βΌ CVE-2021-3014 βΌ
π Read
via "National Vulnerability Database".
In MikroTik RouterOS through 2021-01-04, the hotspot login page is vulnerable to reflected XSS via the target parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26293 βΌ
π Read
via "National Vulnerability Database".
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. In HtmlSanitizer before version 5.0.372, there is a possible XSS bypass if style tag is allowed. If you have explicitly allowed the `<style>` tag, an attacker could craft HTML that includes script after passing through the sanitizer. The default settings disallow the `<style>` tag so there is no risk if you have not explicitly allowed the `<style>` tag. The problem has been fixed in version 5.0.372.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26294 βΌ
π Read
via "National Vulnerability Database".
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. In Vela compiler before version 0.6.1 there is a vulnerability which allows exposure of server configuration. It impacts all users of Vela. An attacker can use Sprig's `env` function to retrieve configuration information, see referenced GHSA for an example. This has been fixed in version 0.6.1. In addition to upgrading, it is recommended to rotate all secrets.π Read
via "National Vulnerability Database".
βΌ CVE-2020-26297 βΌ
π Read
via "National Vulnerability Database".
mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query. Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it.π Read
via "National Vulnerability Database".
β Researcher Breaks reCAPTCHA With Googleβs Speech-to-Text API β
π Read
via "Threat Post".
Researcher uses an old unCAPTCHA trick against latest the audio version of reCAPTCHA, with a 97 percent success rate.π Read
via "Threat Post".
Threat Post
Researcher Breaks reCAPTCHA With Googleβs Speech-to-Text API
Researcher uses an old unCAPTCHA trick against latest the audio version of reCAPTCHA, with a 97 percent success rate.
βΌ CVE-2020-5361 βΌ
π Read
via "National Vulnerability Database".
Select Dell Client Commercial and Consumer platforms support a BIOS password reset capability that is designed to assist authorized customers who forget their passwords. Dell is aware of unauthorized password generation tools that can generate BIOS recovery passwords. The tools, which are not authorized by Dell, can be used by a physically present attacker to reset BIOS passwords and BIOS-managed Hard Disk Drive (HDD) passwords. An unauthenticated attacker with physical access to the system could potentially exploit this vulnerability to bypass security restrictions for BIOS Setup configuration, HDD access and BIOS pre-boot authentication.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29498 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite versions prior to 3.1 contain an open redirect vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29497 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with low privileges could exploit this vulnerability to store malicious HTML or JavaScript code under the device tag. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29496 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to store malicious HTML or JavaScript code while creating the Enduser. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29492 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to access the writable file and manipulate the configuration of any target specific station.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29491 βΌ
π Read
via "National Vulnerability Database".
Dell Wyse ThinOS 8.6 and prior versions contain an insecure default configuration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to gain access to the sensitive information on the local network, leading to the potential compromise of impacted thin clients.π Read
via "National Vulnerability Database".
π΄ Microsoft Source Code Exposed: What We Know & What It Means π΄
π Read
via "Dark Reading".
Microsoft says there is no increase in security risk; however, experts say access to source code could make some steps easier for attackers.π Read
via "Dark Reading".
Darkreading
Microsoft Source Code Exposed: What We Know & What It Means
Microsoft says there is no increase in security risk; however, experts say access to source code could make some steps easier for attackers.
β Ransomware Gang Collects Data from Blood Testing Lab β
π Read
via "Threat Post".
Apex Laboratory patient data was lifted and posted on a leak site.π Read
via "Threat Post".
Threat Post
Ransomware Gang Collects Data from Blood Testing Lab
Apex Laboratory patient data was lifted and posted on a leak site.
π΄ What You Need to Know About California's New Privacy Rules π΄
π Read
via "Dark Reading".
Proposition 24 will change Californians' rights and business's responsibilities regarding consumer data protection.π Read
via "Dark Reading".
Dark Reading
What You Need to Know About California's New Privacy Rules
Proposition 24 will change Californians' rights and business's responsibilities regarding consumer data protection.
β Chrome browser has a New Yearβs resolution: HTTPS by default β
π Read
via "Naked Security".
If snooping and falsifying web traffic is so easy when plain old HTTP is used, why do we still have HTTP at all?π Read
via "Naked Security".
Naked Security
Chrome browser has a New Yearβs resolution: HTTPS by default
If snooping and falsifying web traffic is so easy when plain old HTTP is used, why do we still have HTTP at all?
β ElectroRAT Drains Cryptocurrency Wallet Funds of Thousands β
π Read
via "Threat Post".
At least 6,500 cryptocurrency users have been infected by new, 'extremely intrusive' malware that's spread via trojanized macOS, Windows and Linux apps.π Read
via "Threat Post".
Threat Post
ElectroRAT Drains Cryptocurrency Wallet Funds of Thousands
At least 6,500 cryptocurrency users have been infected by new, 'extremely intrusive' malware that's spread via trojanized macOS, Windows and Linux apps.
β Major Gaming Companies Hit with Ransomware Linked to APT27 β
π Read
via "Threat Post".
Researchers say a recent attack targeting videogaming developers has 'strong links' to the infamous APT27 threat group.π Read
via "Threat Post".
Threat Post
Major Gaming Companies Hit with Ransomware Linked to APT27
Researchers say a recent attack targeting videogaming developers has 'strong links' to the infamous APT27 threat group.
π ZyXEL Godmode Backdoor Account Scanner π
π Read
via "Packet Storm Security".
zyHell is a perl script that scans for the ZyXEL godmode backdoor account.π Read
via "Packet Storm Security".
Packetstormsecurity
ZyXEL Godmode Backdoor Account Scanner β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π URLCrazy Domain Name Typo Tool 0.7.2 π
π Read
via "Packet Storm Security".
URLCrazy is a tool that can generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage. It generates 15 types of domain variants, knows over 8000 common misspellings, supports multiple keyboard layouts, can check if a typo is a valid domain, tests if domain typos are in use, and estimates the popularity of a typo.π Read
via "Packet Storm Security".
Packetstormsecurity
URLCrazy Domain Name Typo Tool 0.7.2 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
βΌ CVE-2020-13541 βΌ
π Read
via "National Vulnerability Database".
An exploitable local privilege elevation vulnerability exists in the file system permissions of the Mobile-911 Server V2.5 install directory. Depending on the vector chosen, an attacker can overwrite the service executable and execute arbitrary code with System privileges or replace other files within the installation folder that could lead to local privilege escalation.π Read
via "National Vulnerability Database".
βΌ CVE-2020-7202 βΌ
π Read
via "National Vulnerability Database".
A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4) firmware. The vulnerability could be remotely exploited to disclose the serial number and other information.π Read
via "National Vulnerability Database".