❌ Telegram Bots at Heart of Classiscam Scam-as-a-Service ❌
📖 Read
via "Threat Post".
The cybercriminal service has scammed victims out of $6.5 million and continues to spread on Telegram.📖 Read
via "Threat Post".
Threat Post
Telegram Bots at Heart of Classiscam Scam-as-a-Service
The cybercriminal service has scammed victims out of $6.5 million and continues to spread on Telegram.
‼ CVE-2020-29587 ‼
📖 Read
via "National Vulnerability Database".
SimplCommerce 1.0.0-rc uses the Bootbox.js library, which allows creation of programmatic dialog boxes using Bootstrap modals. The Bootbox.js library intentionally does not perform any sanitization of user input, which results in a DOM XSS, because it uses the jQuery .html() function to directly append the payload to a dialog.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-6776 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an unauthenticated remote attacker to trigger actions on an affected system on behalf of another user (Cross-Site Request Forgery). This requires the victim to be tricked into clicking a malicious link or submitting a malicious form. A successful exploit allows the attacker to perform arbitrary actions with the privileges of the victim, e.g. creating and modifying user accounts, changing system configuration settings and cause DoS conditions. Note: For Bosch PRAESIDEO 4.31 and newer and Bosch PRAESENSA in all versions, the confidentiality impact is considered low because user credentials are not shown in the web interface.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29019 ‼
📖 Read
via "National Vulnerability Database".
A stack-based buffer overflow vulnerability in FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow a remote, unauthenticated attacker to crash the httpd daemon thread by sending a request with a crafted cookie header.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29018 ‼
📖 Read
via "National Vulnerability Database".
A format string vulnerability in FortiWeb 6.3.0 through 6.3.5 may allow an authenticated, remote attacker to read the content of memory and retrieve sensitive data via the redir parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21722 ‼
📖 Read
via "National Vulnerability Database".
A ZTE Smart STB is impacted by an information leak vulnerability. The device did not fully verify the log, so attackers could use this vulnerability to obtain sensitive user information for further information detection and attacks. This affects: ZXV10 B860A V2.1-T_V0032.1.1.04_jiangsuTelecom.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29015 ‼
📖 Read
via "National Vulnerability Database".
A blind SQL injection in the user interface of FortiWeb 6.3.0 through 6.3.7 and version before 6.2.4 may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29017 ‼
📖 Read
via "National Vulnerability Database".
An OS command injection vulnerability in FortiDeceptor 3.1.0, 3.0.1, 3.0.0 may allow a remote authenticated attacker to execute arbitrary commands on the system by exploiting a command injection vulnerability on the Customization page.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-23926 ‼
📖 Read
via "National Vulnerability Database".
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24122 ‼
📖 Read
via "National Vulnerability Database".
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-27368 ‼
📖 Read
via "National Vulnerability Database".
Directory Indexing in Login Portal of Login Portal of TOTOLINK-A702R-V1.0.0-B20161227.1023 allows attacker to access /icons/ directories via GET Parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-6777 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Bosch PRAESIDEO until and including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an authenticated remote attacker with admin privileges to mount a stored Cross-Site-Scripting (XSS) attack against another user. When the victim logs into the management interface, the stored script code is executed in the context of his browser. A successful exploit would allow an attacker to interact with the management interface with the privileges of the victim. However, as the attacker already needs admin privileges, there is no additional impact on the management interface itself.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26733 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) in Configuration page in SKYWORTH GN542VF Hardware Version 2.0 and Software Version 2.0.0.16 allows authenticated attacker to inject their own script into the page via DDNS Configuration Section.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-29016 ‼
📖 Read
via "National Vulnerability Database".
A stack-based buffer overflow vulnerability in FortiWeb 6.3.0 through 6.3.5 and version before 6.2.4 may allow an unauthenticated, remote attacker to overwrite the content of the stack and potentially execute arbitrary code by sending a crafted request with a large certname.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26732 ‼
📖 Read
via "National Vulnerability Database".
Skyworth GN542VF Boa version 0.94.13 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.📖 Read
via "National Vulnerability Database".
🦿 US government warns of cyberattacks targeting cloud services 🦿
📖 Read
via "Tech Republic".
Such attacks often occur when employees work remotely and use a mixture of personal and business devices to access cloud services.📖 Read
via "Tech Republic".
TechRepublic
US government warns of cyberattacks targeting cloud services
Such attacks often occur when employees work remotely and use a mixture of personal and business devices to access cloud services.
🦿 CES 2021: All of the business tech news you need to know 🦿
📖 Read
via "Tech Republic".
Don't miss TechRepublic's CES 2021 coverage, which includes product announcements from Lenovo, Samsung, LG, and Dell about PCs, laptops, software, robots, monitors, and TVs.📖 Read
via "Tech Republic".
TechRepublic
CES 2021: All of the business tech news you need to know
Don't miss TechRepublic's CES 2021 coverage, which includes product announcements from Lenovo, Samsung, LG, and Dell about PCs, laptops, software, robots, monitors, and TVs.
🔏 Hackers Leak Stolen COVID-19 Vaccine Data Online 🔏
📖 Read
via "Digital Guardian".
The breach has not affected the efficacy or approval of the vaccine in Europe.📖 Read
via "Digital Guardian".
Digital Guardian
Hackers Leak Stolen COVID-19 Vaccine Data Online
The breach has not affected the efficacy or approval of the vaccine in Europe.
❌ Florida Ethics Officer Charged with Cyberstalking ❌
📖 Read
via "Threat Post".
Judge bars former Tallahassee city ethics officer from internet-connected devices after her arrest for cyberstalking.📖 Read
via "Threat Post".
Threat Post
Florida Ethics Officer Charged with Cyberstalking
Judge bars former Tallahassee city ethics officer from internet-connected devices after her arrest for cyberstalking.
🕴 NSA Recommends Using Only 'Designated' DNS Resolvers 🕴
📖 Read
via "Dark Reading".
Agency provides guidelines on securely deploying DNS over HTTPS, aka DoH.📖 Read
via "Dark Reading".
Dark Reading
NSA Recommends Using Only 'Designated' DNS Resolvers
Agency provides guidelines on securely deploying DNS over HTTPS, aka DoH.
‼ CVE-2021-22132 ‼
📖 Read
via "National Vulnerability Database".
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2📖 Read
via "National Vulnerability Database".