βΌ CVE-2018-7580 βΌ
π Read
via "National Vulnerability Database".
Philips Hue is vulnerable to a Denial of Service attack. Sending a SYN flood on port tcp/80 will freeze Philips Hue's hub and it will stop responding. The "hub" will stop operating and be frozen until the flood stops. During the flood, the user won't be able to turn on/off the lights, and all of the hub's functionality will be unresponsive. The cloud service also won't work with the hub.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26281 βΌ
π Read
via "National Vulnerability Database".
async-h1 is an asynchronous HTTP/1.1 parser for Rust (crates.io). There is a request smuggling vulnerability in async-h1 before version 2.3.0. This vulnerability affects any webserver that uses async-h1 behind a reverse proxy, including all such Tide applications. If the server does not read the body of a request which is longer than some buffer length, async-h1 will attempt to read a subsequent request from the body content starting at that offset into the body. One way to exploit this vulnerability would be for an adversary to craft a request such that the body contains a request that would not be noticed by a reverse proxy, allowing it to forge forwarded/x-forwarded headers. If an application trusted the authenticity of these headers, it could be misled by the smuggled request. Another potential concern with this vulnerability is that if a reverse proxy is sending multiple http clients' requests along the same keep-alive connection, it would be possible for the smuggled request to specify a long content and capture another user's request in its body. This content could be captured in a post request to an endpoint that allows the content to be subsequently retrieved by the adversary. This has been addressed in async-h1 2.3.0 and previous versions have been yanked.π Read
via "National Vulnerability Database".
βΌ CVE-2020-35151 βΌ
π Read
via "National Vulnerability Database".
The Online Marriage Registration System 1.0 post parameter "searchdata" in the user/search.php request is vulnerable to Time Based Sql Injection.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26277 βΌ
π Read
via "National Vulnerability Database".
DBdeployer is a tool that deploys MySQL database servers easily. In DBdeployer before version 1.58.2, users unpacking a tarball may use a maliciously packaged tarball that contains symlinks to files external to the target. In such scenario, an attacker could induce dbdeployer to write into a system file, thus altering the computer defenses. For the attack to succeed, the following factors need to contribute: 1) The user is logged in as root. While dbdeployer is usable as root, it was designed to run as unprivileged user. 2) The user has taken a tarball from a non secure source, without testing the checksum. When the tarball is retrieved through dbdeployer, the checksum is compared before attempting to unpack. This has been fixed in version 1.58.2.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29596 βΌ
π Read
via "National Vulnerability Database".
MiniWeb HTTP server 0.8.19 allows remote attackers to cause a denial of service (daemon crash) via a long name for the first parameter in a POST request.π Read
via "National Vulnerability Database".
β Patrick Wardle on Hackers Leveraging βPowerfulβ iOS Bugs in High-Level Attacks β
π Read
via "Threat Post".
Noted Apple security expert Patrick Wardle discusses how cybercriminals are stepping up their game in targeting Apple users with new techniques and cyberattacks.π Read
via "Threat Post".
Threat Post
Patrick Wardle on Hackers Leveraging βPowerfulβ iOS Bugs in High-Level Attacks
Noted Apple security expert Patrick Wardle discusses how cybercriminals are stepping up their game in targeting Apple users with new techniques and cyberattacks.
π What is NIST CSF? π
π Read
via "Digital Guardian".
The National Institute of Standards and Technology's Cybersecurity Framework is designed to help organizations manage their security risk; in this blog we'll go over its requirements, penalties for failing to comply with it, and best practices.π Read
via "Digital Guardian".
Digital Guardian
What is NIST CSF?
The National Institute of Standards and Technology's Cybersecurity Framework is designed to help organizations manage their security risk; in this blog we'll go over its requirements, penalties for failing to comply with it, and best practices.
π¦Ώ How to combat future cyberattacks following the SolarWinds breach π¦Ώ
π Read
via "Tech Republic".
How can and should governments respond to and better protect themselves from serious cyberattacks from hostile nations?π Read
via "Tech Republic".
TechRepublic
How to combat future cyberattacks following the SolarWinds breach
How can and should governments respond to and better protect themselves from serious cyberattacks from hostile nations?
π΄ Security as Code: How Repeatable Policy-Driven Deployment Improves Security π΄
π Read
via "Dark Reading".
The SaC approach lets users codify and enforce a secure state of application configuration deployment that limits risk.π Read
via "Dark Reading".
