βΌ CVE-2021-26296 βΌ
π Read
via "National Vulnerability Database".
In the default configuration, Apache MyFaces Core versions 2.2.0 to 2.2.13, 2.3.0 to 2.3.7, 2.3-next-M1 to 2.3-next-M4, and 3.0.0-RC1 use cryptographically weak implicit and explicit cross-site request forgery (CSRF) tokens. Due to that limitation, it is possible (although difficult) for an attacker to calculate a future CSRF token value and to use that value to trick a user into executing unwanted actions on an application.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36250 βΌ
π Read
via "National Vulnerability Database".
In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36248 βΌ
π Read
via "National Vulnerability Database".
The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive.π Read
via "National Vulnerability Database".
βΌ CVE-2020-36252 βΌ
π Read
via "National Vulnerability Database".
ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3339 βΌ
π Read
via "National Vulnerability Database".
ModernFlow before 1.3.00.208 does not constrain web-page access to members of a security group, as demonstrated by the Search Screen and the Profile Screen.π Read
via "National Vulnerability Database".
βΌ CVE-2020-10254 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview.π Read
via "National Vulnerability Database".
βΌ CVE-2020-10252 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack.π Read
via "National Vulnerability Database".
π Faraday 3.14.1 π
π Read
via "Packet Storm Security".
Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.π Read
via "Packet Storm Security".
Packetstormsecurity
Faraday 3.14.1 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
β Microsoft: SolarWinds Attackers Downloaded Azure, Exchange Code β
π Read
via "Threat Post".
However, internal products and systems were not leveraged to attack others during the massive supply-chain incident, the tech giant said upon completion of its Solorigate investigation.π Read
via "Threat Post".
Threat Post
Microsoft: SolarWinds Attackers Downloaded Azure, Exchange Code
However, internal products and systems were not leveraged to attack others during the massive supply-chain incident, the tech giant said upon completion of its Solorigate investigation.
π΄ How to Fine-Tune Vendor Risk Management in a Virtual World π΄
π Read
via "Dark Reading".
Without on-site audits, many organizations lack their usual visibility to assess risk factors and validate contracts and SLA with providers.π Read
via "Dark Reading".
Dark Reading
How to Fine-Tune Vendor Risk Management in a Virtual World
Without on-site audits, many organizations lack their usual visibility to assess risk factors and validate contracts and SLA with providers.
π Friday Five 2-19 π
π Read
via "Digital Guardian".
Indictments of North Korean hackers, cybersecurity in the stimulus bill, and the growing popularity of Python - catch up on all of the week's infosec news with the Friday Five!π Read
via "Digital Guardian".
βΌ CVE-2021-3210 βΌ
π Read
via "National Vulnerability Database".
components/Modals/HelpTexts/GenericAll/GenericAll.jsx in Bloodhound <= 4.0.1 allows remote attackers to execute arbitrary system commands when the victim imports a malicious data file containing JavaScript in the objectId parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3204 βΌ
π Read
via "National Vulnerability Database".
SSRF in the document conversion component of Webware Webdesktop 5.1.15 allows an attacker to read all files from the server.π Read
via "National Vulnerability Database".
π¦Ώ Linux 101: How to block users from setting up their own cron jobs π¦Ώ
π Read
via "Tech Republic".
Jack Wallen shows you how to gain a bit more security on your Linux servers by blocking users from adding cron jobs.π Read
via "Tech Republic".
TechRepublic
Linux 101: How to block users from setting up their own cron jobs
Jack Wallen shows you how to gain a bit more security on your Linux servers by blocking users from adding cron jobs.
π¦Ώ Forrester report highlights Zero Trust Edge model for networking and security infrastructure π¦Ώ
π Read
via "Tech Republic".
According to Forrester, ZTE will be most helpful with securing and enabling remote workers while removing the difficult user VPNs.π Read
via "Tech Republic".
TechRepublic
Forrester report highlights Zero Trust Edge model for networking and security infrastructure
According to Forrester, ZTE will be most helpful with securing and enabling remote workers while removing the difficult user VPNs.
β The massive coronavirus pandemic IT blunder with a funny side β
π Read
via "Naked Security".
He was either the smallest person who has ever lived, by an order of magnitude, or the heaviest person ever known, by two of them.π Read
via "Naked Security".
Naked Security
The massive coronavirus IT blunder with a funny side
He was either the smallest person who has ever lived, by an order of magnitude, or the heaviest person ever known, by two of them.
π¦Ώ IRS issues urgent notice on scams aimed at tax professionals π¦Ώ
π Read
via "Tech Republic".
Scammers are impersonating the IRS with emails carrying the subject line "Verifying your EFIN before e-filing."π Read
via "Tech Republic".
TechRepublic
IRS issues urgent notice on scams aimed at tax professionals
Scammers are impersonating the IRS with emails carrying the subject line "Verifying your EFIN before e-filing."
π¦Ώ Linux 101: How to block users from setting up their own cron jobs π¦Ώ
π Read
via "Tech Republic".
Jack Wallen shows you how to gain a bit more security on your Linux servers by blocking users from adding cron jobs.π Read
via "Tech Republic".
TechRepublic
Linux 101: How to block users from setting up their own cron jobs
Jack Wallen shows you how to gain a bit more security on your Linux servers by blocking users from adding cron jobs.
βΌ CVE-2021-22701 βΌ
π Read
via "National Vulnerability Database".
A CWE-352: Cross-Site Request Forgery vulnerability exists in PowerLogic ION7400, ION7650, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause a user to perform an unintended action on the target device when using the HTTP web interface.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22702 βΌ
π Read
via "National Vulnerability Database".
A CWE-319: Cleartext transmission of sensitive information vulnerability exists in PowerLogic ION7400, ION7650, ION7700/73xx, ION83xx/84xx/85xx/8600, ION8650, ION8800, ION9000 and PM800 (see notification for affected versions), that could cause disclosure of user credentials when a malicious actor intercepts Telnet network traffic between a user and the device.π Read
via "National Vulnerability Database".