‼ CVE-2020-35669 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the http package through 0.12.2 for Dart. If the attacker controls the HTTP method and the app is using Request directly, it's possible to achieve CRLF injection in an HTTP request.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35676 ‼
📖 Read
via "National Vulnerability Database".
BigProf Online Invoicing System before 3.1 fails to correctly sanitize an XSS payload when a user registers using the self-registration functionality. As such, an attacker can input a crafted payload that will execute upon the application's administrator browsing the registered users' list. Once the arbitrary Javascript is executed in the context of the admin, this will cause the attacker to gain administrative privileges, effectively leading into an application takeover. This affects app/membership_signup.php and app/admin/pageViewMembers.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35677 ‼
📖 Read
via "National Vulnerability Database".
BigProf Online Invoicing System before 4.0 fails to adequately sanitize fields for HTML characters upon an administrator using admin/pageEditGroup.php to create a new group, resulting in Stored XSS. The caveat here is that an attacker would need administrative privileges in order to create the payload. One might think this completely mitigates the privilege-escalation impact as there is only one high-privileged role. However, it was discovered that the endpoint responsible for creating the group lacks CSRF protection.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-2503 ‼
📖 Read
via "National Vulnerability Database".
If exploited, this stored cross-site scripting vulnerability could allow remote attackers to inject malicious code in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-2504 ‼
📖 Read
via "National Vulnerability Database".
If exploited, this absolute path traversal vulnerability could allow attackers to traverse files in File Station. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-5681 ‼
📖 Read
via "National Vulnerability Database".
Untrusted search path vulnerability in self-extracting files created by EpsonNet SetupManager versions 2.2.14 and earlier, and Offirio SynergyWare PrintDirector versions 1.6x/1.6y and earlier allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-2505 ‼
📖 Read
via "National Vulnerability Database".
If exploited, this vulnerability could allow attackers to gain sensitive information via generation of error messages. QNAP has already fixed these issues in QES 2.1.1 Build 20201006 and later.📖 Read
via "National Vulnerability Database".
⚠ S3 Ep12: A chat with social engineering hacker Rachel Tobac [Podcast] ⚠
📖 Read
via "Naked Security".
Lastest episode - listen now! (And please leave us a review if you like what you hear.)📖 Read
via "Naked Security".
Naked Security
S3 Ep12: A chat with social engineering hacker Rachel Tobac [Podcast]
Lastest episode – listen now! (And please leave us a review if you like what you hear.)
🕴 Delivering Santa from Third-Party Risk 🕴
📖 Read
via "Dark Reading".
2020 has made even St. Nick susceptible to the risks associated with the coronavirus pandemic. Fortunately, cybersecurity experts are ready to help the merry old elf with advice on reducing risks to his global operations.📖 Read
via "Dark Reading".
Dark Reading
Delivering Santa from Third-Party Risk
2020 has made even St. Nick susceptible to the risks associated with the coronavirus pandemic. Fortunately, cybersecurity experts are ready to help the merry old elf with advice on reducing risks to his global operations.
🕴 HelpSystems Acquires Data Security Firm Vera 🕴
📖 Read
via "Dark Reading".
The purchase is intended to increase London-based HelpSystems' file collaboration security capabilities.📖 Read
via "Dark Reading".
Dark Reading
HelpSystems Acquires Data Security Firm Vera
The purchase is intended to increase London-based HelpSystems' file collaboration security capabilities.
🕴 Quarterbacking Vulnerability Remediation 🕴
📖 Read
via "Dark Reading".
It's time that security got out of the armchair and out on the field.📖 Read
via "Dark Reading".
Dark Reading
Quarterbacking Vulnerability Remediation
It's time that security got out of the armchair and out on the field.
❌ Windows Zero-Day Still Circulating After Faulty Fix ❌
📖 Read
via "Threat Post".
The LPE bug could allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights.📖 Read
via "Threat Post".
Threat Post
Windows Zero-Day Still Circulating After Faulty Fix
The LPE bug could allow an attacker to install programs; view, change, or delete data; or create new accounts with full user rights.
‼ CVE-2020-9200 ‼
📖 Read
via "National Vulnerability Database".
There has a CSV injection vulnerability in iManager NetEco 6000 versions V600R021C00. An attacker with common privilege may exploit this vulnerability through some operations to inject the CSV files. Due to insufficient input validation of some parameters, the attacker can exploit this vulnerability to inject CSV files to the target device.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28169 ‼
📖 Read
via "National Vulnerability Database".
The td-agent-builder plugin before 2020-12-18 for Fluentd allows attackers to gain privileges because the bin directory is writable by a user account, but a file in bin is executed as NT AUTHORITY\SYSTEM.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-9119 ‼
📖 Read
via "National Vulnerability Database".
There is a privilege escalation vulnerability on some Huawei smart phones due to design defects. The attacker needs to physically contact the mobile phone and obtain higher privileges, and execute relevant commands, resulting in the user's privilege promotion.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27726 ‼
📖 Read
via "National Vulnerability Database".
In versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.5, 14.1.0-14.1.3, 13.1.0-13.1.3.4, and 12.1.0-12.1.5.2, a reflected cross-site scripting (XSS) vulnerability exists in the resource information page for authenticated users when a full webtop is configured on the BIG-IP APM system.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27724 ‼
📖 Read
via "National Vulnerability Database".
In BIG-IP APM versions 16.0.0-16.0.0.1, 15.1.0-15.1.0.4, 15.0.0-15.0.1.3, 14.1.0-14.1.3, 13.1.0-13.1.3.4, 12.1.0-12.1.5.2, and 11.6.1-11.6.5.2, on systems running more than one TMM instance, authenticated VPN users may consume excessive resources by sending specially-crafted malicious traffic over the tunnel.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35659 ‼
📖 Read
via "National Vulnerability Database".
The DNS query log in Pi-hole before 5.2.2 is vulnerable to stored XSS. An attacker with the ability to directly or indirectly query DNS with a malicious hostname can cause arbitrary JavaScript to execute when the Pi-hole administrator visits the Query Log or Long-term data Query Log page.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-9137 ‼
📖 Read
via "National Vulnerability Database".
There is a privilege escalation vulnerability in some versions of CloudEngine 12800,CloudEngine 5800,CloudEngine 6800 and CloudEngine 7800. Due to insufficient input validation, a local attacker with high privilege may execute some specially crafted scripts in the affected products. Successful exploit will cause privilege escalation.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28184 ‼
📖 Read
via "National Vulnerability Database".
Cross-site scripting (XSS) vulnerability in TerraMaster TOS <= 4.2.06 allows remote authenticated users to inject arbitrary web script or HTML via the mod parameter to /module/index.php.📖 Read
via "National Vulnerability Database".