βΌ CVE-2020-25631 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was found in Moodle 3.9 to 3.9.1, 3.8 to 3.8.4 and 3.7 to 3.7.7 where it was possible to include JavaScript in a book's chapter title, which was not escaped on the "Add new chapter" page. This is fixed in 3.9.2, 3.8.5 and 3.7.8.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25628 βΌ
π Read
via "National Vulnerability Database".
The filter in the tag manager required extra sanitizing to prevent a reflected XSS risk. This affects 3.9 to 3.9.1, 3.8 to 3.8.4, 3.7 to 3.7.7, 3.5 to 3.5.13 and earlier unsupported versions. Fixed in 3.9.2, 3.8.5, 3.7.8 and 3.5.14.π Read
via "National Vulnerability Database".
β Vishing criminals let rip with two scams at once β
π Read
via "Naked Security".
It would be funny if it weren't a crime.π Read
via "Naked Security".
Naked Security
Vishing criminals let rip with two scams at once
It would be funny if it werenβt a crime.
π΄ Attackers Know Microsoft 365 Better Than You Do π΄
π Read
via "Dark Reading".
Users have taken to Microsoft Office 365's tools, but many are unaware of free features that come with their accounts -- features that would keep them safe.π Read
via "Dark Reading".
Darkreading
Attackers Know Microsoft 365 Better Than You Do
Users have taken to Microsoft Office 365's tools, but many are unaware of free features that come with their accounts -- features that would keep them safe.
βΌ CVE-2020-29539 βΌ
π Read
via "National Vulnerability Database".
A Cross-Site Scripting (XSS) issue in WebUI Translation in Systran Pure Neural Server before 9.7.0 allows a threat actor to have a remote authenticated user run JavaScript from a malicious site.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25889 βΌ
π Read
via "National Vulnerability Database".
A SQL injection vulnerability in Online Bus Booking System Project Using PHP/MySQL version 1.0 allows remote attackers to bypass authentication and execute arbitrary SQL commands.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25955 βΌ
π Read
via "National Vulnerability Database".
There is a cross-site scripting (XSS) vulnerability in SourceCodester Student Management System Project in PHP 1.0 via the 'add subject' tab.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29540 βΌ
π Read
via "National Vulnerability Database".
API calls in the Translation API feature in Systran Pure Neural Server before 9.7.0 allow a threat actor to use the Systran Pure Neural Server as a Denial-of-Service proxy by sending a large amount of translation requests to a destination host on any given TCP port regardless of whether a web service is running on the destination port.π Read
via "National Vulnerability Database".
βΌ CVE-2020-17531 βΌ
π Read
via "National Vulnerability Database".
A Java Serialization vulnerability was found in Apache Tapestry 4. Apache Tapestry 4 will attempt to deserialize the "sp" parameter even before invoking the page's validate method, leading to deserialization without authentication. Apache Tapestry 4 reached end of life in 2008 and no update to address this issue will be released. Apache Tapestry 5 versions are not vulnerable to this issue. Users of Apache Tapestry 4 should upgrade to the latest Apache Tapestry 5 version.π Read
via "National Vulnerability Database".
π¦Ώ How the coronavirus outbreak will affect cybersecurity in 2021 π¦Ώ
π Read
via "Tech Republic".
Ensuring security for employees working remotely was cited as the biggest challenge going into the new year, says Check Point.π Read
via "Tech Republic".
TechRepublic
How the coronavirus outbreak will affect cybersecurity in 2021
Ensuring security for employees working remotely was cited as the biggest challenge going into the new year, says Check Point.
β Adobe Warns Windows, macOS Users of Critical-Severity Flaws β
π Read
via "Threat Post".
Adobe fixed three critical-severity flaws in Adobe Prelude, Adobe Experience Manager and Adobe Lightroom.π Read
via "Threat Post".
Threat Post
Adobe Warns Windows, macOS Users of Critical-Severity Flaws
Adobe fixed three critical-severity flaws in Adobe Prelude, Adobe Experience Manager and Adobe Lightroom.
π OpenSSL Toolkit 1.1.1i π
π Read
via "Packet Storm Security".
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.π Read
via "Packet Storm Security".
Packetstormsecurity
OpenSSL Toolkit 1.1.1i β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
βΌ CVE-2020-29575 βΌ
π Read
via "National Vulnerability Database".
The official elixir Docker images before 1.8.0-alpine (Alpine specific) contain a blank password for a root user. Systems using the elixir Linux Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26255 βΌ
π Read
via "National Vulnerability Database".
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. Please update to one of these or a later version to fix the vulnerability. Note: Kirby 2 reaches end of life on December 31, 2020. We therefore recommend to upgrade your Kirby 2 sites to Kirby 3. If you cannot upgrade, we still recommend to update to Kirby 2.5.14.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29564 βΌ
π Read
via "National Vulnerability Database".
The official Consul Docker images 0.7.1 through 1.4.2 contain a blank password for a root user. System using the Consul Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29579 βΌ
π Read
via "National Vulnerability Database".
The official Express Gateway Docker images before 1.14.0 contain a blank password for a root user. Systems using the Express Gateway Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29580 βΌ
π Read
via "National Vulnerability Database".
The official storm Docker images before 1.2.1 contain a blank password for a root user. Systems using the Storm Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.π Read
via "National Vulnerability Database".
βΌ CVE-2020-1971 βΌ
π Read
via "National Vulnerability Database".
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).π Read
via "National Vulnerability Database".
βΌ CVE-2020-29601 βΌ
π Read
via "National Vulnerability Database".
The official notary docker images before signer-0.6.1-1 contain a blank password for a root user. System using the notary docker container deployed by affected versions of the docker image may allow an remote attacker to achieve root access with a blank password.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29602 βΌ
π Read
via "National Vulnerability Database".
The official irssi docker images before 1.1-alpine (Alpine specific) contain a blank password for a root user. System using the irssi docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29576 βΌ
π Read
via "National Vulnerability Database".
The official eggdrop Docker images before 1.8.4rc2 contain a blank password for a root user. Systems using the Eggdrop Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.π Read
via "National Vulnerability Database".