βΌ CVE-2020-13583 βΌ
π Read
via "National Vulnerability Database".
A denial-of-service vulnerability exists in the HTTP Server functionality of Micrium uC-HTTP 3.01.00. A specially crafted HTTP request can lead to denial of service. An attacker can send an HTTP request to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25251 βΌ
π Read
via "National Vulnerability Database".
The Trend Micro Security 2020 and 2021 families of consumer products are vulnerable to a code injection vulnerability which could allow an attacker to disable the programΓ’β¬β’s password protection and disable protection. An attacker must already have administrator privileges on the machine to exploit this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2020-13571 βΌ
π Read
via "National Vulnerability Database".
An out-of-bounds write vulnerability exists in the SGI RLE decompression functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2020-8355 βΌ
π Read
via "National Vulnerability Database".
An internal product security audit of Lenovo XClarity Administrator (LXCA) prior to version 3.1.0 discovered the Windows OS credentials provided by the LXCA user to perform driver updates of managed systems may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated while managed endpoints are updating. The service log is only generated when requested by a privileged LXCA user and it is only accessible to the privileged LXCA user that requested the file and is then deleted.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27185 βΌ
π Read
via "National Vulnerability Database".
The samba-client package before 4.0.0 for Node.js allows command injection because of the use of process.exec.π Read
via "National Vulnerability Database".
βΌ CVE-2020-24842 βΌ
π Read
via "National Vulnerability Database".
PNPSCADA 2.200816204020 allows cross-site scripting (XSS), which can execute arbitrary JavaScript in the victim's browser.π Read
via "National Vulnerability Database".
βΌ CVE-2020-13561 βΌ
π Read
via "National Vulnerability Database".
An out-of-bounds write vulnerability exists in the TIFF parser of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27186 βΌ
π Read
via "National Vulnerability Database".
Fluent Bit 1.6.10 has a NULL pointer dereference when an flb_malloc return value is not validated by flb_avro.c or http_server/api/v1/metrics.c.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28595 βΌ
π Read
via "National Vulnerability Database".
An out-of-bounds write vulnerability exists in the Obj.cpp load_obj() functionality of Prusa Research PrusaSlicer 2.2.0 and Master (commit 4b040b856). A specially crafted obj file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2020-13581 βΌ
π Read
via "National Vulnerability Database".
In SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014), a specially crafted document can cause the document parser to copy data from a particular record type into a buffer that is smaller than the size used for the copy which will cause a heap-based buffer overflow. An attacker can entice the victim to open a document to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2020-13585 βΌ
π Read
via "National Vulnerability Database".
An out-of-bounds write vulnerability exists in the PSD Header processing functionality of Accusoft ImageGear 19.8. A specially crafted malformed file can lead to code execution. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2020-27250 βΌ
π Read
via "National Vulnerability Database".
In SoftMaker Software GmbH SoftMaker Office PlanMaker 2021 (Revision 1014), a specially crafted document can cause the document parser to copy data from a particular record type into a static-sized buffer within an object that is smaller than the size used for the copy, which will cause a heap-based buffer overflow at Version/Instance 0x0005 and 0x0016. An attacker can entice the victim to open a document to trigger this vulnerability.π Read
via "National Vulnerability Database".
π΄ High-Severity Vulnerabilities Discovered in Multiple Embedded TCP/IP Stacks π΄
π Read
via "Dark Reading".
Flaw leaves millions of IT, OT, and IoT devices vulnerable to attack.π Read
via "Dark Reading".
Dark Reading
High-Severity Vulnerabilities Discovered in Multiple Embedded TCP/IP Stacks
Flaw leaves millions of IT, OT, and IoT devices vulnerable to attack.
βΌ CVE-2020-27871 βΌ
π Read
via "National Vulnerability Database".
This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within VulnerabilitySettings.aspx. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-11902.π Read
via "National Vulnerability Database".
βΌ CVE-2020-27874 βΌ
π Read
via "National Vulnerability Database".
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tencent WeChat 7.0.18. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the WXAM Decoder. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-11580.π Read
via "National Vulnerability Database".
βΌ CVE-2020-27870 βΌ
π Read
via "National Vulnerability Database".
This vulnerability allows remote attackers to disclose sensitive information on affected installations of SolarWinds Orion Platform 2020.2.1. Authentication is required to exploit this vulnerability. The specific flaw exists within ExportToPDF.aspx. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-11917.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2021-20335 βΌ
π Read
via "National Vulnerability Database".
For MongoDB Ops Manager 4.2.X with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager 4.4.X triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted.π Read
via "National Vulnerability Database".
β Military, Nuclear Entities Under Target By Novel Android Malware β
π Read
via "Threat Post".
The two malware families have sophisticated capabilities to exfiltrate SMS messages, WhatsApp messaging content and geolocation.π Read
via "Threat Post".
Threat Post
Military, Nuclear Entities Under Target By Novel Android Malware
The two malware families have sophisticated capabilities to exfiltrate SMS messages, WhatsApp messaging content and geolocation.
β S3 Ep19: Chrome zero-day, coffee hacking and Perl.com stolen [Podcast] β
π Read
via "Naked Security".
Latest episode (includes 111,848 "free" cups of coffee) - listen now!π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
βΌ CVE-2021-23335 βΌ
π Read
via "National Vulnerability Database".
All versions of package is-user-valid are vulnerable to LDAP Injection which can lead to either authentication bypass or information exposure.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23334 βΌ
π Read
via "National Vulnerability Database".
All versions of package static-eval are vulnerable to Arbitrary Code Execution using FunctionExpressions and TemplateLiterals. PoC: var evaluate = require('static-eval'); var parse = require('esprima').parse; var src="(function (x) { return ${eval("console.log(global.process.mainModule.constructor._load('child_process').execSync('ls').toString())")} })()" var ast = parse(src).body[0].expression; evaluate(ast)π Read
via "National Vulnerability Database".