🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
CVE-2020-21180

SQL injection vulnerability in koa2-blog 1.0.0 allows remote attackers to inject a malicious SQL statement via the name parameter to the signup page.

via "National Vulnerability Database".
CVE-2020-20295

An issue was found in CMSWing project version 1.3.8. Because the updateAction function does not check the detail parameter, malicious parameters can execute arbitrary SQL commands.

via "National Vulnerability Database".
CVE-2021-21287

MinIO is a High Performance Object Storage released under Apache License v2.0. In MinIO before version RELEASE.2021-01-30T00-20-58Z there is a server-side request forgery vulnerability. The target application may have functionality for importing data from a URL, publishing data to a URL, or otherwise reading data from a URL that can be tampered with. The attacker modifies the calls to this functionality by supplying a completely different URL or by manipulating how URLs are built (path traversal etc.). In a Server-Side Request Forgery (SSRF) attack, the attacker can abuse functionality on the server to read or update internal resources. The attacker can supply or modify a URL from which the code running on the server will read data or to which it will submit data, and by carefully selecting the URLs, the attacker may be able to read server configuration such as AWS metadata, connect to internal services like HTTP-enabled databases, or perform POST requests towards internal services which are not intended to be exposed. This is fixed in version RELEASE.2021-01-30T00-20-58Z; all users are advised to upgrade. As a workaround you can disable the browser front-end with the "MINIO_BROWSER=off" environment variable.

via "National Vulnerability Database".
CVE-2020-21176

SQL injection vulnerability in the model.increment and model.decrement function in ThinkJS 3.2.10 allows remote attackers to execute arbitrary SQL commands via the step parameter.

via "National Vulnerability Database".
CVE-2020-20294

An issue was found in CMSWing project version 1.3.8. Because the log function does not check the log parameter, malicious parameters can execute arbitrary commands.

via "National Vulnerability Database".
🔏 New York Could Be the Next State to Adopt a Strict Data Privacy Law 🔏

Like California before it, New York could serve as the testing grounds for the next statewide consumer data privacy law.

via "Digital Guardian".
🕴 Increase in Physical Security Incidents Adds to IT Security Pressures 🕴

A new study shows that many organizations have changed their physical security strategies to address new concerns since the COVID-19 outbreak.

via "Dark Reading".
🦿 How an automated pentesting stick can address multiple security needs 🦿

Used for offensive and defensive purposes, a penetration testing device can be configured to perform automated checks on network security and more.

via "Tech Republic".
SolarWinds Hack Prompts Congress to Put NSA in Encryption Hot Seat

Congress is demanding the National Security Agency come clean on what it knows about the 2015 supply-chain attack against Juniper Networks.

via "Threat Post".
Hezbollah-Linked Lebanese Cedar APT Infiltrates Hundreds of Servers

Enhanced Explosive RAT and Caterpillar tools are at the forefront of a global espionage campaign.

via "Threat Post".
Wind River Security Incident Affects SSNs, Passport Numbers

Wind River Systems is warning of a 'security incident' after one or more files were downloaded from its network.

via "Threat Post".
CVE-2020-28493

This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability of the regex is mainly due to the sub-pattern [a-zA-Z0-9._-]+.[a-zA-Z0-9._-]+. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.

via "National Vulnerability Database".
🕴 Data on 1.4 Million Washington State Residents Breached 🕴

Unemployment data exposed via third-party software attack.

via "Dark Reading".
🦿 5G adds more concerns: CISOs should build cybersecurity from the ground up 🦿

Public 5G networks, private 5G networks, broader attack surfaces, and more complex environments add extra layers of vulnerability, expert says.

via "Tech Republic".
🦿 5G: More speed adds more vulnerabilities, IoT security expert says 🦿

CISOs need to be more vigilant about building cybersecurity into projects from the beginning, one CISO says.

via "Tech Republic".
CVE-2019-20468

An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It has unnecessary permissions such as READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, and READ_CONTACTS.

via "National Vulnerability Database".
CVE-2019-20470

An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It performs actions based on certain SMS commands. This can be used to set up a voice communication channel from the watch to any telephone number, initiated by sending a specific SMS and using the default password, e.g., pw,<password>,call,<mobile_number> triggers an outbound call from the watch. The password is sometimes available because of CVE-2019-20471.

via "National Vulnerability Database".
CVE-2019-20473

An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a "Remove PIN and restart!" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device.

via "National Vulnerability Database".
CVE-2019-20471

An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. When using the device at initial setup, a default password is used (123456) for administrative purposes. There is no prompt to change this password. Note that this password can be used in combination with CVE-2019-20470.

via "National Vulnerability Database".
CVE-2021-3340

A cross-site scripting (XSS) vulnerability in many forms of Wikindx before 5.7.0 and 6.x through 6.4.0 allows remote attackers to inject arbitrary web script or HTML via the message parameter to index.php?action=initLogon or modules/admin/DELETEIMAGES.php.

via "National Vulnerability Database".
CVE-2021-3378

FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp.

via "National Vulnerability Database".