βΌ CVE-2020-8284 βΌ
π Read
via "National Vulnerability Database".
A malicious server can use the FTP PASV response to trick curl 7.73.0 and earlier into connecting back to a given IP address and port, and this way potentially make curl extract information about services that are otherwise private and not disclosed, for example doing port scanning and service banner extractions.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8258 βΌ
π Read
via "National Vulnerability Database".
Improper privilege management on services run by Citrix Gateway Plug-in for Windows, versions before and including 13.0-61.48 and 12.1-58.15, allows an attacker to modify arbitrary files.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25183 βΌ
π Read
via "National Vulnerability Database".
Medtronic MyCareLink Smart 25000 all versions contain an authentication protocol vuln where the method used to auth between MCL Smart Patient Reader and MyCareLink Smart mobile app is vulnerable to bypass. This vuln allows attacker to use other mobile device or malicious app on smartphone to auth to the patientΓ’β¬β’s Smart Reader, fools the device into thinking its communicating with the actual smart phone application when executed in range of Bluetooth.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28861 βΌ
π Read
via "National Vulnerability Database".
OpenAsset Digital Asset Management (DAM) 12.0.19 and earlier failed to implement access controls on /Stream/ProjectsCSV endpoint, allowing unauthenticated attackers to gain access to potentially sensitive project information stored by the application.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28857 βΌ
π Read
via "National Vulnerability Database".
OpenAsset Digital Asset Management (DAM) through 12.0.19, does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for stored cross-site scripting attacks.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25187 βΌ
π Read
via "National Vulnerability Database".
Medtronic MyCareLink Smart 25000 all versions are vulnerable when an attacker who gains auth runs a debug command, which is sent to the reader causing heap overflow in the MCL Smart Reader stack. A heap overflow allows attacker to remotely execute code on the MCL Smart Reader, could lead to control of device.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8282 βΌ
π Read
via "National Vulnerability Database".
A security issue was found in EdgePower 24V/54V firmware v1.7.0 and earlier where, due to missing CSRF protections, an attacker would have been able to perform unauthorized remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29511 βΌ
π Read
via "National Vulnerability Database".
The encoding/xml package in Go (all versions) does not correctly preserve the semantics of element namespace prefixes during tokenization round-trips, which allows an attacker to craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8177 βΌ
π Read
via "National Vulnerability Database".
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20183 βΌ
π Read
via "National Vulnerability Database".
Insecure direct object reference vulnerability in ZyxelΓ’β¬β’s P1302-T10 v3 with firmware version 2.00(ABBX.3) and earlier allows attackers to gain privileges and access certain admin pages.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29303 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the SabaiApp Directories Pro plugin 1.3.45 for WordPress allows remote attackers to inject arbitrary web script or HTML via a POST to /wp-admin/admin.php?page=drts/directories&q=%2F with _drts_form_build_id parameter containing the XSS payload and _t_ parameter set to an invalid or non-existent CSRF token.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20184 βΌ
π Read
via "National Vulnerability Database".
GateOne allows remote attackers to execute arbitrary commands via shell metacharacters in the port field when attempting an SSH connection.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28858 βΌ
π Read
via "National Vulnerability Database".
OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly verify whether a request made to the application was intentionally made by the user, allowing for cross-site request forgery attacks on all user functions.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28860 βΌ
π Read
via "National Vulnerability Database".
OpenAssetDigital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input, incorporating it into its SQL queries, allowing for authenticated blind SQL injection.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28859 βΌ
π Read
via "National Vulnerability Database".
OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for reflected cross-site scripting attacks.π Read
via "National Vulnerability Database".
π΄ 18,000 Organizations Possibly Compromised in Massive Supply-Chain Cyberattack π΄
π Read
via "Dark Reading".
Nation-state attackers used poisoned SolarWinds network management software updates to distribute malware; US government orders federal civilian agencies to immediately power down the technology.π Read
via "Dark Reading".
Dark Reading
18,000 Organizations Possibly Compromised in Massive Supply-Chain Cyberattack
Nation-state attackers used poisoned SolarWinds network management software updates to distribute malware; US government orders federal civilian agencies to immediately power down the technology.
π¦Ώ 5 building blocks of a well-developed security culture π¦Ώ
π Read
via "Tech Republic".
A defined security culture is helping the financial industry, though the fundamentals should apply to any business.π Read
via "Tech Republic".
TechRepublic
5 building blocks of a well-developed security culture
A defined security culture is helping the financial industry, though the fundamentals should apply to any business.
βΌ CVE-2020-25235 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). The password used for authentication for the LOGO! Website and the LOGO! Access Tool is sent in a recoverable format. An attacker with access to the network traffic could derive valid logins.π Read
via "National Vulnerability Database".
βΌ CVE-2019-19287 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow attackers to traverse through the file system of the server based by sending specially crafted packets over the network without authentication.π Read
via "National Vulnerability Database".
βΌ CVE-2020-15796 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in SIMATIC ET 200SP Open Controller (incl. SIPLUS variants) (V20.8), SIMATIC S7-1500 Software Controller (V20.8). The web server of the affected products contains a vulnerability that could allow a remote attacker to trigger a denial-of-service condition by sending a specially crafted HTTP request.π Read
via "National Vulnerability Database".
βΌ CVE-2020-14368 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an attacker to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.π Read
via "National Vulnerability Database".