βΌ CVE-2021-22132 βΌ
π Read
via "National Vulnerability Database".
Elasticsearch versions 7.7.0 to 7.10.1 contain an information disclosure flaw in the async search API. Users who execute an async search will improperly store the HTTP headers. An Elasticsearch user with the ability to read the .tasks index could obtain sensitive request headers of other users in the cluster. This issue is fixed in Elasticsearch 7.10.2π Read
via "National Vulnerability Database".
βΌ CVE-2021-21261 βΌ
π Read
via "National Vulnerability Database".
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. A bug was discovered in the `flatpak-portal` service that can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.9.4. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. For example, this is used in Flatpak-packaged web browsers such as Chromium to launch subprocesses that will process untrusted web content, and give those subprocesses a more restrictive sandbox than the browser itself. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox. As a workaround, this vulnerability can be mitigated by preventing the `flatpak-portal` service from starting, but that mitigation will prevent many Flatpak apps from working correctly. This is fixed in versions 1.8.5 and 1.9.4.π Read
via "National Vulnerability Database".
β Facebook: Malicious Chrome Extension Developers Scraped Profile Data β
π Read
via "Threat Post".
Facebook has sued two Chrome devs for scraping user profile data - including names, user IDs and more.π Read
via "Threat Post".
Threat Post
Facebook: Malicious Chrome Extension Developers Scraped Profile Data
Facebook has sued two Chrome devs for scraping user profile data - including names, user IDs and more.
π΄ Businesses Struggle with Cloud Availability as Attackers Take Aim π΄
π Read
via "Dark Reading".
Researchers find organizations struggle with availability for cloud applications as government officials warn of cloud-focused cyberattacks.π Read
via "Dark Reading".
Dark Reading
Businesses Struggle with Cloud Availability as Attackers Take Aim
Researchers find organizations struggle with availability for cloud applications as government officials warn of cloud-focused cyberattacks.
β Europol announces bust of βworldβs biggestβ dark web marketplace β
π Read
via "Naked Security".
Dark web servers are hard to find - but not impossible.π Read
via "Naked Security".
Naked Security
Europol announces bust of βworldβs biggestβ dark web marketplace
Dark web servers are hard to find β but not impossible.
π΄ 'Chimera' Threat Group Abuses Microsoft & Google Cloud Services π΄
π Read
via "Dark Reading".
Researchers detail a new threat group targeting cloud services to achieve goals aligning with Chinese interests.π Read
via "Dark Reading".
Darkreading
'Chimera' Threat Group Abuses Microsoft & Google Cloud Services
Researchers detail a new threat group targeting cloud services to achieve goals aligning with Chinese interests.
π¦Ώ CES 2021: All of the business tech news you need to know π¦Ώ
π Read
via "Tech Republic".
Don't miss TechRepublic's CES 2021 coverage, which includes product announcements from Lenovo, Samsung, LG, and Dell about PCs, laptops, software, robots, monitors, and TVs.π Read
via "Tech Republic".
TechRepublic
CES 2021: All of the business tech news you need to know
Don't miss TechRepublic's CES 2021 coverage, which includes product announcements from Lenovo, Samsung, LG, and Dell about PCs, laptops, software, robots, monitors, and TVs.
π¦Ώ How to install Eternal Terminal for persistent SSH connections π¦Ώ
π Read
via "Tech Republic".
If you have trouble with SSH connections breaking, Jack Wallen shows you how you can enjoy a bit more persistence with the help of Eternal Terminal.π Read
via "Tech Republic".
TechRepublic
How to install Eternal Terminal for persistent SSH connections
If you have trouble with SSH connections breaking, Jack Wallen shows you how you can enjoy a bit more persistence with the help of Eternal Terminal.
βΌ CVE-2020-29494 βΌ
π Read
via "National Vulnerability Database".
Dell EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a Path Traversal Vulnerability in PDM. A remote user could potentially exploit this vulnerability, to gain unauthorized write access to the arbitrary files stored on the server filesystem, causing deletion of arbitrary files.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29493 βΌ
π Read
via "National Vulnerability Database".
DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a SQL Injection Vulnerability in Fitness Analyzer. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database, causing unauthorized read and write access to application data. Exploitation may lead to leakage or deletion of sensitive backup data; hence the severity is Critical. Dell EMC recommends customers to upgrade at the earliest opportunity.π Read
via "National Vulnerability Database".
βΌ CVE-2020-6572 βΌ
π Read
via "National Vulnerability Database".
Use after free in Media in Google Chrome prior to 81.0.4044.92 allowed a remote attacker to execute arbitrary code via a crafted HTML page.π Read
via "National Vulnerability Database".
βΌ CVE-2020-16046 βΌ
π Read
via "National Vulnerability Database".
Script injection in iOSWeb in Google Chrome on iOS prior to 84.0.4147.105 allowed a remote attacker to execute arbitrary code via a crafted HTML page.π Read
via "National Vulnerability Database".
βΌ CVE-2020-29495 βΌ
π Read
via "National Vulnerability Database".
DELL EMC Avamar Server, versions 19.1, 19.2, 19.3, contain an OS Command Injection Vulnerability in Fitness Analyzer. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS with high privileges. This vulnerability is considered critical as it can be leveraged to completely compromise the vulnerable application as well as the underlying operating system. Dell recommends customers to upgrade at the earliest opportunity.π Read
via "National Vulnerability Database".
βΌ CVE-2020-16045 βΌ
π Read
via "National Vulnerability Database".
Use after Free in Payments in Google Chrome on Android prior to 87.0.4280.66 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.π Read
via "National Vulnerability Database".
π΄ Shifting Privacy Landscape, Disruptive Technologies Will Test Businesses π΄
π Read
via "Dark Reading".
A new machine learning tool aims to mine privacy policies on behalf of users.π Read
via "Dark Reading".
Dark Reading
Shifting Privacy Landscape, Disruptive Technologies Will Test Businesses
A new machine learning tool aims to mine privacy policies on behalf of users.
βΌ CVE-2020-27219 βΌ
π Read
via "National Vulnerability Database".
In all version of Eclipse Hawkbit prior to 0.3.0M7, the HTTP 404 (Not Found) JSON response body returned by the REST API may contain unsafe characters within the path attribute. Sending a POST request to a non existing resource will return the full path from the given URL unescaped to the client.π Read
via "National Vulnerability Database".
βΌ CVE-2020-27220 βΌ
π Read
via "National Vulnerability Database".
The Eclipse Hono AMQP and MQTT protocol adapters do not check whether an authenticated gateway device is authorized to receive command & control messages when it has subscribed only to commands for a specific device. The missing check involves verifying that the command target device is configured giving permission for the gateway device to act on its behalf. This means an authenticated device of a certain tenant, notably also a non-gateway device acting like a gateway, may receive command & control messages targeted at a different device of the same tenant without corresponding permissions getting checked.π Read
via "National Vulnerability Database".
βΌ CVE-2020-35581 βΌ
π Read
via "National Vulnerability Database".
A stored cross-site scripting (XSS) issue in Envira Gallery Lite before 1.8.3.3 allows remote attackers to inject arbitrary JavaScript/HTML code via a POST /wp-admin/admin-ajax.php request with the meta[title] parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23836 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in flatCore before 2.0.0 build 139. A stored XSS vulnerability was identified in the prefs_smtp_psw HTTP request body parameter for the acp interface. An admin user can inject malicious client-side script into the affected parameter without any form of input sanitization. The injected payload will be executed in the browser of a user whenever one visits the affected module page.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23835 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in flatCore before 2.0.0 build 139. A local file disclosure vulnerability was identified in the docs_file HTTP request body parameter for the acp interface. This can be exploited with admin access rights. The affected parameter (which retrieves the contents of the specified file) was found to be accepting malicious user input without proper sanitization, thus leading to retrieval of backend server sensitive files, e.g., /etc/passwd, SQLite database files, PHP source code, etc.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23838 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in flatCore before 2.0.0 build 139. A reflected XSS vulnerability was identified in the media_filter HTTP request body parameter for the acp interface. The affected parameter accepts malicious client-side script without proper input sanitization. For example, a malicious user can leverage this vulnerability to steal cookies from a victim user and perform a session-hijacking attack, which may then lead to unauthorized access to the site.π Read
via "National Vulnerability Database".