‼ CVE-2020-28838 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) in CART option in OpenCart Ltd. Opencart CMS 3.0.3.6 allows attacker to add cart items via Add to cart.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-15357 ‼
📖 Read
via "National Vulnerability Database".
Network Analysis functionality in Askey AP5100W_Dual_SIG_1.01.097 and all prior versions allows remote attackers to execute arbitrary commands via a shell metacharacter in the ping, traceroute, or route options.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35144 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29590 ‼
📖 Read
via "National Vulnerability Database".
Versions of the Official teamspeak Docker images through 3.6.0 contain a blank password for the root user. Systems deployed using affected versions of the teamspeak container may allow a remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29254 ‼
📖 Read
via "National Vulnerability Database".
TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-15023 ‼
📖 Read
via "National Vulnerability Database".
Askey AP5100W devices through AP5100W_Dual_SIG_1.01.097 are affected by WPS PIN offline brute-force cracking. This arises because of issues with the random number selection for the Diffie-Hellman exchange. By capturing an attempted (and even failed) WPS authentication attempt, it is possible to brute force the overall authentication exchange. This allows an attacker to obtain the recovered WPS PIN in minutes or even seconds, and eventually obtain the Wi-Fi PSK key, gaining access to the Wi=Fi network.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-12149 ‼
📖 Read
via "National Vulnerability Database".
The configuration backup/restore function in Silver Peak Unity ECOSTM (ECOS) appliance software was found to directly incorporate the user-controlled config filename in a subsequent shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. This vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI. This affects ll current ECOS versions: 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29591 ‼
📖 Read
via "National Vulnerability Database".
Versions of the Official registry Docker images through 2.7.0 contain a blank password for the root user. Systems deployed using affected versions of the registry container may allow a remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29589 ‼
📖 Read
via "National Vulnerability Database".
Versions of the Official kapacitor Docker images through 1.5.0-alpine contain a blank password for the root user. Systems deployed using affected versions of the kapacitor container may allow a remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-4633 ‼
📖 Read
via "National Vulnerability Database".
IBM Resilient SOAR V38.0 could allow a remote attacker to execute arbitrary code on the system, caused by formula injection due to improper input validation.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27508 ‼
📖 Read
via "National Vulnerability Database".
In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security.📖 Read
via "National Vulnerability Database".
❌ Feds: K-12 Cyberattacks Dramatically on the Rise ❌
📖 Read
via "Threat Post".
Attackers are targeting students and faculty alike with malware, phishing, DDoS, Zoom bombs and more, the FBI and CISA said.📖 Read
via "Threat Post".
Threat Post
Feds: K-12 Cyberattacks Dramatically on the Rise
Attackers are targeting students and faculty alike with malware, phishing, DDoS, Zoom bombs and more, the FBI and CISA said.
🕴 Microsoft Warns of Powerful New Adware 🕴
📖 Read
via "Dark Reading".
The new adware, dubbed Adrozek, is being distributed by large, well organized threat actors, according to Microsoft research.📖 Read
via "Dark Reading".
Dark Reading
Vulnerabilities & Threats recent news | Dark Reading
Explore the latest news and expert commentary on Vulnerabilities & Threats, brought to you by the editors of Dark Reading
‼ CVE-2020-29590 ‼
📖 Read
via "National Vulnerability Database".
Versions of the Official teamspeak Docker images through 3.6.0 contain a blank password for the root user. Systems deployed using affected versions of the teamspeak container may allow a remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29254 ‼
📖 Read
via "National Vulnerability Database".
TikiWiki 21.2 allows templates to be edited without CSRF protection. This could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected system. The vulnerability is due to insufficient CSRF protections for the web-based management interface of the affected system. An attacker could exploit this vulnerability by persuading a user of the interface to follow a maliciously crafted link. A successful exploit could allow the attacker to perform arbitrary actions on an affected system with the privileges of the user. These action include allowing attackers to submit their own code through an authenticated user resulting in local file Inclusion. If an authenticated user who is able to edit TikiWiki templates visits an malicious website, template code can be edited.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-15023 ‼
📖 Read
via "National Vulnerability Database".
Askey AP5100W devices through AP5100W_Dual_SIG_1.01.097 are affected by WPS PIN offline brute-force cracking. This arises because of issues with the random number selection for the Diffie-Hellman exchange. By capturing an attempted (and even failed) WPS authentication attempt, it is possible to brute force the overall authentication exchange. This allows an attacker to obtain the recovered WPS PIN in minutes or even seconds, and eventually obtain the Wi-Fi PSK key, gaining access to the Wi=Fi network.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-12149 ‼
📖 Read
via "National Vulnerability Database".
The configuration backup/restore function in Silver Peak Unity ECOSTM (ECOS) appliance software was found to directly incorporate the user-controlled config filename in a subsequent shell command, allowing an attacker to manipulate the resulting command by injecting valid OS command input. This vulnerability can be exploited by an attacker with authenticated access to the Orchestrator UI or EdgeConnect UI. This affects ll current ECOS versions: 8.1.9.15, 8.3.0.8, 8.3.1.2, 8.3.2.0, 9.0.2.0, and 9.1.0.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29591 ‼
📖 Read
via "National Vulnerability Database".
Versions of the Official registry Docker images through 2.7.0 contain a blank password for the root user. Systems deployed using affected versions of the registry container may allow a remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29589 ‼
📖 Read
via "National Vulnerability Database".
Versions of the Official kapacitor Docker images through 1.5.0-alpine contain a blank password for the root user. Systems deployed using affected versions of the kapacitor container may allow a remote attacker to achieve root access with a blank password.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-4633 ‼
📖 Read
via "National Vulnerability Database".
IBM Resilient SOAR V38.0 could allow a remote attacker to execute arbitrary code on the system, caused by formula injection due to improper input validation.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27508 ‼
📖 Read
via "National Vulnerability Database".
In two-factor authentication, the system also sending 2fa secret key in response, which enables an intruder to breach the 2fa security.📖 Read
via "National Vulnerability Database".