π΄ Virginia Takes Different Tack Than California With Data Privacy Law π΄
π Read
via "Dark Reading".
Online businesses targeting Virginia consumers and have personal data of 100,000 consumers in the state must conform to the new statute.π Read
via "Dark Reading".
Dark Reading
Virginia Takes Different Tack Than California With Data Privacy Law
Online businesses targeting Virginia consumers and have personal data of 100,000 consumers in the state must conform to the new statute.
π΄ Pro Tip: Say What You Know π΄
π Read
via "Dark Reading".
During the immediate period following a breach, it's vital to move fast - but not trip over yourself.π Read
via "Dark Reading".
Dark Reading
The Edge
During the immediate period following a breach, it's vital to move fast - but not trip over yourself.
βΌ CVE-2020-35577 βΌ
π Read
via "National Vulnerability Database".
In Endalia Selection Portal before 4.205.0, an Insecure Direct Object Reference (IDOR) allows any authenticated user to download every file uploaded to the platform by changing the value of the file identifier (aka CommonDownload identification number).π Read
via "National Vulnerability Database".
βΌ CVE-2020-29664 βΌ
π Read
via "National Vulnerability Database".
A command injection issue in dji_sys in DJI Mavic 2 Remote Controller before firmware version 01.00.0510 allows for code execution via a malicious firmware upgrade packet.π Read
via "National Vulnerability Database".
β Mac Malware Targets Appleβs In-House M1 Processor β
π Read
via "Threat Post".
A malicious adware-distributing application specifically targets Apple's new M1 SoC, used in its newest-generation MacBook Air, MacBook Pro and Mac mini devices.π Read
via "Threat Post".
Threat Post
Mac Malware Targets Appleβs In-House M1 Processor
A malicious adware-distributing application specifically targets Apple's new M1 SoC, used in its newest-generation MacBook Air, MacBook Pro and Mac mini devices.
π΄ How to Run a Successful Penetration Test π΄
π Read
via "Dark Reading".
These seven tips will help ensure a penetration test improves your organization's overall security posture.π Read
via "Dark Reading".
Dark Reading
How to Run a Successful Penetration Test
These seven tips will help ensure a penetration test improves your organization's overall security posture.
π΄ Data security accountability in an age of regular breaches π΄
π Read
via "Dark Reading".
As the number of vendors impacted by supply-chain breaches grows, one constant question remains: where exactly does accountability for data security lie, and what part do end users play in their own data breach protection?π Read
via "Dark Reading".
Dark Reading
Data security accountability in an age of regular breaches
As the number of vendors impacted by supply-chain breaches grows, one constant question remains: where exactly does accountability for data security lie, and what part do end users play in their own data breach protection?
β US names three North Koreans in laundry list of cybercrime charges β
π Read
via "Naked Security".
Trio alleged to have been at it for more than a decade, and to have made off with well over a billion dollars.π Read
via "Naked Security".
Naked Security
US names three North Koreans in laundry list of cybercrime charges
Trio alleged to have been at it for more than a decade, and to have made off with well over a billion dollars.
βΌ CVE-2020-28496 βΌ
π Read
via "National Vulnerability Database".
This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC: var three = require('three') function build_blank (n) { var ret = "rgb(" for (var i = 0; i < n; i++) { ret += " " } return ret + ""; } var Color = three.Color var time = Date.now(); new Color(build_blank(50000)) var time_cost = Date.now() - time; console.log(time_cost+" ms")π Read
via "National Vulnerability Database".
βΌ CVE-2021-20444 βΌ
π Read
via "National Vulnerability Database".
IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196620.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28499 βΌ
π Read
via "National Vulnerability Database".
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge .π Read
via "National Vulnerability Database".
βΌ CVE-2021-23341 βΌ
π Read
via "National Vulnerability Database".
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.π Read
via "National Vulnerability Database".
βΌ CVE-2019-18255 βΌ
π Read
via "National Vulnerability Database".
HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through section objects. This may allow privilege escalation.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20354 βΌ
π Read
via "National Vulnerability Database".
IBM WebSphere Application Server 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 194883.π Read
via "National Vulnerability Database".
βΌ CVE-2020-4933 βΌ
π Read
via "National Vulnerability Database".
IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191751.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28491 βΌ
π Read
via "National Vulnerability Database".
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20446 βΌ
π Read
via "National Vulnerability Database".
IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196622.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28463 βΌ
π Read
via "National Vulnerability Database".
All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation) Steps to reproduce by Karan Bamal: 1. Download and install the latest package of reportlab 2. Go to demos -> odyssey -> dodyssey 3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/> 4. Create a nc listener nc -lp 5000 5. Run python3 dodyssey.py 6. You will get a hit on your nc showing we have successfully proceded to send a server side request 7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRFπ Read
via "National Vulnerability Database".
βΌ CVE-2020-28490 βΌ
π Read
via "National Vulnerability Database".
The package async-git before 1.13.2 are vulnerable to Command Injection via shell meta-characters (back-ticks). For example: git.reset('atouch HACKEDb')π Read
via "National Vulnerability Database".
βΌ CVE-2021-23340 βΌ
π Read
via "National Vulnerability Database".
This affects the package pimcore/pimcore before 6.8.8. A Local FIle Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class (bundles/AdminBundle/Controller/Reports/CustomReportController.php). An authenticated user can reach this function with a GET request at the following endpoint: /admin/reports/custom-report/download-csv?exportFile=&91;filename]. Since exportFile variable is not sanitized, an attacker can exploit a local file inclusion vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20445 βΌ
π Read
via "National Vulnerability Database".
IBM Maximo for Civil Infrastructure 7.6.2 could allow a user to obtain sensitive information due to insecure storeage of authentication credentials. IBM X-Force ID: 196621.π Read
via "National Vulnerability Database".