CVE-2020-35191 (via National Vulnerability Database)
The official drupal docker images before 8.5.10-fpm-alpine (Alpine specific) contain a blank password for a root user. Systems using the drupal docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-35189 (via National Vulnerability Database)
The official kong docker images before 1.0.2-alpine (Alpine specific) contain a blank password for a root user. Systems using the kong docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-35194 (via National Vulnerability Database)
The official influxdb docker images before 1.7.3-meta-alpine (Alpine specific) contain a blank password for a root user. Systems using the influxdb docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-29652 (via National Vulnerability Database)
A nil pointer dereference in the golang.org/x/crypto/ssh component through v0.0.0-20201203163018-be400aefbc4c for Go allows remote attackers to cause a denial of service against SSH servers.
CVE-2020-35123 (via National Vulnerability Database)
In Zimbra Collaboration Suite Network Edition versions < 9.0.0 P10 and 8.8.15 P17, the saml consumer store extension is vulnerable to XXE attacks. This has been fixed in Zimbra Collaboration Suite Network Edition 9.0.0 Patch 10 and 8.8.15 Patch 17.
CVE-2020-35197 (via National Vulnerability Database)
The official memcached docker images before 1.5.11-alpine (Alpine specific) contain a blank password for a root user. Systems using the memcached docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-35453 (via National Vulnerability Database)
HashiCorp Vault Enterprise's Sentinel EGP policy feature incorrectly allowed requests to be processed in parent and sibling namespaces. Fixed in 1.5.6 and 1.6.1.
CVE-2020-35177 (via National Vulnerability Database)
HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1.
CVE-2020-35196 (via National Vulnerability Database)
The official rabbitmq docker images before 3.7.13-beta.1-management-alpine (Alpine specific) contain a blank password for a root user. Systems using the rabbitmq docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-35186 (via National Vulnerability Database)
The official adminer docker images before 4.7.0-fastcgi contain a blank password for a root user. Systems using the adminer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-25011 (via National Vulnerability Database)
A sensitive information disclosure vulnerability in Kyland KPS2204 6 Port Managed Din-Rail Programmable Serial Device Servers, Software Version R0002.P05, allows remote attackers to obtain the username and password by requesting the /cgi-bin/webadminget.cgi script via the browser.
CVE-2020-35184 (via National Vulnerability Database)
The official composer docker images before 1.8.3 contain a blank password for a root user. Systems using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-27199 (via National Vulnerability Database)
The Magic Home Pro application 1.5.1 for Android allows Authentication Bypass. The only security control the application currently has in place is a simple username and password authentication function. Using enumeration, an attacker is able to forge a user-specific token without needing the correct password, gaining access to the mobile application as that victim user.
CVE-2020-25095 (via National Vulnerability Database)
LogRhythm Platform Manager (PM) 7.4.9 allows CSRF. The Web interface is vulnerable to Cross-site WebSocket Hijacking (CSWH). If a logged-in PM user visits a malicious site in the same browser session, that site can perform a CSRF attack to create a WebSocket from the victim client to the vulnerable PM server. Once the socket is created, the malicious site can interact with the vulnerable web server in the context of the logged-in user. This can include WebSocket payloads that result in command execution.
CVE-2020-29436 (via National Vulnerability Database)
Sonatype Nexus Repository Manager 3.x before 3.29.0 allows a user with admin privileges to configure the system to gain access to content outside of NXRM via an XXE vulnerability. Fixed in version 3.29.0.
CVE-2020-35195 (via National Vulnerability Database)
The official haproxy docker images before 1.8.18-alpine (Alpine specific) contain a blank password for a root user. Systems using the haproxy docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-25094 (via National Vulnerability Database)
LogRhythm Platform Manager 7.4.9 allows Command Injection. To exploit this, an attacker can inject arbitrary program names and arguments into a WebSocket. These are forwarded to any remote server with a LogRhythm Smart Response agent installed. By default, the commands are run with LocalSystem privileges.
CVE-2020-25010 (via National Vulnerability Database)
An arbitrary code execution vulnerability in Kyland KPS2204 6 Port Managed Din-Rail Programmable Serial Device Servers, Software Version R0002.P05, allows remote attackers to upload a malicious script file by constructing a POST request whose parameters carry a payload that instructs the device to write a file.
CVE-2020-35188 (via National Vulnerability Database)
The official chronograf docker images before 1.7.7-alpine (Alpine specific) contain a blank password for a root user. Systems using the chronograf docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
CVE-2020-25096 (via National Vulnerability Database)
LogRhythm Platform Manager (PM) 7.4.9 has Incorrect Access Control. Users within LogRhythm can be delegated different roles and privileges, intended to limit what data and services they can interact with. However, no access control is enforced for WebSocket-based communication to the PM application server, which will forward requests to any configured back-end server, regardless of whether the user's access rights should permit this. As a result, even the most low-privileged user can interact with any back-end component that has a LogRhythm agent installed.
Phone scammers were able to get 270% more personal information in 2020 than in 2019 (via Tech Republic)
The COVID-19 crisis enabled scammers to take advantage of the guileless, as bad actors were able to extract personal information from targets, according to a new report from First Orion.