‼ CVE-2020-26255 ‼
📖 Read
via "National Vulnerability Database".
Kirby is a CMS. In Kirby CMS (getkirby/cms) before version 3.4.5, and Kirby Panel before version 2.5.14 , an editor with full access to the Kirby Panel can upload a PHP .phar file and execute it on the server. This vulnerability is critical if you might have potential attackers in your group of authenticated Panel users, as they can gain access to the server with such a Phar file. Visitors without Panel access *cannot* use this attack vector. The problem has been patched in Kirby 2.5.14 and Kirby 3.4.5. Please update to one of these or a later version to fix the vulnerability. Note: Kirby 2 reaches end of life on December 31, 2020. We therefore recommend to upgrade your Kirby 2 sites to Kirby 3. If you cannot upgrade, we still recommend to update to Kirby 2.5.14.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29564 ‼
📖 Read
via "National Vulnerability Database".
The official Consul Docker images 0.7.1 through 1.4.2 contain a blank password for a root user. System using the Consul Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29579 ‼
📖 Read
via "National Vulnerability Database".
The official Express Gateway Docker images before 1.14.0 contain a blank password for a root user. Systems using the Express Gateway Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29580 ‼
📖 Read
via "National Vulnerability Database".
The official storm Docker images before 1.2.1 contain a blank password for a root user. Systems using the Storm Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-1971 ‼
📖 Read
via "National Vulnerability Database".
The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue. Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w).📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29601 ‼
📖 Read
via "National Vulnerability Database".
The official notary docker images before signer-0.6.1-1 contain a blank password for a root user. System using the notary docker container deployed by affected versions of the docker image may allow an remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29602 ‼
📖 Read
via "National Vulnerability Database".
The official irssi docker images before 1.1-alpine (Alpine specific) contain a blank password for a root user. System using the irssi docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29576 ‼
📖 Read
via "National Vulnerability Database".
The official eggdrop Docker images before 1.8.4rc2 contain a blank password for a root user. Systems using the Eggdrop Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29581 ‼
📖 Read
via "National Vulnerability Database".
The official spiped docker images before 1.5-alpine contain a blank password for a root user. Systems using the spiped docker container deployed by affected versions of the docker image may allow an remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26254 ‼
📖 Read
via "National Vulnerability Database".
omniauth-apple is the OmniAuth strategy for "Sign In with Apple" (RubyGem omniauth-apple). In omniauth-apple before version 1.0.1 attackers can fake their email address during authentication. This vulnerability impacts applications using the omniauth-apple strategy of OmniAuth and using the info.email field of OmniAuth's Auth Hash Schema for any kind of identification. The value of this field may be set to any value of the attacker's choice including email addresses of other users. Applications not using info.email for identification but are instead using the uid field are not impacted in the same manner. Note, these applications may still be negatively affected if the value of info.email is being used for other purposes. Applications using affected versions of omniauth-apple are advised to upgrade to omniauth-apple version 1.0.1 or later.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29578 ‼
📖 Read
via "National Vulnerability Database".
The official piwik Docker images before fpm-alpine (Alpine specific) contain a blank password for a root user. Systems using the Piwik Docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29577 ‼
📖 Read
via "National Vulnerability Database".
The official znc docker images before 1.7.1-slim contain a blank password for a root user. Systems using the znc docker container deployed by affected versions of the Docker image may allow an remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
❌ Critical, Unpatched Bug Opens GE Radiological Devices to Remote Code Execution ❌
📖 Read
via "Threat Post".
A CISA alert is flagging a critical default credentials issue that affects 100+ types of devices found in hospitals, from MRI machines to surgical imaging.📖 Read
via "Threat Post".
Threat Post
Critical, Unpatched Bugs Open GE Radiological Devices to Remote Code Execution
A CISA alert is flagging a critical default credentials issue that affects 100+ types of devices found in hospitals, from MRI machines to surgical imaging.
🦿 How to protect yourself from gift card scams 🦿
📖 Read
via "Tech Republic".
With the holiday season in bloom, watch out for scams that promise free gift cards or offer to check your gift card balance, says Bolster.📖 Read
via "Tech Republic".
TechRepublic
How to protect yourself from gift card scams
With the holiday season in bloom, watch out for scams that promise free gift cards or offer to check your gift card balance, says Bolster.
🦿 Linux Foundation debuts new, secure, open source cloud native access management software platform 🦿
📖 Read
via "Tech Republic".
Based on the Gluu server, the Janssen Project prioritizes security and performance and features signing and encryption functionalities.📖 Read
via "Tech Republic".
TechRepublic
Linux Foundation debuts new, secure, open source cloud native access management software platform
Based on the Gluu server, the Janssen Project prioritizes security and performance and features signing and encryption functionalities.
🕴 Keeping Cyber Secure at Christmas 🕴
📖 Read
via "Dark Reading".
Sylvain Cortes, Security Evangelist and cybersecurity expert at Alsid, highlights the need for security departments to raise awareness through their organizations over cyber threats this Christmas.📖 Read
via "Dark Reading".
Dark Reading
Keeping Cyber Secure at Christmas
Sylvain Cortes, Security Evangelist and cybersecurity expert at Alsid, highlights the need for security departments to raise awareness through their organizations over cyber threats this Christmas.
🕴 Fortinet Purchases Panopta 🕴
📖 Read
via "Dark Reading".
The acquisition is intended to improve the visibility and automated response capabilities of Fortinet's Security Fabri.📖 Read
via "Dark Reading".
Dark Reading
Fortinet Purchases Panopta
The acquisition is intended to improve the visibility and automated response capabilities of Fortinet's Security Fabri.
🕴 Gula Tech Foundation to Award $1M in Grants to Infosec Nonprofits 🕴
📖 Read
via "Dark Reading".
The first Gula Tech Foundation competitive grant program will focus on increasing African American engagement in cybersecurity.📖 Read
via "Dark Reading".
Dark Reading
Gula Tech Foundation to Award $1M in Grants to Infosec Nonprofits
The first Gula Tech Foundation competitive grant program will focus on increasing African American engagement in cybersecurity.
🕴 Why Compliance Is No Longer King for Financial Services Cybersecurity 🕴
📖 Read
via "Dark Reading".
Financial services companies' experience in risk management serves them well when it comes to minimizing their cyber-risk.📖 Read
via "Dark Reading".
Dark Reading
Why Compliance Is No Longer King for Financial Services Cybersecurity
Financial services companies' experience in risk management serves them well when it comes to minimizing their cyber-risk.
❌ The Remote-Work Transition Shifts Demand for Cyber Skills ❌
📖 Read
via "Threat Post".
According to Cyberseek, an interactive mapping tool that tracks the current state of the security job market, there are more than half a million open cybersecurity positions available in the U.S. alone (522,000).📖 Read
via "Threat Post".
Threat Post
The Remote-Work Transition Shifts Demand for Cyber Skills
According to Cyberseek, there are more than half a million open cybersecurity positions available in the U.S. alone (522,000).
🕴 Dragos Nets $110M in Series C Led by Major Global Energy, Manufacturing, Oil & Gas Company Investors 🕴
📖 Read
via "Dark Reading".
National Grid Partners, Saudi Aramco Energy Ventures, and Hewlett Packard Enterprise led the latest funding round for the ICS/OT security company.📖 Read
via "Dark Reading".
Dark Reading
Dragos Nets $110M in Series C Led by Major Global Energy, Manufacturing, Oil & Gas Company Investors
National Grid Partners, Saudi Aramco Energy Ventures, and Hewlett Packard Enterprise led the latest funding round for the ICS/OT security company.