β FBI Warn Hackers are Using Hijacked Home Security Devices for βSwattingβ β
π Read
via "Threat Post".
Stolen email credentials are being used to hijack home surveillance devices, such as Ring, to call police with a fake emergency, then watch the chaos unfold.π Read
via "Threat Post".
Threat Post
FBI Warn Hackers are Using Hijacked Home Security Devices for βSwattingβ
Stolen email credentials are being used to hijack home surveillance devices, such as Ring, to call police with a fake emergency, then watch the chaos unfold.
βΌ CVE-2019-16281 βΌ
π Read
via "National Vulnerability Database".
Ptarmigan before 0.2.3 lacks API token validation, e.g., an "if (token === apiToken) {return true;} return false;" code block.π Read
via "National Vulnerability Database".
βΌ CVE-2020-11103 βΌ
π Read
via "National Vulnerability Database".
JsLink in Webswing before 2.6.12 LTS, and 2.7.x and 20.x before 20.1, allows remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2019-16747 βΌ
π Read
via "National Vulnerability Database".
In MatrixSSL before 4.2.2 Open, the DTLS server can encounter an invalid pointer free (leading to memory corruption and a daemon crash) via a crafted incoming network message, a different vulnerability than CVE-2019-14431.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28413 βΌ
π Read
via "National Vulnerability Database".
In MantisBT 2.24.3, SQL Injection can occur in the parameter "access" of the mc_project_get_users function through the API SOAP.π Read
via "National Vulnerability Database".
βΌ CVE-2019-15523 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in LINBIT csync2 through 2.0. It does not correctly check for the return value GNUTLS_E_WARNING_ALERT_RECEIVED of the gnutls_handshake() function. It neglects to call this function again, as required by the design of the API.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28095 βΌ
π Read
via "National Vulnerability Database".
On Tenda AC1200 (Model AC6) 15.03.06.51_multi devices, a large HTTP POST request sent to the change password API will trigger the router to crash and enter an infinite boot loop.π Read
via "National Vulnerability Database".
βΌ CVE-2020-17363 βΌ
π Read
via "National Vulnerability Database".
USVN (aka User-friendly SVN) before 1.0.9 allows remote code execution via shell metacharacters in the number_start or number_end parameter to LastHundredRequest (aka lasthundredrequestAction) in the Timeline module. NOTE: this may overlap CVE-2020-25069.π Read
via "National Vulnerability Database".
βΌ CVE-2016-9026 βΌ
π Read
via "National Vulnerability Database".
Exponent CMS before 2.6.0 has improper input validation in fileController.php.π Read
via "National Vulnerability Database".
βΌ CVE-2018-14067 βΌ
π Read
via "National Vulnerability Database".
Green Packet WiMax DV-360 2.10.14-g1.0.6.1 devices allow Command Injection, with unauthenticated remote command execution, via a crafted payload to the HTTPS port, because lighttpd listens on all network interfaces (including the external Internet) by default. NOTE: this may overlap CVE-2017-9980.π Read
via "National Vulnerability Database".
βΌ CVE-2019-7725 βΌ
π Read
via "National Vulnerability Database".
includes/core/is_user.php in NukeViet before 4.3.04 deserializes the untrusted nvloginhash cookie (i.e., the code relies on PHP's serialization format when JSON can be used to eliminate the risk).π Read
via "National Vulnerability Database".
βΌ CVE-2020-12658 βΌ
π Read
via "National Vulnerability Database".
gssproxy (aka gss-proxy) before 0.8.3 does not unlock cond_mutex before pthread exit in gp_worker_main() in gp_workers.c.π Read
via "National Vulnerability Database".
βΌ CVE-2016-9022 βΌ
π Read
via "National Vulnerability Database".
Exponent CMS before 2.6.0 has improper input validation in usersController.php.π Read
via "National Vulnerability Database".
βΌ CVE-2020-11947 βΌ
π Read
via "National Vulnerability Database".
iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker.π Read
via "National Vulnerability Database".
βΌ CVE-2016-9021 βΌ
π Read
via "National Vulnerability Database".
Exponent CMS before 2.6.0 has improper input validation in storeController.php.π Read
via "National Vulnerability Database".
βΌ CVE-2016-9023 βΌ
π Read
via "National Vulnerability Database".
Exponent CMS before 2.6.0 has improper input validation in cron/find_help.php.π Read
via "National Vulnerability Database".
βΌ CVE-2018-16795 βΌ
π Read
via "National Vulnerability Database".
OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface/super/manage_site_files.php to upload a .php file.π Read
via "National Vulnerability Database".
βΌ CVE-2020-19664 βΌ
π Read
via "National Vulnerability Database".
DrayTek Vigor2960 1.5.1 allows remote command execution via shell metacharacters in a toLogin2FA action to mainfunction.cgi.π Read
via "National Vulnerability Database".
βΌ CVE-2020-13654 βΌ
π Read
via "National Vulnerability Database".
XWiki Platform before 12.8 mishandles escaping in the property displayer.π Read
via "National Vulnerability Database".
βΌ CVE-2019-20808 βΌ
π Read
via "National Vulnerability Database".
In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2019-7726 βΌ
π Read
via "National Vulnerability Database".
modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent).π Read
via "National Vulnerability Database".