Dark Reading
Security as Code: How Repeatable Policy-Driven Deployment Improves Security
The SaC approach lets users codify and enforce a secure state of application configuration deployment that limits risk.
βΌ CVE-2020-28460 βΌ
π Read
via "National Vulnerability Database".
This affects the package multi-ini before 2.1.2. It is possible to pollute an object's prototype by specifying the constructor.proto object as part of an array. This is a bypass of CVE-2020-28448.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28448 βΌ
π Read
via "National Vulnerability Database".
This affects the package multi-ini before 2.1.1. It is possible to pollute an object's prototype by specifying the proto object as part of an array.π Read
via "National Vulnerability Database".
β Jokerβs Stash Carding Site Taken Down, for Now β
π Read
via "Threat Post".
The underground payment-card data broker saw its blockchain DNS sites taken offline after an apparent law-enforcement effort.π Read
via "Threat Post".
Threat Post
Jokerβs Stash Carding Site Taken Down
The underground payment-card data broker saw its blockchain DNS sites taken offline after an apparent law-enforcement effort - and now Tor sites are down.
β Tech Giants Lend WhatsApp Support in Spyware Case Against NSO Group β
π Read
via "Threat Post".
Google, Microsoft, Cisco Systems and others want appeals court to deny immunity to Israeli company for its alleged distribution of spyware and illegal cyber-surveillance activities.π Read
via "Threat Post".
Threat Post
Tech Giants Lend WhatsApp Support in Spyware Case Against NSO Group
Google, Microsoft, Cisco Systems and others want appeals court to deny immunity to Israeli company for its alleged distribution of spyware and illegal cyber-surveillance activities.
π΄ Law Enforcement Disrupts VPN Services Enabling Cybercrime π΄
π Read
via "Dark Reading".
The United States and international partners shut down three bulletproof hosting services used to facilitate criminal activity.π Read
via "Dark Reading".
Dark Reading
Law Enforcement Disrupts VPN Services Enabling Cybercrime
The United States and international partners shut down three bulletproof hosting services used to facilitate criminal activity.
π Sifter 11.2 π
π Read
via "Packet Storm Security".
Sifter is a osint, recon, and vulnerability scanner. It combines a plethora of tools within different module sets in order to quickly perform recon tasks, check network firewalling, enumerate remote and local hosts, and scan for the blue vulnerabilities within Microsoft systems and if unpatched, exploits them.π Read
via "Packet Storm Security".
Packetstormsecurity
Sifter 11.2 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
β Does a friend βneed money urgentlyβ? Check your facts before paying outβ¦ β
π Read
via "Naked Security".
Don't get scammed by fake online requests to help a friend online. Check your facts first - here's why.π Read
via "Naked Security".
π¦Ώ UK lawmakers propose law banning retail bots after PS5 fiasco π¦Ώ
π Read
via "Tech Republic".
The legislation would both ban the resale of goods acquired using bots and the resale of tech products above the manufacturers' price.π Read
via "Tech Republic".
TechRepublic
UK lawmakers propose law banning retail bots after PS5 fiasco
The legislation would both ban the resale of goods acquired using bots and the resale of tech products above the manufacturers' price.
βΌ CVE-2019-11782 βΌ
π Read
via "National Vulnerability Database".
Improper access control in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users with access to contact management to modify user accounts, leading to privilege escalation.π Read
via "National Vulnerability Database".
βΌ CVE-2018-15645 βΌ
π Read
via "National Vulnerability Database".
Improper access control in message routing in Odoo Community 12.0 and earlier and Odoo Enterprise 12.0 and earlier allows remote authenticated users to create arbitrary records via crafted payloads, which may allow privilege escalation.π Read
via "National Vulnerability Database".
βΌ CVE-2018-15633 βΌ
π Read
via "National Vulnerability Database".
Cross-site scripting (XSS) issue in "document" module in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers to inject arbitrary web script in the browser of a victim via crafted attachment filenames.π Read
via "National Vulnerability Database".
βΌ CVE-2019-11784 βΌ
π Read
via "National Vulnerability Database".
Improper access control in mail module (notifications) in Odoo Community 14.0 and earlier and Odoo Enterprise 14.0 and earlier, allows remote authenticated users to obtain access to arbitrary messages in conversations they were not a party to.π Read
via "National Vulnerability Database".