‼ CVE-2020-8264 ‼
📖 Read
via "National Vulnerability Database".
In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-8274 ‼
📖 Read
via "National Vulnerability Database".
Citrix Secure Mail for Android before 20.11.0 suffers from Improper Control of Generation of Code ('Code Injection') by allowing unauthenticated access to read data stored within Secure Mail. Note that a malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29041 ‼
📖 Read
via "National Vulnerability Database".
A misconfiguration in Web-Sesame 2020.1.1.3375 allows an unauthenticated attacker to download the source code of the application, facilitating its comprehension (code review). Specifically, JavaScript source maps were inadvertently included in the production Webpack configuration. These maps contain sources used to generate the bundle, configuration settings (e.g., API keys), and developers' comments.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-35262 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in Digisol DG-HR3400 can be exploited via the NTP server name in Time and date module and "Keyword" in URL Filter.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-8281 ‼
📖 Read
via "National Vulnerability Database".
A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-36178 ‼
📖 Read
via "National Vulnerability Database".
oal_ipt_addBridgeIsolationRules on TP-Link TL-WR840N 6_EU_0.9.1_4.16 devices allows OS command injection because a raw string entered from the web interface (an IP address field) is used directly for a call to the system library function (for iptables).📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25498 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in Beetel router 777VR1 can be exploited via the NTP server name in System Time and "Keyword" in URL Filter.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-8287 ‼
📖 Read
via "National Vulnerability Database".
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 allow two copies of a header field in an HTTP request (for example, two Transfer-Encoding header fields). In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-8275 ‼
📖 Read
via "National Vulnerability Database".
Citrix Secure Mail for Android before 20.11.0 suffers from improper access control allowing unauthenticated access to read limited calendar related data stored within Secure Mail. Note that a malicious app would need to be installed on the Android device or a threat actor would need to execute arbitrary code on the Android device.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-8265 ‼
📖 Read
via "National Vulnerability Database".
Node.js versions before 10.23.1, 12.20.1, 14.15.4, 15.5.1 are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.📖 Read
via "National Vulnerability Database".
❌ Facebook’s Mandatory Data-Sharing Rules for WhatsApp Spark Ire ❌
📖 Read
via "Threat Post".
The messaging platform will update its privacy platform on Feb. 8 to integrate further with its parent company, prompting users to cry foul over privacy issues.📖 Read
via "Threat Post".
Threat Post
Facebook’s Mandatory Data-Sharing Rules for WhatsApp Spark Ire
The messaging platform will update its privacy platform on Feb. 8 to integrate further with its parent company, prompting users to cry foul over privacy issues.
⚠ S3 Ep14: Money scams, HTTPS by default, and hardcoded passwords [Podcast] ⚠
📖 Read
via "Naked Security".
Listen now!📖 Read
via "Naked Security".
Naked Security
S3 Ep14: Money scams, HTTPS by default, and hardcoded passwords [Podcast]
Listen now!
🕴 The 3 Most Common Types of BEC Attacks (And What You Can Do About Them) 🕴
📖 Read
via "Dark Reading".
Always be skeptical and double check credentials.📖 Read
via "Dark Reading".
Dark Reading
The 3 Most Common Types of BEC Attacks (And What You Can Do About Them)
Always be skeptical and double check credentials.
‼ CVE-2020-35114 ‼
📖 Read
via "National Vulnerability Database".
Mozilla developers reported memory safety bugs present in Firefox 83. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 84.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-24902 ‼
📖 Read
via "National Vulnerability Database".
Quixplorer <=2.4.1 is vulnerable to reflected cross-site scripting (XSS) caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26971 ‼
📖 Read
via "National Vulnerability Database".
Certain blit values provided by the user were not properly constrained leading to a heap buffer overflow on some video drivers. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-24901 ‼
📖 Read
via "National Vulnerability Database".
The default installation of Krpano Panorama Viewer version <=1.20.8 is vulnerable to Reflected XSS due to insecure remote js load in file viewer/krpano.html, parameter plugin[test].url.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26972 ‼
📖 Read
via "National Vulnerability Database".
The lifecycle of IPC Actors allows managed actors to outlive their manager actors; and the former must ensure that they are not attempting to use a dead actor they have a reference to. Such a check was omitted in WebGL, resulting in a use-after-free and a potentially exploitable crash. This vulnerability affects Firefox < 84.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26974 ‼
📖 Read
via "National Vulnerability Database".
When flex-basis was used on a table wrapper, a StyleGenericFlexBasis object could have been incorrectly cast to the wrong type. This resulted in a heap user-after-free, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 84, Thunderbird < 78.6, and Firefox ESR < 78.6.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26977 ‼
📖 Read
via "National Vulnerability Database".
By attempting to connect a website using an unresponsive port, an attacker could have controlled the content of a tab while the URL bar displayed the original domain. *Note: This issue only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26975 ‼
📖 Read
via "National Vulnerability Database".
When a malicious application installed on the user's device broadcast an Intent to Firefox for Android, arbitrary headers could have been specified, leading to attacks such as abusing ambient authority or session fixation. This was resolved by only allowing certain safe-listed headers. *Note: This issue only affected Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 84.📖 Read
via "National Vulnerability Database".