🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

‼ CVE-2020-8565 ‼

In Kubernetes, if the logging level (the -v flag) is set to 9 or higher, authorization and bearer tokens are written to log files. This can occur both in API server logs and in client tool output such as kubectl.

via "National Vulnerability Database".
‼ CVE-2020-8564 ‼

In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials.

via "National Vulnerability Database".
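
Both Kubernetes entries above describe the same failure mode: a verbosity setting that is harmless for correctness but turns logs into a credential store. The script below is an added example, not Kubernetes project code, for auditing a component command line for the two thresholds quoted in the advisories and for finding and masking leaked bearer tokens and docker-config "auth" values in log lines already written. The log lines are constructed for the example; the regexes assume the common "Authorization: Bearer ..." header form and the standard docker config JSON layout.

```python
import re
from typing import List, Tuple

# Verbosity thresholds quoted in the two advisories: bearer tokens appear at
# -v>=9 (CVE-2020-8565), docker config contents at -v>=4 (CVE-2020-8564).
TOKEN_LEAK_LEVEL = 9
DOCKERCFG_LEAK_LEVEL = 4

# Matches the klog verbosity flag in "--v=9", "--v 9" or "-v 9" form
# (and not --vmodule or --verbose).
_V_FLAG = re.compile(r"(?:^|\s)(?:--v|-v)(?:=|\s+)(\d+)\b")
# Bearer credential as it appears in a logged HTTP Authorization header.
_BEARER = re.compile(r"(Authorization:\s*Bearer\s+)([A-Za-z0-9._~+/=-]+)")
# "auth" field of a docker config: base64("user:password").
_DOCKER_AUTH = re.compile(r'("auth"\s*:\s*")([A-Za-z0-9+/=]+)(")')


def verbosity_of(cmdline: str) -> int:
    """Return the verbosity set on a component command line, 0 if the flag is absent."""
    m = _V_FLAG.search(cmdline)
    return int(m.group(1)) if m else 0


def audit_cmdline(cmdline: str) -> List[str]:
    """List the credential-leak conditions this command line's verbosity triggers."""
    v = verbosity_of(cmdline)
    findings = []
    if v >= TOKEN_LEAK_LEVEL:
        findings.append("CVE-2020-8565: -v>=%d logs bearer tokens (found -v=%d)" % (TOKEN_LEAK_LEVEL, v))
    if v >= DOCKERCFG_LEAK_LEVEL:
        findings.append("CVE-2020-8564: -v>=%d logs docker config contents (found -v=%d)" % (DOCKERCFG_LEAK_LEVEL, v))
    return findings


def find_leaks(lines) -> List[Tuple[int, str]]:
    """Return (line index, kind) for every log line that carries a credential."""
    hits = []
    for i, line in enumerate(lines):
        if _BEARER.search(line):
            hits.append((i, "bearer-token"))
        if _DOCKER_AUTH.search(line):
            hits.append((i, "docker-config-auth"))
    return hits


def redact(line: str) -> str:
    """Mask credentials so the line can be kept for troubleshooting."""
    line = _BEARER.sub(r"\1[REDACTED]", line)
    return _DOCKER_AUTH.sub(r"\1[REDACTED]\3", line)


# Constructed sample lines for the example; not captured from a real cluster.
SAMPLE_LOGS = [
    "I1201 12:00:01.000000 1 request.go] GET https://10.0.0.1:6443/api/v1/pods",
    "I1201 12:00:01.000001 1 request.go] Request Headers: Authorization: Bearer "
    "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQifQ.c2lnbmF0dXJl",
    'I1201 12:00:02.000000 1 config.go] parsing docker config: '
    '{"auths":{"registry.example.com":{"auth":"dXNlcjpzM2NyM3Q="}}}',
    "I1201 12:00:03.000000 1 healthz.go] GET /healthz 200 OK",
]

if __name__ == "__main__":
    for finding in audit_cmdline("kube-apiserver --v=9 --authorization-mode=RBAC"):
        print(finding)
    for idx, kind in find_leaks(SAMPLE_LOGS):
        print(idx, kind, "->", redact(SAMPLE_LOGS[idx]))
```

Run the audit against the kube-apiserver static pod manifest's command line and the kubelet's systemd unit; anything at -v 4 or above deserves a justification, and logs shipped off-host should pass through redact() regardless, since a later verbosity bump is a one-line change.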
‼ CVE-2020-25692 ‼

A NULL pointer dereference was found in OpenLDAP server and was fixed in openldap 2.4.55, during a request for renaming RDNs. An unauthenticated attacker could remotely crash the slapd process by sending a specially crafted request, causing a Denial of Service.

via "National Vulnerability Database".
‼ CVE-2020-26253 ‼

Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.3.6, and Kirby Panel before version 2.5.14, there is a vulnerability in which the admin panel may be accessed if hosted on a .dev domain. In order to protect new installations on public servers that don't have an admin account for the Panel yet, we block account registration there by default. This is a security feature, which we implemented years ago in Kirby 2. It helps you avoid forgetting to register your first admin account on a public server. In this case, without our security block, someone else might theoretically be able to find your site, find out it's running on Kirby, find the Panel and then register the account first. It's an unlikely situation, but it's still a certain risk. To be able to register the first Panel account on a public server, you have to enforce the installer via a config setting. This helps to push all users to the best practice of registering your first Panel account on your local machine and uploading it together with the rest of the site. The installation block implementation in Kirby versions before 3.3.6 still assumed that .dev domains are local domains, which is no longer true. In the meantime, those domains became publicly available. This means that our installation block is no longer working as expected if you use a .dev domain for your Kirby site. Additionally, the local installation check may also fail if your site is behind a reverse proxy. You are only affected if you use a .dev domain or your site is behind a reverse proxy, you have not yet registered your first Panel account on the public server, and someone finds your site and tries to log in at `yourdomain.dev/panel` before you register your first account. You are not affected if you have already created one or multiple Panel accounts (no matter if on a .dev domain or behind a reverse proxy). The problem has been patched in Kirby 3.3.6. Please upgrade to this or a later version to fix the vulnerability.

via "National Vulnerability Database".
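
The Kirby entry is a reminder that "is this a local install?" cannot be inferred from a hostname suffix: .dev became a public TLD, and behind a reverse proxy the peer address is the proxy, not the visitor. The code below is an added, hypothetical illustration of the two checks side by side, not Kirby's own code (the page does not describe how 3.3.6 implements its fix): the flawed version treats any *.dev host as local, while the hardened version accepts only names reserved for local use (localhost, *.localhost, *.test per RFC 6761) or a loopback address, requires the peer itself to be loopback/private, refuses to guess at all when the request is proxied, and otherwise falls back to the explicit config opt-in the advisory describes. The function names and the config_enforce parameter are assumptions for the example.

```python
import ipaddress
from typing import Optional

# Name suffixes reserved for local use by RFC 6761; ".dev" is deliberately absent
# because it is a public TLD.
_RESERVED_LOCAL_SUFFIXES = (".localhost", ".test")


def is_local_flawed(server_name: str) -> bool:
    """Pre-3.3.6 style check (hypothetical): treats any *.dev host as a developer machine."""
    host = server_name.lower()
    return host in ("localhost", "127.0.0.1", "::1") or host.endswith((".dev", ".test", ".localhost"))


def is_local(server_name: str, remote_addr: str, forwarded_for: Optional[str] = None) -> bool:
    """Hardened check: reserved local name or loopback host, local peer, and never a proxied request."""
    if forwarded_for is not None:
        # Behind a reverse proxy REMOTE_ADDR is the proxy, so it says nothing about
        # where the visitor sits; refuse to infer locality rather than guess.
        return False
    host = server_name.lower().rstrip(".").strip("[]")
    if host == "localhost" or host.endswith(_RESERVED_LOCAL_SUFFIXES):
        name_ok = True
    else:
        try:
            name_ok = ipaddress.ip_address(host).is_loopback
        except ValueError:
            name_ok = False  # any other DNS name, .dev included, is public
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return name_ok and (peer.is_loopback or peer.is_private)


def installer_allowed(server_name: str, remote_addr: str,
                      forwarded_for: Optional[str] = None,
                      config_enforce: bool = False) -> bool:
    """The first-account installer is reachable only locally or with an explicit opt-in."""
    return config_enforce or is_local(server_name, remote_addr, forwarded_for)


if __name__ == "__main__":
    print("flawed, mysite.dev from the internet:", is_local_flawed("mysite.dev"))
    print("hardened, mysite.dev from the internet:", is_local("mysite.dev", "203.0.113.5"))
    print("hardened, localhost via proxy:", is_local("localhost", "127.0.0.1", "198.51.100.7"))
```

The design point is that the hardened check fails closed: an unrecognised situation (public name, unparsable peer, proxied request) yields False and the operator must set the explicit config flag, which is the behaviour the advisory recommends for public servers anyway.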
‼ CVE-2020-25630 ‼

A vulnerability was found in Moodle where the decompressed size of zip files was not checked against available user quota before unzipping them, which could lead to a denial of service risk. This affects versions 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

via "National Vulnerability Database".
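
The Moodle zip issue is the classic decompression-bomb shape: the archive is small, the output is not, and the quota is consulted only after the damage is done. The following is an added example in Python, not Moodle code, of unzipping within a byte quota in two layers: first reject from the central directory's declared sizes (the cheap check the advisory says was missing), then keep a running count while inflating so that a member whose header understates its size still cannot push the total past the quota. The archive is constructed inline (2 MB of zeros, which deflates to a few kilobytes); the path-containment check is included because it is the other standard zip pitfall, not because the advisory mentions it.

```python
import io
import os
import tempfile
import zipfile


class QuotaExceeded(Exception):
    pass


def declared_size(zip_bytes: bytes) -> int:
    """Sum of the uncompressed sizes the central directory claims; costs no inflation."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return sum(info.file_size for info in archive.infolist())


def extract_within_quota(zip_bytes: bytes, dest: str, quota_bytes: int) -> int:
    """Unzip into dest only if the output fits quota_bytes; return bytes written."""
    declared = declared_size(zip_bytes)
    if declared > quota_bytes:
        raise QuotaExceeded("archive declares %d bytes, quota is %d" % (declared, quota_bytes))
    real_dest = os.path.realpath(dest)
    written = 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(real_dest, info.filename))
            if not target.startswith(real_dest + os.sep):
                raise ValueError("member escapes destination: %r" % info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with archive.open(info) as src, open(target, "wb") as dst:
                while True:
                    chunk = src.read(64 * 1024)
                    if not chunk:
                        break
                    written += len(chunk)
                    # Second layer: enforce the budget on actual inflated bytes,
                    # not on what the headers promised.
                    if written > quota_bytes:
                        raise QuotaExceeded("inflated output exceeded quota at %d bytes" % written)
                    dst.write(chunk)
    return written


def build_sample_zip(payload_size: int = 2_000_000) -> bytes:
    """Constructed test archive: one member of zero bytes, which deflates to a few KB."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes/blob.bin", b"\0" * payload_size)
    return buf.getvalue()


def demo(quota_bytes: int) -> str:
    """Run the sample archive against a quota; 'ok:<bytes written>' or 'rejected'."""
    data = build_sample_zip()
    with tempfile.TemporaryDirectory() as dest:
        try:
            return "ok:%d" % extract_within_quota(data, dest, quota_bytes)
        except QuotaExceeded:
            return "rejected"


if __name__ == "__main__":
    sample = build_sample_zip()
    print("archive size:", len(sample), "bytes; declares", declared_size(sample), "bytes")
    print("quota 1 MB:", demo(1_000_000))
    print("quota 5 MB:", demo(5_000_000))
```

The first layer is what makes the check affordable: reading the central directory is O(number of entries) regardless of how large the members inflate to, so the decision to reject an over-quota upload costs almost nothing.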
‼ CVE-2020-27818 ‼

A flaw was found in the check_chunk_name() function of pngcheck-2.4.0. An attacker able to pass a malicious file to be processed by pngcheck could cause a temporary denial of service, posing a low risk to application availability.

via "National Vulnerability Database".
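
The pngcheck entry names check_chunk_name(), the routine that validates the four-byte chunk type. As an added example, not pngcheck's code, here is a small PNG chunk walker that applies the format's own rules before trusting anything in a chunk header: each type byte must be an ASCII letter, the length field may not exceed 2^31-1, the declared body and CRC must fit in the file, and the CRC must match. Malformed input produces a PngError with a reason instead of a crash or a misread. The PNG samples are constructed inline (a valid 1x1 grayscale image, one with a non-letter byte in a chunk type, and a truncated copy).

```python
import struct
import zlib
from typing import List, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LENGTH = 2**31 - 1  # the PNG spec caps the length field at 2^31-1


class PngError(ValueError):
    pass


def check_chunk_name(name: bytes) -> None:
    """Every byte of a chunk type must be an ASCII letter (A-Z or a-z)."""
    if len(name) != 4 or not all(65 <= b <= 90 or 97 <= b <= 122 for b in name):
        raise PngError("invalid chunk type %r" % name)


def walk_chunks(data: bytes) -> List[Tuple[str, int]]:
    """Return (type, length) per chunk, refusing malformed input instead of misreading it."""
    if not data.startswith(PNG_SIGNATURE):
        raise PngError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(data):
        if len(data) - pos < 8:
            raise PngError("truncated chunk header at offset %d" % pos)
        length, = struct.unpack(">I", data[pos:pos + 4])
        name = data[pos + 4:pos + 8]
        check_chunk_name(name)  # validate before using the name anywhere
        if length > MAX_CHUNK_LENGTH:
            raise PngError("chunk %s length %d exceeds 2^31-1" % (name.decode(), length))
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            raise PngError("chunk %s claims %d bytes but the file ends early" % (name.decode(), length))
        crc, = struct.unpack(">I", data[body_end:body_end + 4])
        if zlib.crc32(data[pos + 4:body_end]) & 0xFFFFFFFF != crc:
            raise PngError("bad CRC on chunk %s" % name.decode())
        chunks.append((name.decode("ascii"), length))
        pos = body_end + 4
        if name == b"IEND":
            break
    if not chunks or chunks[0][0] != "IHDR" or chunks[-1][0] != "IEND":
        raise PngError("IHDR/IEND framing missing")
    return chunks


def _chunk(name: bytes, body: bytes) -> bytes:
    """Assemble one chunk with a correct CRC (used only to construct the samples)."""
    return (struct.pack(">I", len(body)) + name + body
            + struct.pack(">I", zlib.crc32(name + body) & 0xFFFFFFFF))


# Constructed samples for the example, not files from the wild.
_IHDR_1x1_GRAY8 = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD_PNG = (PNG_SIGNATURE
            + _chunk(b"IHDR", _IHDR_1x1_GRAY8)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))  # filter byte + one pixel
            + _chunk(b"IEND", b""))
BAD_NAME_PNG = PNG_SIGNATURE + _chunk(b"IHDR", _IHDR_1x1_GRAY8) + _chunk(b"I\x00AT", b"\x00")
TRUNCATED_PNG = GOOD_PNG[:-6]  # IEND cut off inside its header


def classify(data: bytes) -> str:
    """'ok <chunk types>' or the parser's rejection reason."""
    try:
        return "ok " + " ".join(n for n, _ in walk_chunks(data))
    except PngError as e:
        return "rejected: " + str(e)


if __name__ == "__main__":
    for label, sample in (("good", GOOD_PNG), ("bad name", BAD_NAME_PNG), ("truncated", TRUNCATED_PNG)):
        print(label, "->", classify(sample))
```

The order of checks is the point: the type bytes are validated before they are decoded or printed, and the declared length is bounded against both the spec limit and the remaining file before any slice is taken from it, so a hostile header can only produce an error message.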
‼ CVE-2020-27822 ‼

A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API's java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availability of the server. The highest threat from this vulnerability is to system availability.

via "National Vulnerability Database".
‼ CVE-2020-25677 ‼

Ceph-ansible 4.0.34.1 creates /etc/ceph/iscsi-gateway.conf with insecure default permissions, allowing any user to read the sensitive information within.

via "National Vulnerability Database".
‼ CVE-2020-25629 ‼

A vulnerability was found in Moodle where users with "Log in as" capability in a course context (typically, course managers) may gain access to some site administration capabilities by "logging in as" a System manager. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. This is fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

via "National Vulnerability Database".
‼ CVE-2020-25631 ‼

A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.

via "National Vulnerability Database".
‼ CVE-2020-25628 ‼

The filter in Moodle's tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.

via "National Vulnerability Database".
⚠ Vishing criminals let rip with two scams at once ⚠

It would be funny if it weren't a crime.

via "Naked Security".
🕴 Attackers Know Microsoft 365 Better Than You Do 🕴

Users have taken to Microsoft Office 365's tools, but many are unaware of free features that come with their accounts -- features that would keep them safe.

via "Dark Reading".
‼ CVE-2020-29539 ‼

A Cross-Site Scripting (XSS) issue in WebUI Translation in Systran Pure Neural Server before 9.7.0 allows a threat actor to have a remote authenticated user run JavaScript from a malicious site.

via "National Vulnerability Database".
‼ CVE-2020-25889 ‼

A SQL injection vulnerability in Online Bus Booking System Project Using PHP/MySQL version 1.0 allows remote attackers to bypass authentication and execute arbitrary SQL commands.

via "National Vulnerability Database".
‼ CVE-2020-25955 ‼

There is a cross-site scripting (XSS) vulnerability in SourceCodester Student Management System Project in PHP 1.0 via the 'add subject' tab.

via "National Vulnerability Database".
‼ CVE-2020-29540 ‼

API calls in the Translation API feature in Systran Pure Neural Server before 9.7.0 allow a threat actor to use the Systran Pure Neural Server as a Denial-of-Service proxy by sending a large amount of translation requests to a destination host on any given TCP port regardless of whether a web service is running on the destination port.

via "National Vulnerability Database".
‼ CVE-2020-17531 ‼

A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.

via "National Vulnerability Database".
🦿 How the coronavirus outbreak will affect cybersecurity in 2021 🦿

Ensuring security for employees working remotely was cited as the biggest challenge going into the new year, says Check Point.

via "Tech Republic".
❌ Adobe Warns Windows, macOS Users of Critical-Severity Flaws ❌

Adobe fixed three critical-severity flaws in Adobe Prelude, Adobe Experience Manager and Adobe Lightroom.

via "Threat Post".
🛠 OpenSSL Toolkit 1.1.1i 🛠

OpenSSL is a robust, fully featured open-source toolkit implementing the Transport Layer Security (TLS) protocol, up to and including TLS 1.3 in the 1.1.1 series, together with a general-purpose cryptography library.

via "Packet Storm Security".