‼ CVE-2020-35724 ‼
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authority 8.1.2.200 allows remote attackers to inject malicious code into the browser via a specially crafted link to the Error.jsp file via the err parameter (or indirectly via the cpr, tcp, or abs parameter). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
‼ CVE-2021-3116 ‼
via "National Vulnerability Database".
before_upstream_connection in AuthPlugin in http/proxy/auth.py in proxy.py before 2.3.1 accepts incorrect Proxy-Authorization header data because of a boolean confusion (and versus or).
‼ CVE-2020-35722 ‼
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** CSRF in Web Compliance Manager in Quest Policy Authority 8.1.2.200 allows remote attackers to force user modification/creation via a specially crafted link to the submitUser.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
‼ CVE-2020-35205 ‼
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** Server Side Request Forgery (SSRF) in Web Compliance Manager in Quest Policy Authority version 8.1.2.200 allows attackers to scan internal ports and make outbound connections via the initFile.jsp file. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
‼ CVE-2020-17509 ‼
via "National Vulnerability Database".
Apache Traffic Server negative cache option is vulnerable to a cache poisoning attack affecting versions 6.0.0 through 6.2.3, 7.0.0 through 7.1.10, and 8.0.0 through 8.0.7. If you have this option enabled, please upgrade or disable this feature.
‼ CVE-2021-3121 ‼
via "National Vulnerability Database".
An issue was discovered in GoGo Protobuf before 1.3.2. plugin/unmarshal/unmarshal.go lacks certain index validation, aka the "skippy peanut butter" issue.
‼ CVE-2020-13922 ‼
via "National Vulnerability Database".
Versions of Apache DolphinScheduler prior to 1.3.2 allowed an ordinary user under any tenant to override another user's password through the API interface.
‼ CVE-2020-17508 ‼
via "National Vulnerability Database".
The ESI plugin in Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.11, and 8.0.0 to 8.1.0 has a memory disclosure vulnerability. If you are running the plugin please upgrade to 7.1.12 or 8.1.1 or later.
‼ CVE-2021-3118 ‼
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** EVOLUCARE ECSIMAGING (aka ECS Imaging) through 6.21.5 has multiple SQL Injection issues in the login form and the password-forgotten form (such as /req_password_user.php?email=). This allows an attacker to steal data in the database and obtain access to the application. (The database component runs as root.) NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
‼ CVE-2020-11995 ‼
via "National Vulnerability Database".
A deserialization vulnerability existed in dubbo 2.7.5 and its earlier versions, which could lead to malicious code execution. Most Dubbo users use Hessian2 as the default serialization/deserialization protocol. During Hessian2 deserialization of the HashMap object, some functions in the classes stored in the HashMap will be executed after a series of program calls; however, those special functions may cause remote command execution. For example, the hashCode() function of the EqualsBean class in rome-1.7.0.jar will cause malicious classes to be remotely loaded and malicious code to be executed by constructing a malicious request. This issue was fixed in Apache Dubbo 2.6.9 and 2.7.8.
🦿 CES 2021: All of the business tech news you need to know 🦿
via "Tech Republic".
Don't miss TechRepublic's CES 2021 coverage, which includes product announcements from Lenovo, Samsung, LG, and Dell about PCs, laptops, software, robots, monitors, and TVs.
Google Titan security keys hacked by French researchers
via "Naked Security".
Researchers can now make software copies of Google's "unclonable" Titan security keys - but not yet undetectably.
jSQL Injection 0.83 Source Code Release
via "Packet Storm Security".
jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.
Flawfinder 2.0.14
via "Packet Storm Security".
Flawfinder searches through source code for potential security flaws, listing potential security flaws sorted by risk, with the most potentially dangerous flaws shown first. This risk level depends not only on the function, but on the values of the parameters of the function.
jSQL Injection 0.83
via "Packet Storm Security".
jSQL Injection is a lightweight application used to find database information from a distant server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions like Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the pre-built jar release.
SolarWinds Hack Potentially Linked to Turla APT
via "Threat Post".
Researchers have spotted notable code overlap between the Sunburst backdoor and a known Turla weapon.
Naked Security Live - HTTPS: do we REALLY need it?
via "Naked Security".
Here's the latest Naked Security Live video talk - watch now, and please share with your friends!
Researcher Builds Parler Archive Amid Amazon Suspension
via "Threat Post".
A researcher scraped and archived public Parler posts before the conservative social networking service was taken down by Amazon, Apple and Google.
‼ CVE-2020-24027 ‼
via "National Vulnerability Database".
In Live Networks, Inc., liblivemedia version 20200625, there is a potential buffer overflow bug in the server handling of a RTSP "PLAY" command, when the command specifies seeking by absolute time.
‼ CVE-2020-24025 ‼
via "National Vulnerability Database".
Certificate validation in node-sass 2.0.0 to 4.14.1 is disabled when requesting binaries even if the user is not specifying an alternative download path.