‼ CVE-2020-3471 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in Cisco Webex Meetings and Cisco Webex Meetings Server could allow an unauthenticated, remote attacker to maintain bidirectional audio despite being expelled from an active Webex session. The vulnerability is due to a synchronization issue between meeting and media services on a vulnerable Webex site. An attacker could exploit this vulnerability by sending crafted requests to a vulnerable Cisco Webex Meetings or Cisco Webex Meetings Server site. A successful exploit could allow the attacker to maintain the audio connection of a Webex session despite being expelled.📖 Read
via "National Vulnerability Database".
❌ Widespread Scans Underway for RCE Bugs in WordPress Websites ❌
📖 Read
via "Threat Post".
WordPress websites using buggy Epsilon Framework themes are being hunted by hackers.📖 Read
via "Threat Post".
Threat Post
Widespread Scans Underway for RCE Bugs in WordPress Websites
WordPress websites using buggy Epsilon Framework themes are being hunted by hackers.
🕴 Online Shopping Surge Puts Focus on Consumer Security Habits 🕴
📖 Read
via "Dark Reading".
Companies will have to tread a fine line between delivering security and a frictionless shopping experience, security firms say.📖 Read
via "Dark Reading".
Dark Reading
Online Shopping Surge Puts Focus on Consumer Security Habits
Companies will have to tread a fine line between delivering security and a frictionless shopping experience, security firms say.
🕴 Cisco Webex Vulns Let 'Ghost' Attendees Spy on Meetings 🕴
📖 Read
via "Dark Reading".
Three vulnerabilities, patched today, could let an attacker snoop on meetings undetected after the host removes them.📖 Read
via "Dark Reading".
Dark Reading
Cisco Webex Vulns Let 'Ghost' Attendees Spy on Meetings
Three vulnerabilities, patched today, could let an attacker snoop on meetings undetected after the host removes them.
‼ CVE-2020-26215 ‼
📖 Read
via "National Vulnerability Database".
Jupyter Notebook before version 6.1.5 has an Open redirect vulnerability. A maliciously crafted link to a notebook server could redirect the browser to a different website. All notebook servers are technically affected, however, these maliciously crafted links can only be reasonably made for known notebook server hosts. A link to your notebook server may appear safe, but ultimately redirect to a spoofed server on the public internet. The issue is patched in version 6.1.5.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-22723 ‼
📖 Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in Beijing Liangjing Zhicheng Technology Co., Ltd ljcmsshop version 1.14 allows remote attackers to inject arbitrary web script or HTML via user.php by registering an account directly in the user center, and then adding the payload to the delivery address.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-15301 ‼
📖 Read
via "National Vulnerability Database".
SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26226 ‼
📖 Read
via "National Vulnerability Database".
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-14208 ‼
📖 Read
via "National Vulnerability Database".
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-15300 ‼
📖 Read
via "National Vulnerability Database".
SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13799 ‼
📖 Read
via "National Vulnerability Database".
Western Digital iNAND devices through 2020-06-03 allow Authentication Bypass via a capture-replay attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25454 ‼
📖 Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13356 ‼
📖 Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: >=8.8.9, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-12412 ‼
📖 Read
via "National Vulnerability Database".
A flaw in the libapreq2 v2.07 to v2.13 multipart parser can deference a null pointer leading to a process crash. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13359 ‼
📖 Read
via "National Vulnerability Database".
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13355 ‼
📖 Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.📖 Read
via "National Vulnerability Database".
🔏 Friday Five 11/20 🔏
📖 Read
via "Digital Guardian".
IoT legislation, automation in cybersecurity, and privacy rights - catch up on all of the week's infosec news with the Friday Five!📖 Read
via "Digital Guardian".
Digital Guardian
Friday Five 11/20
IoT legislation, automation in cybersecurity, and privacy rights - catch up on all of the week's infosec news with the Friday Five!
‼ CVE-2020-13671 ‼
📖 Read
via "National Vulnerability Database".
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-19667 ‼
📖 Read
via "National Vulnerability Database".
Stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c in ImageMagick 7.0.10-7.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-7842 ‼
📖 Read
via "National Vulnerability Database".
Improper Input validation vulnerability exists in Netis Korea D'live AP which could cause arbitrary command injection and execution when the time setting (using ntpServerlp1 parameter) for the users. This affects D'live set-top box AP(WF2429TB) v1.1.10.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28877 ‼
📖 Read
via "National Vulnerability Database".
Buffer overflow in in the copy_msg_element function for the devDiscoverHandle server in the TP-Link WR and WDR series, including WDR7400, WDR7500, WDR7660, WDR7800, WDR8400, WDR8500, WDR8600, WDR8620, WDR8640, WDR8660, WR880N, WR886N, WR890N, WR890N, WR882N, and WR708N.📖 Read
via "National Vulnerability Database".