‼ CVE-2020-26173 ‼
📖 Read
via "National Vulnerability Database".
An incorrect access control implementation in Tangro Business Workflow before 1.18.1 allows an attacker to download documents (PDF) by providing a valid document ID and token. No further authentication is required.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26174 ‼
📖 Read
via "National Vulnerability Database".
tangro Business Workflow before 1.18.1 requests a list of allowed filetypes from the server and restricts uploads to the filetypes contained in this list. However, this restriction is enforced in the browser (client-side) and can be circumvented. This allows an attacker to upload any file as an attachment to a workitem.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35478 ‼
📖 Read
via "National Vulnerability Database".
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. MediaWiki:blanknamespace potentially can be output as raw HTML with SCRIPT tags via LogFormatter::makePageLink(). This affects MediaWiki 1.33.0 and later.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35480 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in MediaWiki before 1.35.1. Missing users (accounts that don't exist) and hidden users (accounts that have been explicitly hidden due to being abusive, or similar) that the viewer cannot see are handled differently, exposing sensitive information about the hidden status to unprivileged viewers. This exists on various code paths.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35554 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered on LG mobile devices with Android OS 8.0, 8.1, 9.0, and 10 software. There is a WebView SSL error-handler vulnerability. The LG ID is LVE-SMP-200026 (December 2020).📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26175 ‼
📖 Read
via "National Vulnerability Database".
In tangro Business Workflow before 1.18.1, an attacker can manipulate the value of PERSON in requests to /api/profile in order to change profile information of other users.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35555 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered on LG mobile devices with Android OS 10 software. When a dual-screen configuration is supported, the device does not lock upon disconnection of a call with the cover closed. The LG ID is LVE-SMP-200027 (December 2020).📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35548 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Finder on Samsung mobile devices with Q(10.0) software. A call to a non-existent provider allows attackers to cause a denial of service. The Samsung ID is SVE-2020-18629 (December 2020).📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25609 ‼
📖 Read
via "National Vulnerability Database".
The NuPoint Messenger Portal of Mitel MiCollab before 9.2 could allow an authenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to view and modify user data.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25610 ‼
📖 Read
via "National Vulnerability Database".
The AWV component of Mitel MiCollab before 9.2 could allow an attacker to gain access to a web conference due to insufficient access control for conference codes.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26171 ‼
📖 Read
via "National Vulnerability Database".
In tangro Business Workflow before 1.18.1, the documentId of attachment uploads to /api/document/attachments/upload can be manipulated. By doing this, users can add attachments to workitems that do not belong to them.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27639 ‼
📖 Read
via "National Vulnerability Database".
The Bluetooth handset of Mitel MiVoice 6873i, 6930, and 6940 SIP phones with firmware before 5.1.0.SP6 could allow an unauthenticated attacker within Bluetooth range to pair a rogue Bluetooth device when a phone handset loses connection, due to an improper pairing mechanism. A successful exploit could allow an attacker to eavesdrop on conversations.📖 Read
via "National Vulnerability Database".
‼ CVE-2019-16955 ‼
📖 Read
via "National Vulnerability Database".
SolarWinds Web Help Desk 12.7.0 allows XSS via an uploaded SVG document in a request.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25612 ‼
📖 Read
via "National Vulnerability Database".
The NuPoint Messenger of Mitel MiCollab before 9.2 could allow an attacker with escalated privilege to access user files due to insufficient access control. Successful exploit could potentially allow an attacker to gain access to sensitive information.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26172 ‼
📖 Read
via "National Vulnerability Database".
Every login in tangro Business Workflow before 1.18.1 generates the same JWT token, which allows an attacker to reuse the token when a session is active. The JWT token does not contain an expiration timestamp.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35475 ‼
📖 Read
via "National Vulnerability Database".
In MediaWiki before 1.35.1, the messages userrights-expiry-current and userrights-expiry-none can contain raw HTML. XSS can happen when a user visits Special:UserRights but does not have rights to change all userrights, and the table on the left side has unchangeable groups in it. (The right column with the changeable groups is not affected and is escaped correctly.)📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35479 ‼
📖 Read
via "National Vulnerability Database".
MediaWiki before 1.35.1 allows XSS via BlockLogFormatter.php. Language::translateBlockExpiry itself does not escape in all code paths. For example, the return of Language::userTimeAndDate is is always unsafe for HTML in a month value. This affects MediaWiki 1.12.0 and later.📖 Read
via "National Vulnerability Database".
🕴 2021 Cybersecurity Predictions: The Intergalactic Battle Begins 🕴
📖 Read
via "Dark Reading".
There's much in store for the future of cybersecurity, and the most interesting things aren't happening on Earth.📖 Read
via "Dark Reading".
Dark Reading
2021 Cybersecurity Predictions: The Intergalactic Battle Begins
There's much in store for the future of cybersecurity, and the most interesting things aren't happening on Earth.
🕴 5 Key Takeaways from the SolarWinds Breach 🕴
📖 Read
via "Dark Reading".
New details continue to emerge each day, and there may be many more lessons to learn from what could be among the largest cyberattacks ever.📖 Read
via "Dark Reading".
Dark Reading
Slideshows - Dark Reading
Dark Reading: Connecting The Information Security Community. Explore our slideshows.
❌ Insider Threats: What Are They, Really? ❌
📖 Read
via "Threat Post".
"Insider threat" or "human error" shows up a lot as the major cause of data breaches across all types of reports out there. But often it's not defined, or it's not clearly defined, so people conjure up their own definition.📖 Read
via "Threat Post".
Threat Post
Insider Threats: What Are They, Really?
An insider threat is not necessarily a malicious actor. Often, companies define an insider threat as someone who inadvertently creates a security problem for a business. Learn more.
❌ Cyberpunk 2077 Headaches Grow: New Spyware Found in Fake Android Download ❌
📖 Read
via "Threat Post".
Threat actors impersonate Google Play store in scam as Sony pulls the game off the PlayStation store due to myriad performance issues.📖 Read
via "Threat Post".
Threat Post
Cyberpunk 2077 Headaches Grow: New Spyware Found in Fake Android Download
Threat actors impersonate Google Play store in scam as Sony pulls the game off the PlayStation store due to myriad performance issues.