βΌ CVE-2020-16103 βΌ
π Read
via "National Vulnerability Database".
Type confusion in Gallagher Command Centre Server allows a remote attacker to crash the server or possibly cause remote code execution. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); version 8.00 and prior versions.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8169 βΌ
π Read
via "National Vulnerability Database".
curl 7.62.0 through 7.70.0 is vulnerable to an information disclosure vulnerability that can lead to a partial password being leaked over the network and to the DNS server(s).π Read
via "National Vulnerability Database".
βΌ CVE-2020-16104 βΌ
π Read
via "National Vulnerability Database".
SQL Injection vulnerability in Enterprise Data Interface of Gallagher Command Centre allows a remote attacker with 'Edit Enterprise Data Interfaces' privilege to execute arbitrary SQL against a third party database if EDI is configured to import data from this database. This issue affects: Gallagher Command Centre 8.30 versions prior to 8.30.1236(MR1); 8.20 versions prior to 8.20.1166(MR3); 8.10 versions prior to 8.10.1211(MR5); 8.00 versions prior to 8.00.1228(MR6); version 7.90 and prior versions.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8257 βΌ
π Read
via "National Vulnerability Database".
Improper privilege management on services run by Citrix Gateway Plug-in for Windows, versions before and including 13.0-61.48 and 12.1-58.15, lead to privilege escalation attacksπ Read
via "National Vulnerability Database".
βΌ CVE-2020-8284 βΌ
π Read
via "National Vulnerability Database".
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8258 βΌ
π Read
via "National Vulnerability Database".
Improper privilege management on services run by Citrix Gateway Plug-in for Windows, versions before and including 13.0-61.48 and 12.1-58.15, allows an attacker to modify arbitrary files.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25183 βΌ
π Read
via "National Vulnerability Database".
Medtronic MyCareLink Smart 25000 all versions contain an authentication protocol vuln where the method used to auth between MCL Smart Patient Reader and MyCareLink Smart mobile app is vulnerable to bypass. This vuln allows attacker to use other mobile device or malicious app on smartphone to auth to the patientΓ’β¬β’s Smart Reader, fools the device into thinking its communicating with the actual smart phone application when executed in range of Bluetooth.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28861 βΌ
π Read
via "National Vulnerability Database".
OpenAsset Digital Asset Management (DAM) 12.0.19 and earlier failed to implement access controls on /Stream/ProjectsCSV endpoint, allowing unauthenticated attackers to gain access to potentially sensitive project information stored by the application.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28857 βΌ
π Read
via "National Vulnerability Database".
OpenAsset Digital Asset Management (DAM) through 12.0.19, does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for stored cross-site scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25187 βΌ
π Read
via "National Vulnerability Database".
Medtronic MyCareLink Smart 25000 all versions are vulnerable when an attacker who gains auth runs a debug command, which is sent to the reader causing heap overflow in the MCL Smart Reader stack. A heap overflow allows attacker to remotely execute code on the MCL Smart Reader, could lead to control of device.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8282 βΌ
π Read
via "National Vulnerability Database".
A security issue was found in EdgePower 24V/54V firmware v1.7.0 and earlier where, due to missing CSRF protections, an attacker would have been able to perform unauthorized remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29511 βΌ
π Read
via "National Vulnerability Database".
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8177 βΌ
π Read
via "National Vulnerability Database".
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20183 βΌ
π Read
via "National Vulnerability Database".
Insecure direct object reference vulnerability in ZyxelΓ’β¬β’s P1302-T10 v3 with firmware version 2.00(ABBX.3) and earlier allows attackers to gain privileges and access certain admin pages.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29303 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the SabaiApp Directories Pro plugin 1.3.45 for WordPress allows remote attackers to inject arbitrary web script or HTML via a POST to /wp-admin/admin.php?page=drts/directories&q=%2F with _drts_form_build_id parameter containing the XSS payload and _t_ parameter set to an invalid or non-existent CSRF token.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20184 βΌ
π Read
via "National Vulnerability Database".
GateOne allows remote attackers to execute arbitrary commands via shell metacharacters in the port field when attempting an SSH connection.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28858 βΌ
π Read
via "National Vulnerability Database".
OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly verify whether a request made to the application was intentionally made by the user, allowing for cross-site request forgery attacks on all user functions.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28860 βΌ
π Read
via "National Vulnerability Database".
OpenAssetDigital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input, incorporating it into its SQL queries, allowing for authenticated blind SQL injection.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28859 βΌ
π Read
via "National Vulnerability Database".
OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for reflected cross-site scripting attacks.π Read
via "National Vulnerability Database".
π΄ 18,000 Organizations Possibly Compromised in Massive Supply-Chain Cyberattack π΄
π Read
via "Dark Reading".
Nation-state attackers used poisoned SolarWinds network management software updates to distribute malware; US government orders federal civilian agencies to immediately power down the technology.π Read
via "Dark Reading".
Dark Reading
18,000 Organizations Possibly Compromised in Massive Supply-Chain Cyberattack
Nation-state attackers used poisoned SolarWinds network management software updates to distribute malware; US government orders federal civilian agencies to immediately power down the technology.
π¦Ώ 5 building blocks of a well-developed security culture π¦Ώ
π Read
via "Tech Republic".
A defined security culture is helping the financial industry, though the fundamentals should apply to any business.π Read
via "Tech Republic".
TechRepublic
5 building blocks of a well-developed security culture
A defined security culture is helping the financial industry, though the fundamentals should apply to any business.