‼ CVE-2020-7788 ‼
This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype of the application: the parser uses the section name as an object key, so a [__proto__] section writes its keys into Object.prototype. This can be exploited further depending on the context.
via "National Vulnerability Database".
‼ CVE-2020-7790 ‼
This affects the package spatie/browsershot from 0.0.0. By specifying a URL with the file:// protocol an attacker is able to include arbitrary local files in the resulting PDF.
via "National Vulnerability Database".
🔏 Friday Five 12/11 🔏
New federal cyber initiatives, phishing campaigns, and anti-trust lawsuits: catch up on all of the week's infosec news with the Friday Five!
via "Digital Guardian".
🕴 Penetration Testing: A Road Map for Improving Outcomes 🕴
As cybersecurity incidents grow more sophisticated, assessing security posture effectively requires emulating real-world adversaries' tools, tactics, and procedures during testing activities.
via "Dark Reading".
‼ CVE-2020-17515 ‼
The "origin" parameter passed to some endpoints, such as '/trigger', was vulnerable to cross-site scripting (XSS). This issue affects Apache Airflow versions prior to 1.10.13. It is the same issue as CVE-2020-13944, but the fix implemented in Airflow 1.10.13 did not resolve it completely.
via "National Vulnerability Database".
‼ CVE-2020-7793 ‼
The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes (see the fixing commit referenced in the advisory for details).
via "National Vulnerability Database".
🦿 IoT standards: The US government must create them, and businesses will follow 🦿
The Internet of Things is still in its Wild West phase of development. Standardization is necessary to ensure safety and easier integration.
via "Tech Republic".
🦿 How cybercriminals are now exploiting COVID-19 vaccines 🦿
Vaccine-related phishing emails and domains are popping up, while criminals are selling phony vaccines via the Dark Web, says Check Point.
via "Tech Republic".
‼ CVE-2020-7537 ‼
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in Modicon M580, Modicon M340, and the legacy controllers Modicon Quantum and Modicon Premium (see the security notifications for affected versions), that could cause a denial of service when a specially crafted Read Physical Memory request over Modbus is sent to the controller.
via "National Vulnerability Database".
‼ CVE-2020-28220 ‼
A CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists in Modicon M258 firmware (all versions prior to V5.0.4.11) and SoMachine/SoMachine Motion software (all versions), that could cause a buffer overflow because the length of a file transferred to the web server is not verified.
via "National Vulnerability Database".
‼ CVE-2020-7535 ‼
A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists in the web server on Modicon M340, the legacy offers Modicon Quantum and Modicon Premium, and associated communication modules (see the security notification for affected versions), that could cause disclosure of information when a specially crafted request is sent to the controller over HTTP.
via "National Vulnerability Database".
‼ CVE-2020-26409 ‼
A DoS vulnerability exists in GitLab CE/EE >=10.3 and <13.4.7, >=13.5 and <13.5.5, and >=13.6 and <13.6.2 that allows an attacker to trigger uncontrolled resource consumption by bypassing input validation in markdown fields.
via "National Vulnerability Database".
‼ CVE-2020-7539 ‼
A CWE-754: Improper Check for Unusual or Exceptional Conditions vulnerability exists in the web server on Modicon M340, the legacy offers Modicon Quantum and Modicon Premium, and associated communication modules (see the security notification for affected versions), that could cause a denial of service when a specially crafted packet is sent to the controller over HTTP.
via "National Vulnerability Database".
‼ CVE-2020-28214 ‼
A CWE-760: Use of a One-Way Hash with a Predictable Salt vulnerability exists in Modicon M221 (all references, all versions), that could allow an attacker to pre-compute hash values using techniques such as rainbow tables, effectively defeating the protection that an unpredictable salt would provide.
via "National Vulnerability Database".
‼ CVE-2020-26415 ‼
Information about the starred projects of private user profiles was exposed via the GraphQL API starting from 12.2 and via the REST API. This affects GitLab >=12.2 and <13.4.7, >=13.5 and <13.5.5, and >=13.6 and <13.6.2.
via "National Vulnerability Database".
‼ CVE-2020-13357 ‼
An issue discovered in GitLab CE/EE versions >=13.1 and <13.4.7, >=13.5 and <13.5.5, and >=13.6 and <13.6.2 allowed an unauthorized user to access the user list associated with a feature flag in a project.
via "National Vulnerability Database".
‼ CVE-2020-7789 ‼
This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines because the options parameters are not sanitised when they are passed as an array.
via "National Vulnerability Database".
‼ CVE-2020-7792 ‼
This affects all versions of the package mout. The deepFillIn function can be used to 'fill missing properties recursively', while deepMixIn 'mixes objects into the target object, recursively mixing existing child objects as well'. In both cases the key used to access the target object recursively is not checked, leading to Prototype Pollution.
via "National Vulnerability Database".
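The ini entry (CVE-2020-7788) and the mout entry (CVE-2020-7792) share one root cause: an attacker-controlled string is used unchecked as a property key, and in JavaScript the key `__proto__` resolves to Object.prototype. The block below is an added example written for this page; it is not code from the ini or mout packages. It builds a minimal INI parser and a recursive deep-merge in the shape those packages used, puts a hardened version next to each, and runs a small harness that reports whether an unrelated object picked up a property. The function names, the `DANGEROUS_KEYS` set and the two payloads are this example's own constructions.

```javascript
'use strict';
// Added example (not ini or mout source): prototype pollution through an
// unchecked section name (INI parser) and an unchecked merge key (deep merge).

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']); // example's own list
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// CVE-2020-7788 shape: the section name is used directly as a key of `out`.
function parseIniVulnerable(text) {
  const out = {};
  let section = out;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const sec = /^\[(.*)\]$/.exec(line);
    if (sec) {
      // out['__proto__'] resolves to Object.prototype, so every key/value that
      // follows a [__proto__] header is written onto the shared prototype.
      section = out[sec[1]] = out[sec[1]] || {};
      continue;
    }
    const kv = /^([^=]+)=(.*)$/.exec(line);
    if (kv) section[kv[1].trim()] = kv[2].trim();
  }
  return out;
}

// Hardened parser: null-prototype containers plus a deny-list on names.
function parseIniSafe(text) {
  const out = Object.create(null);               // no inherited __proto__ accessor
  let section = out;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line[0] === ';' || line[0] === '#') continue;
    const sec = /^\[(.*)\]$/.exec(line);
    if (sec) {
      if (DANGEROUS_KEYS.has(sec[1])) {            // drop the section and its keys
        section = Object.create(null);
        continue;
      }
      if (!hasOwn(out, sec[1])) out[sec[1]] = Object.create(null);
      section = out[sec[1]];
      continue;
    }
    const kv = /^([^=]+)=(.*)$/.exec(line);
    if (kv && !DANGEROUS_KEYS.has(kv[1].trim())) section[kv[1].trim()] = kv[2].trim();
  }
  return out;
}

// CVE-2020-7792 shape: recursive merge that trusts every source key.
function deepMixInVulnerable(target, source) {
  for (const key in source) {
    const val = source[key];
    // For key '__proto__', target[key] is Object.prototype and the recursion writes into it.
    if (isObject(val) && isObject(target[key])) deepMixInVulnerable(target[key], val);
    else target[key] = val;
  }
  return target;
}

// Hardened merge: skip dangerous keys and only recurse into own properties.
function deepMixInSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;         // never walk into the prototype chain
    const val = source[key];
    if (isObject(val) && hasOwn(target, key) && isObject(target[key])) deepMixInSafe(target[key], val);
    else target[key] = val;
  }
  return target;
}

// Runs fn and reports whether a bystander object gained a 'polluted' property;
// Object.prototype is restored afterwards so later checks start clean.
function pollutesPrototype(fn) {
  const bystander = {};
  try {
    fn();
    return bystander.polluted !== undefined;
  } finally {
    delete Object.prototype.polluted;
  }
}

// Constructed payloads for the demo.
const INI_PAYLOAD = '[__proto__]\npolluted = yes\n';
const MERGE_PAYLOAD = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // JSON.parse makes an own key

function runDemo() {
  return {
    iniVulnerable: pollutesPrototype(() => parseIniVulnerable(INI_PAYLOAD)),   // true
    iniSafe: pollutesPrototype(() => parseIniSafe(INI_PAYLOAD)),               // false
    mergeVulnerable: pollutesPrototype(() => deepMixInVulnerable({}, MERGE_PAYLOAD)), // true
    mergeSafe: pollutesPrototype(() => deepMixInSafe({}, MERGE_PAYLOAD)),      // false
  };
}

console.log(runDemo());
```

Note that the JSON payload matters: an object literal `{ "__proto__": {...} }` in source code sets the prototype, whereas `JSON.parse` creates an own property named `__proto__`, which is exactly what for..in and Object.keys hand to a merge routine. Deny-listing three names is the minimal fix; null-prototype containers (Object.create(null)) or a Map for parsed data remove the accessor altogether.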