🕴 Microsoft Concludes Internal Investigation into Solorigate Breach 🕴
via "Dark Reading".
The software giant found no evidence that attackers gained extensive access to services or customer data.
‼ CVE-2021-26747 ‼
via "National Vulnerability Database".
Netis WF2780 2.3.40404 and WF2411 1.1.29629 devices allow Shell Metacharacter Injection into the ping command, leading to remote code execution.
‼ CVE-2021-26712 ‼
via "National Vulnerability Database".
Incorrect access controls in res_srtp.c in Sangoma Asterisk 13.38.1, 16.16.0, 17.9.1, and 18.2.0 and Certified Asterisk 16.8-cert5 allow a remote unauthenticated attacker to prematurely terminate secure calls by replaying SRTP packets.
⚠ S3 Ep20: Corporate megahacking, true love gone bad, and tax grabs [Podcast] ⚠
via "Naked Security".
Latest episode, listen now! (Includes special gardening safety section at no extra charge!)
‼ CVE-2020-36247 ‼
via "National Vulnerability Database".
Open OnDemand before 1.5.7 and 1.6.x before 1.6.22 allows CSRF.
‼ CVE-2020-36251 ‼
via "National Vulnerability Database".
ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share.
‼ CVE-2020-36249 ‼
via "National Vulnerability Database".
The File Firewall before 2.8.0 for ownCloud Server does not properly enforce file-type restrictions for public shares.
‼ CVE-2020-24908 ‼
via "National Vulnerability Database".
Checkmk before 1.6.0p17 allows local users to obtain SYSTEM privileges via a Trojan horse shell script in the %PROGRAMDATA%\checkmk\agent\local directory.
‼ CVE-2021-26296 ‼
via "National Vulnerability Database".
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.
‼ CVE-2020-36250 ‼
via "National Vulnerability Database".
In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.
‼ CVE-2020-36248 ‼
via "National Vulnerability Database".
The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive.
‼ CVE-2020-36252 ‼
via "National Vulnerability Database".
ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number.
‼ CVE-2021-3339 ‼
via "National Vulnerability Database".
ModernFlow before 1.3.00.208 does not constrain web-page access to members of a security group, as demonstrated by the Search Screen and the Profile Screen.
‼ CVE-2020-10254 ‼
via "National Vulnerability Database".
An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview.
‼ CVE-2020-10252 ‼
via "National Vulnerability Database".
An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack.
🛠 Faraday 3.14.1 🛠
via "Packet Storm Security".
Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.
❌ Microsoft: SolarWinds Attackers Downloaded Azure, Exchange Code ❌
via "Threat Post".
However, internal products and systems were not leveraged to attack others during the massive supply-chain incident, the tech giant said upon completion of its Solorigate investigation.
🕴 How to Fine-Tune Vendor Risk Management in a Virtual World 🕴
via "Dark Reading".
Without on-site audits, many organizations lack their usual visibility to assess risk factors and validate contracts and SLAs with providers.
🔏 Friday Five 2-19 🔏
via "Digital Guardian".
Indictments of North Korean hackers, cybersecurity in the stimulus bill, and the growing popularity of Python - catch up on all of the week's infosec news with the Friday Five!
‼ CVE-2021-3210 ‼
via "National Vulnerability Database".
components/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound <= 4.0.1 allows remote attackers to execute arbitrary system commands when the victim imports a malicious data file containing JavaScript in the objectId parameter.
‼ CVE-2021-3204 ‼
via "National Vulnerability Database".
SSRF in the document conversion component of Webware Webdesktop 5.1.15 allows an attacker to read all files from the server.