🛑 Cybersecurity & Privacy 🛑 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
❌ Mac Malware Targets Apple’s In-House M1 Processor ❌

A malicious adware-distributing application specifically targets Apple's new M1 SoC, used in its newest-generation MacBook Air, MacBook Pro and Mac mini devices.

via "Threat Post".
🕴 How to Run a Successful Penetration Test 🕴

These seven tips will help ensure a penetration test improves your organization's overall security posture.

via "Dark Reading".
🕴 Data security accountability in an age of regular breaches 🕴

As the number of vendors impacted by supply-chain breaches grows, one constant question remains: where exactly does accountability for data security lie, and what part do end users play in their own data breach protection?

via "Dark Reading".
⚠ US names three North Koreans in laundry list of cybercrime charges ⚠

Trio alleged to have been at it for more than a decade, and to have made off with well over a billion dollars.

via "Naked Security".
‼ CVE-2020-28496 ‼

This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors. PoC:

var three = require('three')
function build_blank (n) {
  var ret = "rgb("
  for (var i = 0; i < n; i++) {
    ret += " "
  }
  return ret + ""
}
var Color = three.Color
var time = Date.now();
new Color(build_blank(50000))
var time_cost = Date.now() - time;
console.log(time_cost + " ms")

via "National Vulnerability Database".
‼ CVE-2021-20444 ‼

IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196620.

via "National Vulnerability Database".
‼ CVE-2020-28499 ‼

All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.

via "National Vulnerability Database".
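The prototype-pollution class this entry names, as an added example that is not from the advisory or the `merge` package: a naive recursive merge through which an attacker-controlled `__proto__` key reaches `Object.prototype`, beside a merge that drops such keys and only recurses into the target's own properties. The payload, `demo`, `naiveMerge` and `safeMerge` are constructed for the demonstration.

```javascript
// Added example (not the advisory's or the `merge` package's code): a naive
// recursive merge like the one CVE-2020-28499 describes, beside a hardened one.
const UNSAFE_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive merge: walks every key of the source, including "__proto__". Reading
// target["__proto__"] yields Object.prototype, so the recursion writes there.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: drops prototype-reaching keys and never recurses into an
// inherited property, so only the target's own data is ever written.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed attacker payload, parsed fresh each call so "__proto__" is an own key.
const payload = () => JSON.parse('{"__proto__": {"polluted": true}, "a": {"b": 1}}');

// Merge the payload into a config object and report whether Object.prototype
// was touched; the probe property is removed again afterwards.
function demo(mergeFn) {
  const config = { a: { c: 2 } };
  mergeFn(config, payload());
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, merged: JSON.stringify(config.a) };
}
```

Calling `demo(naiveMerge)` reports the leak while `demo(safeMerge)` produces the same merged result without it, which is the behaviour a fixed deep-merge should show.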
‼ CVE-2021-23341 ‼

The package prismjs before 1.23.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

via "National Vulnerability Database".
‼ CVE-2019-18255 ‼

HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through section objects. This may allow privilege escalation.

via "National Vulnerability Database".
‼ CVE-2021-20354 ‼

IBM WebSphere Application Server 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 194883.

via "National Vulnerability Database".
‼ CVE-2020-4933 ‼

IBM Jazz Reporting Service 6.0.6.1, 7.0, 7.0.1, and 7.0.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 191751.

via "National Vulnerability Database".
‼ CVE-2020-28491 ‼

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

via "National Vulnerability Database".
‼ CVE-2021-20446 ‼

IBM Maximo for Civil Infrastructure 7.6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 196622.

via "National Vulnerability Database".
‼ CVE-2020-28463 ‼

All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce risk, use trustedSchemes & trustedHosts (see in Reportlab's documentation). Steps to reproduce by Karan Bamal:
1. Download and install the latest package of reportlab
2. Go to demos -> odyssey -> dodyssey
3. In the text file odyssey.txt that needs to be converted to pdf inject <img src="http://127.0.0.1:5000" valign="top"/>
4. Create a nc listener nc -lp 5000
5. Run python3 dodyssey.py
6. You will get a hit on your nc showing we have successfully proceeded to send a server side request
7. dodyssey.py will show error since there is no img file on the url, but we are able to do SSRF

via "National Vulnerability Database".
‼ CVE-2020-28490 ‼

The package async-git before 1.13.2 is vulnerable to Command Injection via shell meta-characters (back-ticks). For example: git.reset('atouch HACKEDb')

via "National Vulnerability Database".
‼ CVE-2021-23340 ‼

This affects the package pimcore/pimcore before 6.8.8. A Local File Inclusion vulnerability exists in the downloadCsvAction function of the CustomReportController class (bundles/AdminBundle/Controller/Reports/CustomReportController.php). An authenticated user can reach this function with a GET request at the following endpoint: /admin/reports/custom-report/download-csv?exportFile=[filename]. Since the exportFile variable is not sanitized, an attacker can exploit a local file inclusion vulnerability.

via "National Vulnerability Database".
‼ CVE-2021-20445 ‼

IBM Maximo for Civil Infrastructure 7.6.2 could allow a user to obtain sensitive information due to insecure storage of authentication credentials. IBM X-Force ID: 196621.

via "National Vulnerability Database".
‼ CVE-2021-20443 ‼

IBM Maximo for Civil Infrastructure 7.6.2 includes executable functionality (such as a library) from a source that is outside of the intended control sphere. IBM X-Force ID: 196619.

via "National Vulnerability Database".
❌ Exploit Details Emerge for Unpatched Microsoft Bug ❌

A malicious website or malicious ad can trigger an exploit for the IE zero-day bug, opening the door for data theft and code execution, new analysis notes.

via "Threat Post".
🕴 Hiding in Plain Sight: What the SolarWinds Attack Revealed About Efficacy 🕴

Multilayered infiltration involved custom malicious tooling, backdoors, and cloaked code, far beyond the skills of script kiddies.

via "Dark Reading".
🦿 Cybersecurity needs to be proactive with involvement from business leaders 🦿

In a webinar Wednesday, former US Homeland Security director Christopher Krebs also suggested organizations have COVID workforce coordinators and that cloud mail providers activate MFA by default.

via "Tech Republic".