‼ CVE-2020-15301 ‼
📖 Read
via "National Vulnerability Database".
SuiteCRM through 7.11.13 allows CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. These fields are mishandled during a Download Import File Template operation.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26226 ‼
📖 Read
via "National Vulnerability Database".
In the npm package semantic-release before version 17.2.3, secrets that would normally be masked by `semantic-release` can be accidentally disclosed if they contain characters that become encoded when included in a URL. Secrets that do not contain characters that become encoded when included in a URL are already masked properly. The issue is fixed in version 17.2.3.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-14208 ‼
📖 Read
via "National Vulnerability Database".
SuiteCRM 7.11.13 is affected by stored Cross-Site Scripting (XSS) in the Documents preview functionality. This vulnerability could allow remote authenticated attackers to inject arbitrary web script or HTML.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-15300 ‼
📖 Read
via "National Vulnerability Database".
SuiteCRM through 7.11.13 has an Open Redirect in the Documents module via a crafted SVG document.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13799 ‼
📖 Read
via "National Vulnerability Database".
Western Digital iNAND devices through 2020-06-03 allow Authentication Bypass via a capture-replay attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25454 ‼
📖 Read
via "National Vulnerability Database".
Cross-site Scripting (XSS) vulnerability in grocy 2.7.1 via the add recipe module, which gets executed when deleting the recipe.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13356 ‼
📖 Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.8.9. A specially crafted request could bypass Multipart protection and read files in certain specific paths on the server. Affected versions are: >=8.8.9, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-12412 ‼
📖 Read
via "National Vulnerability Database".
A flaw in the libapreq2 v2.07 to v2.13 multipart parser can deference a null pointer leading to a process crash. A remote attacker could send a request causing a process crash which could lead to a denial of service attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13359 ‼
📖 Read
via "National Vulnerability Database".
The Terraform API in GitLab CE/EE 12.10+ exposed the object storage signed URL on the delete operation allowing a malicious project maintainer to overwrite the Terraform state, bypassing audit and other business controls. Affected versions are >=12.10, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13355 ‼
📖 Read
via "National Vulnerability Database".
An issue has been discovered in GitLab CE/EE affecting all versions starting from 8.14. A path traversal is found in LFS Upload that allows attacker to overwrite certain specific paths on the server. Affected versions are: >=8.14, <13.3.9,>=13.4, <13.4.5,>=13.5, <13.5.2.📖 Read
via "National Vulnerability Database".
🔏 Friday Five 11/20 🔏
📖 Read
via "Digital Guardian".
IoT legislation, automation in cybersecurity, and privacy rights - catch up on all of the week's infosec news with the Friday Five!📖 Read
via "Digital Guardian".
Digital Guardian
Friday Five 11/20
IoT legislation, automation in cybersecurity, and privacy rights - catch up on all of the week's infosec news with the Friday Five!
‼ CVE-2020-13671 ‼
📖 Read
via "National Vulnerability Database".
Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-19667 ‼
📖 Read
via "National Vulnerability Database".
Stack-based buffer overflow and unconditional jump in ReadXPMImage in coders/xpm.c in ImageMagick 7.0.10-7.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-7842 ‼
📖 Read
via "National Vulnerability Database".
Improper Input validation vulnerability exists in Netis Korea D'live AP which could cause arbitrary command injection and execution when the time setting (using ntpServerlp1 parameter) for the users. This affects D'live set-top box AP(WF2429TB) v1.1.10.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28877 ‼
📖 Read
via "National Vulnerability Database".
Buffer overflow in in the copy_msg_element function for the devDiscoverHandle server in the TP-Link WR and WDR series, including WDR7400, WDR7500, WDR7660, WDR7800, WDR8400, WDR8500, WDR8600, WDR8620, WDR8640, WDR8660, WR880N, WR886N, WR890N, WR890N, WR882N, and WR708N.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-19668 ‼
📖 Read
via "National Vulnerability Database".
Unverified indexs into the array lead to out of bound access in the gif_out_code function in fromgif.c in libsixel 1.8.6.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25839 ‼
📖 Read
via "National Vulnerability Database".
NetIQ Identity Manager 4.8 prior to version 4.8 SP2 HF1 are affected by an injection vulnerability. This vulnerability is fixed in NetIQ IdM 4.8 SP2 HF1.📖 Read
via "National Vulnerability Database".
❌ New Grelos Skimmer Variants Siphon Credit Card Data ❌
📖 Read
via "Threat Post".
Domains related to the new variant of the Grelos web skimmer have compromised dozens of websites so far.📖 Read
via "Threat Post".
Threat Post
New Grelos Skimmer Variants Siphon Credit Card Data
Domains related to the new variant of the Grelos web skimmer have compromised dozens of websites so far.
‼ CVE-2020-28974 ‼
📖 Read
via "National Vulnerability Database".
A slab-out-of-bounds read in fbcon in the Linux kernel before 5.9.7 could be used by local attackers to read privileged information or potentially crash the kernel, aka CID-3c4e0dff2095. This occurs because KD_FONT_OP_COPY in drivers/tty/vt/vt.c can be used for manipulations such as font height.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26236 ‼
📖 Read
via "National Vulnerability Database".
In ScratchVerifier before commit a603769, an attacker can hijack the verification process to log into someone else's account on any site that uses ScratchVerifier for logins. A possible exploitation would follow these steps: 1. User starts login process. 2. Attacker attempts login for user, and is given the same verification code. 3. User comments code as part of their normal login. 4. Before user can, attacker completes the login process now that the code is commented. 5. User gets a failed login and attacker now has control of the account. Since commit a603769 starting a login twice will generate different verification codes, causing both user and attacker login to fail. For clients that rely on a clone of ScratchVerifier not hosted by the developers, their users may attempt to finish the login process as soon as possible after commenting the code. There is no reliable way for the attacker to know before the user can finish the process that the user has commented the code, so this vulnerability only really affects those who comment the code and then take several seconds before finishing the login.📖 Read
via "National Vulnerability Database".
🕴 How Industrial IoT Security Can Catch Up With OT/IT Convergence 🕴
📖 Read
via "Dark Reading".
Ransomware can easily make a connection between IT and OT already. How can blue teams do the same?📖 Read
via "Dark Reading".
Dark Reading
How Industrial IoT Security Can Catch Up With OT/IT Convergence
Ransomware can easily make a connection between IT and OT already. How can blue teams do the same?