‼ CVE-2020-27763 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in ImageMagick in MagickCore/resize.c. An attacker who submits a crafted file that is processed by ImageMagick could trigger undefined behavior in the form of math division by zero. This would most likely lead to an impact to application availability, but could potentially cause other problems related to undefined behavior. This flaw affects ImageMagick versions prior to 7.0.8-68.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-14351 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in the Linux kernel. A use-after-free memory flaw was found in the perf subsystem allowing a local attacker with permission to monitor perf events to corrupt memory and possibly escalate privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13525 ‼
📖 Read
via "National Vulnerability Database".
The sort parameter in the download page /sysworkflow/en/neoclassic/reportTables/reportTables_Ajax is vulnerable to SQL injection in ProcessMaker 3.4.11. A specially crafted HTTP request can cause an SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-23726 ‼
📖 Read
via "National Vulnerability Database".
There is a local denial of service vulnerability in Wise Care 365 5.5.4, attackers can cause computer crash (BSOD).📖 Read
via "National Vulnerability Database".
‼ CVE-2020-23735 ‼
📖 Read
via "National Vulnerability Database".
In Saibo Cyber Game Accelerator 3.7.9 there is a local privilege escalation vulnerability. Attackers can use the constructed program to increase user privileges📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13543 ‼
📖 Read
via "National Vulnerability Database".
A code execution vulnerability exists in the WebSocket functionality of Webkit WebKitGTK 2.30.0. A specially crafted web page can trigger a use-after-free vulnerability which can lead to remote code execution. An attacker can get a user to visit a webpage to trigger this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-23727 ‼
📖 Read
via "National Vulnerability Database".
There is a local denial of service vulnerability in the Antiy Zhijia Terminal Defense System 5.0.2.10121559 and an attacker can cause a computer crash (BSOD).📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27759 ‼
📖 Read
via "National Vulnerability Database".
In IntensityCompare() of /MagickCore/quantize.c, a double value was being casted to int and returned, which in some cases caused a value outside the range of type `int` to be returned. The flaw could be triggered by a crafted input file under certain conditions when processed by ImageMagick. Red Hat Product Security marked this as Low severity because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 7.0.8-68.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28251 ‼
📖 Read
via "National Vulnerability Database".
NETSCOUT AirMagnet Enterprise 11.1.4 build 37257 and earlier has a sensor escalated privileges vulnerability that can be exploited to provide someone with administrative access to a sensor, with credentials to invoke a command to provide root access to the operating system. The attacker must complete a straightforward password-cracking exercise.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27783 ‼
📖 Read
via "National Vulnerability Database".
A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A remote attacker could exploit this flaw to run arbitrary HTML/JS code.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27761 ‼
📖 Read
via "National Vulnerability Database".
WritePALMImage() in /coders/palm.c used size_t casts in several areas of a calculation which could lead to values outside the range of representable type `unsigned long` undefined behavior when a crafted input file was processed by ImageMagick. The patch casts to `ssize_t` instead to avoid this issue. Red Hat Product Security marked the Severity as Low because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to ImageMagick 7.0.9-0.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25711 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28923 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Play Framework 2.8.0 through 2.8.4. Carefully crafted JSON payloads sent as a form field lead to Data Amplification. This affects users migrating from a Play version prior to 2.8.0 that used the Play Java API to serialize classes with protected or private fields to JSON.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27764 ‼
📖 Read
via "National Vulnerability Database".
In /MagickCore/statistic.c, there are several areas in ApplyEvaluateOperator() where a size_t cast should have been a ssize_t cast, which causes out-of-range values under some circumstances when a crafted input file is processed by ImageMagick. Red Hat Product Security marked this as Low severity because although it could potentially lead to an impact to application availability, no specific impact was shown in this case. This flaw affects ImageMagick versions prior to 6.9.10-69.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28175 ‼
📖 Read
via "National Vulnerability Database".
There is a local privilege escalation vulnerability in Alfredo Milani Comparetti SpeedFan 4.52. Attackers can use constructed programs to increase user privileges📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25693 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in CImg in versions prior to 2.9.3. Integer overflows leading to heap buffer overflows in load_pnm() can be triggered by a specially crafted input file processed by CImg, which can lead to an impact to application availability or data integrity.📖 Read
via "National Vulnerability Database".
❌ TrickBot Returns with a Vengeance, Sporting Rare Bootkit Functions ❌
📖 Read
via "Threat Post".
A new "TrickBoot" module scans for vulnerable firmware and has the ability to read, write and erase it on devices.📖 Read
via "Threat Post".
Threat Post
TrickBot Returns with a Vengeance, Sporting Rare Bootkit Functions
A new "TrickBoot" module scans for vulnerable firmware and has the ability to read, write and erase it on devices.
🔏 Phishing Campaign Takes Aim at COVID-19 Vaccine Transportation Chain 🔏
📖 Read
via "Digital Guardian".
The latest attack on COVID-19 vaccine research is aimed squarely at the supply chain of companies and government organizations working to keep the vaccines refrigerated in transit.📖 Read
via "Digital Guardian".
Digital Guardian
Phishing Campaign Takes Aim at COVID-19 Vaccine Transportation Chain
The latest attack on COVID-19 vaccine research is aimed squarely at the supply chain of companies and government organizations working to keep the vaccines refrigerated in transit.
🦿 6 security predictions that will impact healthcare in 2021 🦿
📖 Read
via "Tech Republic".
Attacks against COVID-19 vaccine developers will continue, while more reports will surface about patient data leaks in the cloud, says Kaspersky.📖 Read
via "Tech Republic".
TechRepublic
6 security predictions that will impact healthcare in 2021
Attacks against COVID-19 vaccine developers will continue, while more reports will surface about patient data leaks in the cloud, says Kaspersky.
‼ CVE-2020-23741 ‼
📖 Read
via "National Vulnerability Database".
In AnyView (network police) network monitoring software 4.6.0.1, there is a local denial of service vulnerability in AnyView, attackers can use a constructed program to cause a computer crash (BSOD).📖 Read
via "National Vulnerability Database".
‼ CVE-2020-17527 ‼
📖 Read
via "National Vulnerability Database".
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.📖 Read
via "National Vulnerability Database".