❌ Inbox Attacks: The Miserable Year (2020) That Was ❌
📖 Read
via "Threat Post".
Reflecting on 2020's record-breaking year of spam and inbox threats.📖 Read
via "Threat Post".
Threat Post
Inbox Attacks: The Miserable Year (2020) That Was
Reflecting on 2020's record-breaking year of spam and inbox threats.
‼ CVE-2020-35717 ‼
📖 Read
via "National Vulnerability Database".
zonote through 0.4.0 allows XSS via a crafted note, with resultant Remote Code Execution (because nodeIntegration in webPreferences is true).📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35391 ‼
📖 Read
via "National Vulnerability Database".
Tenda N300 F3 12.01.01.48 devices allow remote attackers to obtain sensitive information (possibly including an http_passwd line) via a direct request for cgi-bin/DownloadCfg/RouterCfm.cfg, a related issue to CVE-2017-14942. NOTE: the vulnerability report may suggest that either a ? character must be placed after the RouterCfm.cfg filename, or that the HTTP request headers must be unusual, but it is not known why these are relevant to the device's HTTP response behavior.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3002 ‼
📖 Read
via "National Vulnerability Database".
Seo Panel 4.8.0 allows reflected XSS via the seo/seopanel/login.php?sec=forgot email parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28852 ‼
📖 Read
via "National Vulnerability Database".
In x/text in Go 1.15.4, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28851 ‼
📖 Read
via "National Vulnerability Database".
In x/text in Go 1.15.4, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension. (x/text/language is supposed to be able to parse an HTTP Accept-Language header.)📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35952 ‼
📖 Read
via "National Vulnerability Database".
login.php in PHPFusion (aka PHP-Fusion) Andromeda 9.x before 2020-12-30 generates error messages that distinguish between incorrect username and incorrect password (i.e., not a single "Incorrect username or password" message in both cases), which might allow enumeration.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-28841 ‼
📖 Read
via "National Vulnerability Database".
MyDrivers64.sys in DriverGenius 9.61.3708.3054 allows attackers to cause a system crash via the ioctl command 0x9c402000 to \\.\MyDrivers0_0_1.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3004 ‼
📖 Read
via "National Vulnerability Database".
The _deposit function in the smart contract implementation for Stable Yield Credit (yCREDIT), an Ethereum token, has certain incorrect calculations. An attacker can obtain more yCREDIT tokens than they should.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3005 ‼
📖 Read
via "National Vulnerability Database".
MK-AUTH through 19.01 K4.9 allows remote attackers to obtain sensitive information (e.g., a CPF number) via a modified titulo (aka invoice number) value to the central/recibo.php URI.📖 Read
via "National Vulnerability Database".
❌ 2021 Cybersecurity Trends: Bigger Budgets, Endpoint Emphasis and Cloud ❌
📖 Read
via "Threat Post".
Insider threats are redefined in 2021, the work-from-home trend will continue define the threat landscape and mobile endpoints become the attack vector of choice, according 2021 forecasts.📖 Read
via "Threat Post".
Threat Post
2021 Cybersecurity Trends: Bigger Budgets, Endpoint Emphasis and Cloud
Insider threats are redefined in 2021, the work-from-home trend will continue define the threat landscape and mobile endpoints become the attack vector of choice, according 2021 forecasts.
‼ CVE-2020-35963 ‼
📖 Read
via "National Vulnerability Database".
flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35964 ‼
📖 Read
via "National Vulnerability Database".
track_header in libavformat/vividas.c in FFmpeg 4.3.1 has an out-of-bounds write because of incorrect extradata packing.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21495 ‼
📖 Read
via "National Vulnerability Database".
MK-AUTH through 19.01 K4.9 allows CSRF for password changes via the central/executar_central.php?acao=altsenha_princ URI.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3007 ‼
📖 Read
via "National Vulnerability Database".
Zend Framework 3.0.0 has a deserialization vulnerability that can lead to remote code execution if the content is controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php. NOTE: the code may be related to Laminas Project laminas-http. Zend Framework is no longer supported by the maintainer. However, not all Zend Framework 3.0.0 vulnerabilities exist in a Laminas Project release.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21494 ‼
📖 Read
via "National Vulnerability Database".
MK-AUTH through 19.01 K4.9 allows XSS via the admin/logs_ajax.php tipo parameter. An attacker can leverage this to read the centralmka2 (session token) cookie, which is not set to HTTPOnly.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35965 ‼
📖 Read
via "National Vulnerability Database".
decode_frame in libavcodec/exr.c in FFmpeg 4.3.1 has an out-of-bounds write because of errors in calculations of when to perform memset zero operations.📖 Read
via "National Vulnerability Database".
🕴 CISO New Year's Resolutions for 2021 🕴
📖 Read
via "Dark Reading".
Six resolutions for forward-looking cyber-risk leaders.📖 Read
via "Dark Reading".
Dark Reading
CISO New Year's Resolutions for 2021
Six resolutions for forward-looking cyber-risk leaders.
🕴 COVID-19's Acceleration of Cloud Migration & Identity-Centric Security 🕴
📖 Read
via "Dark Reading".
Here are some tips for updating access control methods that accommodate new remote working norms without sacrificing security.📖 Read
via "Dark Reading".
Dark Reading
COVID-19's Acceleration of Cloud Migration & Identity-Centric Security
Here are some tips for updating access control methods that accommodate new remote working norms without sacrificing security.
‼ CVE-2020-4910 ‼
📖 Read
via "National Vulnerability Database".
IBM Cloud Pak System 2.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191274.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-4918 ‼
📖 Read
via "National Vulnerability Database".
IBM Cloud Pak System 2.3 could allow l local privileged user to disclose sensitive information due to an insecure direct object reference in sell service console for the Platform System Manager. IBM X-Force ID: 191392.📖 Read
via "National Vulnerability Database".