βΌ CVE-2020-8177 βΌ
π Read
via "National Vulnerability Database".
curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20183 βΌ
π Read
via "National Vulnerability Database".
Insecure direct object reference vulnerability in ZyxelΓ’β¬β’s P1302-T10 v3 with firmware version 2.00(ABBX.3) and earlier allows attackers to gain privileges and access certain admin pages.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29303 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the SabaiApp Directories Pro plugin 1.3.45 for WordPress allows remote attackers to inject arbitrary web script or HTML via a POST to /wp-admin/admin.php?page=drts/directories&q=%2F with _drts_form_build_id parameter containing the XSS payload and _t_ parameter set to an invalid or non-existent CSRF token.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20184 βΌ
π Read
via "National Vulnerability Database".
GateOne allows remote attackers to execute arbitrary commands via shell metacharacters in the port field when attempting an SSH connection.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28858 βΌ
π Read
via "National Vulnerability Database".
OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly verify whether a request made to the application was intentionally made by the user, allowing for cross-site request forgery attacks on all user functions.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28860 βΌ
π Read
via "National Vulnerability Database".
OpenAssetDigital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input, incorporating it into its SQL queries, allowing for authenticated blind SQL injection.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28859 βΌ
π Read
via "National Vulnerability Database".
OpenAsset Digital Asset Management (DAM) through 12.0.19 does not correctly sanitize user supplied input in multiple parameters and endpoints, allowing for reflected cross-site scripting attacks.π Read
via "National Vulnerability Database".
π΄ 18,000 Organizations Possibly Compromised in Massive Supply-Chain Cyberattack π΄
π Read
via "Dark Reading".
Nation-state attackers used poisoned SolarWinds network management software updates to distribute malware; US government orders federal civilian agencies to immediately power down the technology.π Read
via "Dark Reading".
Dark Reading
18,000 Organizations Possibly Compromised in Massive Supply-Chain Cyberattack
Nation-state attackers used poisoned SolarWinds network management software updates to distribute malware; US government orders federal civilian agencies to immediately power down the technology.
π¦Ώ 5 building blocks of a well-developed security culture π¦Ώ
π Read
via "Tech Republic".
A defined security culture is helping the financial industry, though the fundamentals should apply to any business.π Read
via "Tech Republic".
TechRepublic
5 building blocks of a well-developed security culture
A defined security culture is helping the financial industry, though the fundamentals should apply to any business.
βΌ CVE-2020-25235 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). The password used for authentication for the LOGO! Website and the LOGO! Access Tool is sent in a recoverable format. An attacker with access to the network traffic could derive valid logins.π Read
via "National Vulnerability Database".
βΌ CVE-2019-19287 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow attackers to traverse through the file system of the server based by sending specially crafted packets over the network without authentication.π Read
via "National Vulnerability Database".
βΌ CVE-2020-15796 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in SIMATIC ET 200SP Open Controller (incl. SIPLUS variants) (V20.8), SIMATIC S7-1500 Software Controller (V20.8). The web server of the affected products contains a vulnerability that could allow a remote attacker to trigger a denial-of-service condition by sending a specially crafted HTTP request.π Read
via "National Vulnerability Database".
βΌ CVE-2020-14368 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Theia IDE. This flaw allows an attacker to gain full access to the victim's workspace through the /services endpoint. To perform a successful attack, the attacker conducts a Man-in-the-middle attack (MITM) and tricks the victim into executing a request via an untrusted link, which performs the CSRF and the Socket hijack. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.π Read
via "National Vulnerability Database".
βΌ CVE-2019-19286 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow SQL injection attacks if an attacker is able to modify content of particular web pages.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25233 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). The firmware update of affected devices contains the private RSA key that is used as a basis for encryption of communication with the device.π Read
via "National Vulnerability Database".
βΌ CVE-2020-0099 βΌ
π Read
via "National Vulnerability Database".
In addWindow of WindowManagerService.java, there is a possible window overlay attack due to an insecure default value. This could lead to local escalation of privilege via tapjacking with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android-8.1 Android-9 Android-10Android ID: A-141745510π Read
via "National Vulnerability Database".
βΌ CVE-2020-28396 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in SICAM A8000 CP-8000 (All versions < V16), SICAM A8000 CP-8021 (All versions < V16), SICAM A8000 CP-8022 (All versions < V16). A web server misconfiguration of the affected device can cause insecure ciphers usage by a userΓΒ΄s browser. An attacker in a privileged position could decrypt the communication and compromise confidentiality and integrity of the transmitted information.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25229 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in LOGO! 8 BM (incl. SIPLUS variants) (All versions < V8.3). The implemented encryption for communication with affected devices is prone to replay attacks due to the usage of a static key. An attacker could change the password or change the configuration on any affected device if using prepared messages that were generated for another device.π Read
via "National Vulnerability Database".
βΌ CVE-2019-19289 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow a Cross-Site Request Forgery (CSRF) attack if an unsuspecting user is tricked into accessing a malicious link.π Read
via "National Vulnerability Database".
βΌ CVE-2019-19285 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in XHQ (All Versions < 6.1). The web interface could allow injections that could lead to XSS attacks if unsuspecting users are tricked into accessing a malicious link.π Read
via "National Vulnerability Database".
βΌ CVE-2020-0466 βΌ
π Read
via "National Vulnerability Database".
In do_epoll_ctl and ep_loop_check_proc of eventpoll.c, there is a possible use after free due to a logic error. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-147802478References: Upstream kernelπ Read
via "National Vulnerability Database".