🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-23330 ‼

All versions of package launchpad are vulnerable to Command Injection via stop.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-25594 ‼

HashiCorp Vault and Vault Enterprise allowed for enumeration of Secrets Engine mount paths via unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-21276 ‼

Polr is an open source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-3024 ‼

HashiCorp Vault and Vault Enterprise disclosed the internal IP address of the Vault node when responding to some invalid, unauthenticated HTTP requests. Fixed in 1.6.2 & 1.5.7.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-13564 ‼

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template acl_id parameter.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-13562 ‼

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template action parameter.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-3283 ‼

In HashiCorp Nomad and Nomad Enterprise up to 0.12.9, the exec and java task drivers can access processes associated with other tasks on the same node. Fixed in 0.12.10 and 1.0.3.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-13563 ‼

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability in the phpGACL template group_id parameter.

📖 Read

via "National Vulnerability Database".
⚠ Naked Security Live – What if my password manager gets hacked? ⚠

Our latest Naked Security Live talk - watch now!

📖 Read

via "Naked Security".
🦿 Cybersecurity pros should switch from Indicators of Compromise to Indicators of Behavior 🦿

Security experts suggest using IOBs to move from reacting to a cyberattack to preventing the incident.

📖 Read

via "Tech Republic".
🕴 US Needs Comprehensive Policy to Combat China on IP Theft 🕴

The United States cannot lose sight of Chinese cyber operations that target intellectual property, a panel of experts says.

📖 Read

via "Dark Reading".
🕴 Name That Edge Toon: Be Careful Who You Trust 🕴

Feeling creative? Submit your caption in the comments, and our panel of experts will reward the winner with a $25 Amazon gift card.

📖 Read

via "Dark Reading".
🕴 Edge Poll: Hook, Line, and Sinker 🕴

How confident are you in your security team's ability to protect your organization from phishing?

📖 Read

via "Dark Reading".
‼ CVE-2020-20296 ‼

An issue was found in the CMSWing project, version 1.3.8. Because the rechargeAction function does not check the balance parameter, malicious parameters can execute arbitrary SQL commands.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-20289 ‼

SQL injection vulnerability in the yccms 3.3 project. The no_top function's improper validation of the request parameters triggers a SQL injection vulnerability.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-21179 ‼

SQL injection vulnerability in koa2-blog 1.0.0 allows remote attackers to inject a malicious SQL statement via the name parameter of the signin page.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-20290 ‼

Directory traversal vulnerability in the yccms 3.3 project. The delete, deletesite, and deleteAll functions' improper validation of the request parameters triggers a directory traversal vulnerability.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-20287 ‼

Unrestricted file upload vulnerability in the yccms 3.3 project. The xhUp function's improper validation of the request parameters allows remote code execution.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-21180 ‼

SQL injection vulnerability in koa2-blog 1.0.0 allows remote attackers to inject a malicious SQL statement via the name parameter of the signup page.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-20295 ‼

An issue was found in the CMSWing project, version 1.3.8. Because the updateAction function does not check the detail parameter, malicious parameters can execute arbitrary SQL commands.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-21287 ‼

MinIO is a high performance object storage server released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL from which the code running on the server will read data, or to which it will submit data; by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z; all users are advised to upgrade. As a workaround you can disable the browser front-end with the "MINIO_BROWSER=off" environment variable.

📖 Read

via "National Vulnerability Database".