🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
CVE-2020-27053

In broadcastWifiCredentialChanged of ClientModeImpl.java, there is a possible location permission bypass due to a missing permission check. This could lead to local information disclosure of the WiFi network name with System execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-11. Android ID: A-159371448.

📖 Read

via "National Vulnerability Database".
CVE-2020-27147

The REST API component of TIBCO Software Inc.'s TIBCO PartnerExpress contains a vulnerability that theoretically allows an unauthenticated attacker with network access to obtain an authenticated login URL for the affected system via a REST API. Affected releases are TIBCO Software Inc.'s TIBCO PartnerExpress: version 6.2.0.

📖 Read

via "National Vulnerability Database".
CVE-2020-2088

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2020. Notes: none.

📖 Read

via "National Vulnerability Database".
🕴 45M Medical Imaging Files Left Accessible Online 🕴

A range of medical images, including X-rays and CT scans, were exposed on more than 2,140 unprotected servers, researchers report.

📖 Read

via "Dark Reading".
🔏 Additional CCPA Regulations Proposed by California AG 🔏

The potential updates to the data privacy law build off of others proposed in October.

📖 Read

via "Digital Guardian".
🕴 Medical Imaging Leaks Highlight Unhealthy Security Practices 🕴

More than 45 million unique images, such as X-rays and MRI scans, are accessible to anyone on the Internet, security firm says.

📖 Read

via "Dark Reading".
Firefox Patches Critical Mystery Bug, Also Impacting Google Chrome

Mozilla Foundation releases Firefox 84 browser, fixing several flaws and delivering performance gains and Apple processor support.

📖 Read

via "Threat Post".
Gitpaste-12 Worm Widens Set of Exploits in New Attacks

The worm returned in recent attacks against web applications, IP cameras and routers.

📖 Read

via "Threat Post".
Easy WP SMTP Security Bug Can Reveal Admin Credentials

A poorly configured file opens users up to site takeover.

📖 Read

via "Threat Post".
CVE-2020-25757

A lack of input validation and access controls in Lua CGIs on D-Link DSR VPN routers may result in arbitrary input being passed to system command APIs, resulting in arbitrary command execution with root privileges. This affects DSR-150, DSR-250, DSR-500, and DSR-1000AC with firmware 3.14 and 3.17.

📖 Read

via "National Vulnerability Database".
CVE-2020-25759

An issue was discovered on D-Link DSR-250 3.17 devices. Certain functionality in the Unified Services Router web interface could allow an authenticated attacker to execute arbitrary commands, due to a lack of validation of inputs provided in multipart HTTP POST requests.

📖 Read

via "National Vulnerability Database".
CVE-2020-10770

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

📖 Read

via "National Vulnerability Database".
CVE-2020-25195

The lengths of the input fields of Host Engineering H0-ECOM100, H2-ECOM100, and H4-ECOM100 modules are verified only on the client side when receiving input from the configuration web server, which may allow an attacker to bypass the check and send input to crash the device.

📖 Read

via "National Vulnerability Database".
CVE-2020-25758

An issue was discovered on D-Link DSR-250 3.17 devices. Insufficient validation of configuration file checksums could allow a remote, authenticated attacker to inject arbitrary crontab entries into saved configurations before uploading. These entries are executed as root.

📖 Read

via "National Vulnerability Database".
CVE-2020-14302

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks.

📖 Read

via "National Vulnerability Database".
Subway Sandwich Loyalty-Card Users Suffer Ham-Handed Phishing Scam

Subway loyalty program members in U.K. and Ireland have been sent scam emails to trick them into downloading malware.

📖 Read

via "Threat Post".
🕴 Twitter Fined in Irish GDPR Action 🕴

The $547K fine results from an issue Twitter reported in 2019.

📖 Read

via "Dark Reading".
CVE-2020-35381

jsonparser 1.0.0 allows attackers to cause a denial of service (panic: runtime error: slice bounds out of range) via a GET call.

📖 Read

via "National Vulnerability Database".
CVE-2020-35380

GJSON before 1.6.4 allows attackers to cause a denial of service via crafted JSON.

📖 Read

via "National Vulnerability Database".
CVE-2020-23957

Pega Platform through 8.4.x is affected by Cross Site Scripting (XSS) via the ConnectionID parameter, as demonstrated by a pyActivity=Data-TRACERSettings.pzStartTracerSession request to a PRAuth URI.

📖 Read

via "National Vulnerability Database".
CVE-2020-35416

Multiple cross-site scripting (XSS) vulnerabilities exist in PHPJabbers Appointment Scheduler 2.3, in the index.php admin login webpage (via different request parameters), which allow remote attackers to inject arbitrary web script or HTML.

📖 Read

via "National Vulnerability Database".