βΌ CVE-2020-8566 βΌ
π Read
via "National Vulnerability Database".
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8563 βΌ
π Read
via "National Vulnerability Database".
In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log.π Read
via "National Vulnerability Database".
βΌ CVE-2020-27641 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-29136. Reason: This candidate is a reservation duplicate of CVE-2020-29136. Notes: All CVE users should reference CVE-2020-29136 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28935 βΌ
π Read
via "National Vulnerability Database".
NLnet Labs Unbound, up to and including version 1.12.0, and NLnet Labs NSD, up to and including version 4.3.3, contain a local vulnerability that would allow for a local symlink attack. When writing the PID file, Unbound and NSD create the file if it is not there, or open an existing file for writing. In case the file was already present, they would follow symlinks if the file happened to be a symlink instead of a regular file. An additional chown of the file would then take place after it was written, making the user Unbound/NSD is supposed to run as the new owner of the file. If an attacker has local access to the user Unbound/NSD runs as, she could create a symlink in place of the PID file pointing to a file that she would like to erase. If then Unbound/NSD is killed and the PID file is not cleared, upon restarting with root privileges, Unbound/NSD will rewrite any file pointed at by the symlink. This is a local vulnerability that could create a Denial of Service of the system Unbound/NSD is running on. It requires an attacker having access to the limited permission user Unbound/NSD runs as and point through the symlink to a critical file on the system.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8565 βΌ
π Read
via "National Vulnerability Database".
In Kubernetes, if the logging level is set to at least 9, authorization and bearer tokens will be written to log files. This can occur both in API server logs and client tool output like kubectl.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8564 βΌ
π Read
via "National Vulnerability Database".
In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25692 βΌ
π Read
via "National Vulnerability Database".
A NULL pointer dereference was found in OpenLDAP server and was fixed in openldap 2.4.55, during a request for renaming RDNs. An unauthenticated attacker could remotely crash the slapd process by sending a specially crafted request, causing a Denial of Service.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26253 βΌ
π Read
via "National Vulnerability Database".
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14 there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years ago in Kirby 2. It helps to avoid that you forget registering your first admin account on a public server. In this case Γ’β¬β without our security block Γ’β¬β someone else might theoretically be able to find your site, find out it's running on Kirby, find the Panel and then register the account first. It's an unlikely situation, but it's still a certain risk. To be able to register the first Panel account on a public server, you have to enforce the installer via a config setting. This helps to push all users to the best practice of registering your first Panel account on your local machine and upload it together with the rest of the site. This installation block implementation in Kirby versions before 3.3.6 still assumed that .dev domains are local domains, which is no longer true. In the meantime, those domains became publicly available. This means that our installation block is no longer working as expected if you use a .dev domain for your Kirby site. Additionally the local installation check may also fail if your site is behind a reverse proxy. You are only affected if you use a .dev domain or your site is behind a reverse proxy and you have not yet registered your first Panel account on the public server and someone finds your site and tries to login at `yourdomain.dev/panel` before you register your first account. You are not affected if you have already created one or multiple Panel accounts (no matter if on a .dev domain or behind a reverse proxy). The problem has been patched in Kirby 3.3.6. Please upgrade to this or a later version to fix the vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25630 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.π Read
via "National Vulnerability Database".
βΌ CVE-2020-27818 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in the check_chunk_name() function of pngcheck-2.4.0. An attacker able to pass a malicious file to be processed by pngcheck could cause a temporary denial of service, posing a low risk to application availability.π Read
via "National Vulnerability Database".
βΌ CVE-2020-27822 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API's java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availability of the server. The highest threat from this vulnerability is to system availability.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25677 βΌ
π Read
via "National Vulnerability Database".
Ceph-ansible 4.0.34.1 creates /etc/ceph/iscsi-gateway.conf with insecure default permissions, allowing any user to read the sensitive information within.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25629 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25631 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25628 βΌ
π Read
via "National Vulnerability Database".
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.π Read
via "National Vulnerability Database".
β Vishing criminals let rip with two scams at once β
π Read
via "Naked Security".
It would be funny if it weren't a crime.π Read
via "Naked Security".
Naked Security
Vishing criminals let rip with two scams at once
It would be funny if it werenβt a crime.
π΄ Attackers Know Microsoft 365 Better Than You Do π΄
π Read
via "Dark Reading".
Users have taken to Microsoft Office 365's tools, but many are unaware of free features that come with their accounts -- features that would keep them safe.π Read
via "Dark Reading".
Darkreading
Attackers Know Microsoft 365 Better Than You Do
Users have taken to Microsoft Office 365's tools, but many are unaware of free features that come with their accounts -- features that would keep them safe.
βΌ CVE-2020-29539 βΌ
π Read
via "National Vulnerability Database".
A Cross-Site Scripting (XSS) issue in WebUI Translation in Systran Pure Neural Server before 9.7.0 allows a threat actor to have a remote authenticated user run JavaScript from a malicious site.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25889 βΌ
π Read
via "National Vulnerability Database".
A SQL injection vulnerability in Online Bus Booking System Project Using PHP/MySQL version 1.0 allows remote attackers to bypass authentication and execute arbitrary SQL commands.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25955 βΌ
π Read
via "National Vulnerability Database".
There is a cross-site scripting (XSS) vulnerability in SourceCodester Student Management System Project in PHP 1.0 via the 'add subject' tab.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29540 βΌ
π Read
via "National Vulnerability Database".
API calls in the Translation API feature in Systran Pure Neural Server before 9.7.0 allow a threat actor to use the Systran Pure Neural Server as a Denial-of-Service proxy by sending a large amount of translation requests to a destination host on any given TCP port regardless of whether a web service is running on the destination port.π Read
via "National Vulnerability Database".