βΌ CVE-2021-3309 βΌ
π Read
via "National Vulnerability Database".
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store,π Read
via "National Vulnerability Database".
βΌ CVE-2021-26271 βΌ
π Read
via "National Vulnerability Database".
It was possible to execute a ReDoS-type attack inside CKEditor 4 before 4.16 by persuading a victim to paste crafted text into the Styles input of specific dialogs (in the Advanced Tab for Dialogs plugin).π Read
via "National Vulnerability Database".
βΌ CVE-2021-21271 βΌ
π Read
via "National Vulnerability Database".
Tendermint Core is an open source Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine - written in any programming language - and securely replicates it on many machines. Tendermint Core v0.34.0 introduced a new way of handling evidence of misbehavior. As part of this, we added a new Timestamp field to Evidence structs. This timestamp would be calculated using the same algorithm that is used when a block is created and proposed. (This algorithm relies on the timestamp of the last commit from this specific block.) In Tendermint Core v0.34.0-v0.34.2, the consensus reactor is responsible for forming DuplicateVoteEvidence whenever double signs are observed. However, the current block is still Γ’β¬œin flightΓ’β¬οΏ½ when it is being formed by the consensus reactor. It hasnΓ’β¬β’t been finalized through network consensus yet. This means that different nodes in the network may observe different Γ’β¬œlast commitsΓ’β¬οΏ½ when assigning a timestamp to DuplicateVoteEvidence. In turn, different nodes could form DuplicateVoteEvidence objects at the same height but with different timestamps. One DuplicateVoteEvidence object (with one timestamp) will then eventually get finalized in the block, but this means that any DuplicateVoteEvidence with a different timestamp is considered invalid. Any node that formed invalid DuplicateVoteEvidence will continue to propose invalid evidence; its peers may see this, and choose to disconnect from this node. This bug means that double signs are DoS vectors in Tendermint Core v0.34.0-v0.34.2. Tendermint Core v0.34.3 is a security release which fixes this bug. As of v0.34.3, DuplicateVoteEvidence is no longer formed by the consensus reactor; rather, the consensus reactor passes the Votes themselves into the EvidencePool, which is now responsible for forming DuplicateVoteEvidence. The EvidencePool has timestamp info that should be consistent across the network, which means that DuplicateVoteEvidence formed in this reactor should have consistent timestamps. This release changes the API between the consensus and evidence reactors.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3156 βΌ
π Read
via "National Vulnerability Database".
Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character:π Read
via "National Vulnerability Database".
βΌ CVE-2013-2512 βΌ
π Read
via "National Vulnerability Database".
The ftpd gem 0.2.1 for Ruby allows remote attackers to execute arbitrary OS commands via shell metacharacters in a LIST or NLST command argument within FTP protocol traffic.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3317 βΌ
π Read
via "National Vulnerability Database".
KLog Server through 2.4.1 allows authenticated command injection. async.php calls shell_exec() on the original value of the source parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3165 βΌ
π Read
via "National Vulnerability Database".
SmartAgent 3.1.0 allows a ViewOnly attacker to create a SuperUser account via the /#/CampaignManager/users URI.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3272 βΌ
π Read
via "National Vulnerability Database".
jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.π Read
via "National Vulnerability Database".
β Apple Patches Three Actively Exploited Zero-Days, Part of iOS Emergency Update β
π Read
via "Threat Post".
An anonymous researcher identified bugs in the softwareβs kernel and WebKit browser engine that are likely part of an exploit chain.π Read
via "Threat Post".
Threat Post
Apple Patches Three Actively Exploited Zero-Days, Part of iOS Emergency Update
An anonymous researcher identified bugs in the softwareβs kernel and WebKit browser engine that are likely part of an exploit chain.
β Apple critical patches fix in-the-wild iPhone exploits β update now! β
π Read
via "Naked Security".
Apple says. "Additional details available soon", which you can translate as "this one took us by surprise". So patch now!π Read
via "Naked Security".
Naked Security
Apple critical patches fix in-the-wild iPhone exploits β update now!
Apple says. βAdditional details available soonβ, which you can translate as βthis one took us by surpriseβ. So patch now!
π¦Ώ How ghost accounts could leave your organization vulnerable to ransomware π¦Ώ
π Read
via "Tech Republic".
Active accounts for people who have left your organization are ripe for exploitation, according to Sophos.π Read
via "Tech Republic".
π΄ Security's Inevitable Shift to the Edge π΄
π Read
via "Dark Reading".
As the edge becomes the place for DDoS mitigation, Web app security, and other controls, SASE is the management platform to handle them all.π Read
via "Dark Reading".
Dark Reading
Security's Inevitable Shift to the Edge
As the edge becomes the place for DDoS mitigation, Web app security, and other controls, SASE is the management platform to handle them all.
βΌ CVE-2020-4967 βΌ
π Read
via "National Vulnerability Database".
IBM Cloud Pak for Security (CP4S) 1.3.0.1 could disclose sensitive information through HTTP headers which could be used in further attacks against the system. IBM X-Force ID: 192425.π Read
via "National Vulnerability Database".
βΌ CVE-2020-4816 βΌ
π Read
via "National Vulnerability Database".
IBM Cloud Pak for Security (CP4S) 1.4.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 189703.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36012 βΌ
π Read
via "National Vulnerability Database".
Stored XSS vulnerability in BDTASK Multi-Store Inventory Management System 1.0 allows a local admin to inject arbitrary code via the Customer Name Field.π Read
via "National Vulnerability Database".
βΌ CVE-2020-4820 βΌ
π Read
via "National Vulnerability Database".
IBM Cloud Pak for Security (CP4S) 1.4.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.π Read
via "National Vulnerability Database".
βΌ CVE-2020-4628 βΌ
π Read
via "National Vulnerability Database".
IBM Cloud Pak for Security (CP4S) 1.3.0.1 and 1.4.0.0 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 185369.π Read
via "National Vulnerability Database".
βΌ CVE-2020-4815 βΌ
π Read
via "National Vulnerability Database".
IBM Cloud Pak for Security (CP4S) 1.4.0.0 could allow a remote user to obtain sensitive information from HTTP response headers that could be used in further attacks against the system.π Read
via "National Vulnerability Database".
π¦Ώ Why Ubuntu 21.04 is an important release, even without GNOME 40 π¦Ώ
π Read
via "Tech Republic".
Jack Wallen discusses why the upcoming Ubuntu 21.04 is more important than some of its features would imply.π Read
via "Tech Republic".
TechRepublic
Why Ubuntu 21.04 is an important release, even without GNOME 40
Jack Wallen discusses why the upcoming Ubuntu 21.04 is more important than some of its features would imply.
βΌ CVE-2020-16106 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2020. Notes: none.π Read
via "National Vulnerability Database".