‼ CVE-2020-27048 ‼
📖 Read
via "National Vulnerability Database".
In RW_SendRawFrame of rw_main.cc, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-157650117📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25712 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in xorg-x11-server before 1.20.10. A heap-buffer overflow in XkbSetDeviceInfo may lead to a privilege escalation vulnerability. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27043 ‼
📖 Read
via "National Vulnerability Database".
In nfc_enabled of nfc_main.cc, there is a possible out of bounds read due to an incorrect increment. This could lead to local information disclosure via firmware with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-155234594📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27052 ‼
📖 Read
via "National Vulnerability Database".
In getLockTaskLaunchMode of ActivityRecord.java, there is a possible way for any app to start in Lock Task Mode due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-158833495📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29482 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Xen through 4.14.x. A guest may access xenstore paths via absolute paths containing a full pathname, or via a relative path, which implicitly includes /local/domain/$DOMID for their own domain id. Management tools must access paths in guests' namespaces, necessarily using absolute paths. oxenstored imposes a pathname limit that is applied solely to the relative or absolute path specified by the client. Therefore, a guest can create paths in its own namespace which are too long for management tools to access. Depending on the toolstack in use, a malicious guest administrator might cause some management tools and debugging operations to fail. For example, a guest administrator can cause "xenstore-ls -r" to fail. However, a guest administrator cannot prevent the host administrator from tearing down the domain. All systems using oxenstored are vulnerable. Building and using oxenstored is the default in the upstream Xen distribution, if the Ocaml compiler is available. Systems using C xenstored are not vulnerable.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27053 ‼
📖 Read
via "National Vulnerability Database".
In broadcastWifiCredentialChanged of ClientModeImpl.java, there is a possible location permission bypass due to a missing permission check. This could lead to local information disclosure of the WiFi network name with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-159371448📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27147 ‼
📖 Read
via "National Vulnerability Database".
The REST API component of TIBCO Software Inc.'s TIBCO PartnerExpress contains a vulnerability that theoretically allows an unauthenticated attacker with network access to obtain an authenticated login URL for the affected system via a REST API. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: version 6.2.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-2088 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.📖 Read
via "National Vulnerability Database".
🕴 45M Medical Imaging Files Left Accessible Online 🕴
📖 Read
via "Dark Reading".
A range of medical images, including X-rays and CT scans, were exposed on more than 2,140 unprotected servers, researchers report.📖 Read
via "Dark Reading".
Dark Reading
45M Medical Imaging Files Left Accessible Online
A range of medical images, including X-rays and CT scans, were exposed on more than 2,140 unprotected servers, researchers report.
🔏 Additional CCPA Regulations Proposed by California AG 🔏
📖 Read
via "Digital Guardian".
The potential updates to the data privacy law build off of others proposed in October.📖 Read
via "Digital Guardian".
Digital Guardian
Additional CCPA Regulations Proposed by California AG
The potential updates to the data privacy law build off of others proposed in October.
🕴 Medical Imaging Leaks Highlight Unhealthy Security Practices 🕴
📖 Read
via "Dark Reading".
More than 45 million unique images, such as X-rays and MRI scans, are accessible to anyone on the Internet, security firm says.📖 Read
via "Dark Reading".
Dark Reading
Medical Imaging Leaks Highlight Unhealthy Security Practices
More than 45 million unique images, such as X-rays and MRI scans, are accessible to anyone on the Internet, security firm says.
❌ Firefox Patches Critical Mystery Bug, Also Impacting Google Chrome ❌
📖 Read
via "Threat Post".
Mozilla Foundation releases Firefox 84 browser, fixing several flaws and delivering performance gains and Apple processor support.📖 Read
via "Threat Post".
Threat Post
Firefox Patches Critical Mystery Bug, Also Impacting Google Chrome
Mozilla Foundation releases Firefox 84 browser, fixing several flaws and delivering performance gains and Apple processor support.
❌ Gitpaste-12 Worm Widens Set of Exploits in New Attacks ❌
📖 Read
via "Threat Post".
The worm returned in recent attacks against web applications, IP cameras and routers.📖 Read
via "Threat Post".
Threat Post
Gitpaste-12 Worm Widens Set of Exploits in New Attacks
The worm returned in recent attacks against web applications, IP cameras and routers.
❌ Easy WP SMTP Security Bug Can Reveal Admin Credentials ❌
📖 Read
via "Threat Post".
A poorly configured file opens users up to site takeover.📖 Read
via "Threat Post".
Threat Post
Easy WP SMTP Security Bug Can Reveal Admin Credentials
A poorly configured file opens users up to site takeover.
‼ CVE-2020-25757 ‼
📖 Read
via "National Vulnerability Database".
A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25759 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered on D-Link DSR-250 3.17 devices. Certain functionality in the Unified Services Router web interface could allow an authenticated attacker to execute arbitrary commands, due to a lack of validation of inputs provided in multipart HTTP POST requests.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-10770 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25195 ‼
📖 Read
via "National Vulnerability Database".
The length of the input fields of Host Engineering H0-ECOM100, H2-ECOM100, and H4-ECOM100 modules are verified only on the client side when receiving input from the configuration web server, which may allow an attacker to bypass the check and send input to crash the device.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25758 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered on D-Link DSR-250 3.17 devices. Insufficient validation of configuration file checksums could allow a remote, authenticated attacker to inject arbitrary crontab entries into saved configurations before uploading. These entries are executed as root.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-14302 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks.📖 Read
via "National Vulnerability Database".
❌ Subway Sandwich Loyalty-Card Users Suffer Ham-Handed Phishing Scam ❌
📖 Read
via "Threat Post".
Subway loyalty program members in U.K. and Ireland have been sent scam emails to trick them into downloading malware.📖 Read
via "Threat Post".
Threat Post
Subway Sandwich Loyalty-Card Users Suffer Ham-Handed Phishing Scam
Subway loyalty program members in U.K. and Ireland have been sent scam emails to trick them into downloading malware.