blank password for a root user. Systems using the Crux Linux Docker container deployed by affected versions of the Docker image may allow an attacker to achieve root access with a blank password.
‼ CVE-2020-13497 ‼
via "National Vulnerability Database".
An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out of bounds memory access in String Type Index. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.
‼ CVE-2020-13956 ‼
via "National Vulnerability Database".
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
‼ CVE-2020-29239 ‼
via "National Vulnerability Database".
Online Birth Certificate System Project V 1.0 is affected by cross-site scripting (XSS). This vulnerability can result in an attacker injecting the XSS payload in the User Registration section. When an admin visits the View Detail of Application section from the admin panel, the attacker is able to steal the cookie according to the crafted payload.
‼ CVE-2020-13498 ‼
via "National Vulnerability Database".
An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out of bounds memory access in SdfPath Type Index. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.
‼ CVE-2020-29240 ‼
via "National Vulnerability Database".
Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered.
‼ CVE-2020-25265 ‼
via "National Vulnerability Database".
AppImage libappimage before 1.0.3 allows attackers to trigger an overwrite of a system-installed .desktop file by providing a .desktop file that contains Name= with path components.
‼ CVE-2017-2910 ‼
via "National Vulnerability Database".
An exploitable out-of-bounds write vulnerability exists in the xls_addCell function of libxls 2.0. A specially crafted xls file can cause memory corruption resulting in remote code execution. An attacker can send a malicious xls file to trigger this vulnerability.
❌ Xerox DocuShare Bugs Allowed Data Leaks ❌
via "Threat Post".
CISA warns the leading enterprise document management platform is open to attack and urges companies to apply fixes.
Xerox DocuShare Bugs Allow Data Leaks
❌ Think-Tanks Under Attack by APTs, CISA Warns ❌
via "Threat Post".
The feds have seen ongoing cyberattacks on think-tanks (bent on espionage, malware delivery and more), using phishing and VPN exploits as primary attack vectors.
Think-Tanks Under Attack by Foreign APTs, CISA Warns
🕴 Loyal Employee ... or Cybercriminal Accomplice? 🕴
via "Dark Reading".
Can the bad guys' insider recruitment methods be reverse-engineered to reveal potential insider threats? Let's take a look.
🕴 FBI: BEC Scammers Could Abuse Email Auto-Forwarding 🕴
via "Dark Reading".
Private Industry Notification warns of how email auto-forwarding could be used in business email compromise attacks.
‼ CVE-2020-26244 ‼
via "National Vulnerability Database".
Python oic is a Python OpenID Connect implementation. In Python oic before version 1.2.1, there are several related cryptographic issues affecting client implementations that use the library. The issues are: 1) The IdToken signature algorithm was not checked automatically, but only if the expected algorithm was passed in as a kwarg. 2) The JWA `none` algorithm was allowed in all flows. 3) oic.consumer.Consumer.parse_authz returns an unverified IdToken. The verification of the token was left to the discretion of the implementer. 4) The iat claim was not checked for sanity (i.e. it could be in the future). These issues are patched in version 1.2.1.
‼ CVE-2020-28206 ‼
via "National Vulnerability Database".
An issue was discovered in Bitrix24 Bitrix Framework (1c site management) 20.0. A "User enumeration and Improper Restriction of Excessive Authentication Attempts" vulnerability exists in the admin login form, allowing a remote user to enumerate users in the administrator group. This also allows brute-force attacks on the passwords of users not in the administrator group.
❌ Spotify Wrapped 2020 Rollout Marred by Pop Star Hacks ❌
via "Threat Post".
Spotify pages for Dua Lipa, Lana Del Rey, Future and others were defaced by an attacker pledging his love for Taylor Swift and Trump.