βΌ CVE-2021-23342 βΌ
π Read
via "National Vulnerability Database".
This affects the package docsify before 4.12.0. It is possible to bypass the remediation done by CVE-2020-7680 and execute malicious JavaScript through the following methods 1) When parsing HTML from remote URLs, the HTML code on the main page is sanitized, but this sanitization is not taking place in the sidebar. 2) The isURL external check can be bypassed by inserting more Γ’β¬œ////Γ’β¬οΏ½ charactersπ Read
via "National Vulnerability Database".
π¦Ώ Kia outage may be the result of ransomware π¦Ώ
π Read
via "Tech Republic".
A week-long outage for Kia is reportedly connected to a ransomware attack from the DoppelPaymer gang, says BleepingComputer.π Read
via "Tech Republic".
TechRepublic
Kia outage may be the result of ransomware
A week-long outage for Kia is reportedly connected to a ransomware attack from the DoppelPaymer gang, says BleepingComputer.
β Malformed URL Prefix Phishing Attacks Spike 6,000% β
π Read
via "Threat Post".
Sneaky attackers are flipping backslashes in phishing email URLs to evade protections, researchers said.π Read
via "Threat Post".
Threat Post
Malformed URL Prefix Phishing Attacks Spike 6,000%
Sneaky attackers are flipping backslashes in phishing email URLs to evade protections, researchers said.
βΌ CVE-2021-27351 βΌ
π Read
via "National Vulnerability Database".
The Terminate Session feature in the Telegram application through 7.2.1 for Android, and through 2.4.7 for Windows and UNIX, fails to invalidate a recently active session.π Read
via "National Vulnerability Database".
βΌ CVE-2020-35499 βΌ
π Read
via "National Vulnerability Database".
A NULL pointer dereference flaw in kernel versions prior to 5.11 may be seen if sco_sock_getsockopt function in net/bluetooth/sco.c do not have a sanity check for a socket connection, when using BT_SNDMTU/BT_RCVMTU for SCO sockets. This could allow a local attacker with a special user privilege to crash the system (DOS) or leak kernel internal information.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20588 βΌ
π Read
via "National Vulnerability Database".
Improper handling of length parameter inconsistency vulnerability in Mitsubishi Electric FA Engineering Software(C Controller module setting and monitoring tool all versions, CPU Module Logging Configuration Tool all versions, CW Configurator all versions, Data Transfer all versions, EZSocket all versions, FR Configurator all versions, FR Configurator SW3 all versions, FR Configurator2 all versions, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GT SoftGOT1000 Version3 all versions, GT SoftGOT2000 Version1 all versions, GX Configurator-DP versions 7.14Q and prior, GX Configurator-QP all versions, GX Developer all versions, GX Explorer all versions, GX IEC Developer all versions, GX LogViewer all versions, GX RemoteService-I all versions, GX Works2 versions 1.597X and prior, GX Works3 versions 1.070Y and prior, M_CommDTM-HART all versions, M_CommDTM-IO-Link all versions, MELFA-Works all versions, MELSEC WinCPU Setting Utility all versions, MELSOFT EM Software Development Kit (EM Configurator) all versions, MELSOFT Navigator all versions, MH11 SettingTool Version2 all versions, MI Configurator all versions, MT Works2 all versions, MX Component all versions, Network Interface Board CC IE Control utility all versions, Network Interface Board CC IE Field Utility all versions, Network Interface Board CC-Link Ver.2 Utility all versions, Network Interface Board MNETH utility all versions, PX Developer all versions, RT ToolBox2 all versions, RT ToolBox3 all versions, Setting/monitoring tools for the C Controller module all versions, SLMP Data Collector all versions) allows a remote unauthenticated attacker to cause a DoS condition of the software products, and possibly to execute a malicious program on the personal computer running the software products although it has not been reproduced, by spoofing MELSEC, GOT or FREQROL and returning crafted reply packets.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27328 βΌ
π Read
via "National Vulnerability Database".
Yeastar NeoGate TG400 91.3.0.3 devices are affected by Directory Traversal. An authenticated user can decrypt firmware and can read sensitive information, such as a password or decryption key.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26713 βΌ
π Read
via "National Vulnerability Database".
A stack-based buffer overflow in res_rtp_asterisk.c in Sangoma Asterisk before 16.16.1, 17.x before 17.9.2, and 18.x before 18.2.1 and Certified Asterisk before 16.8-cert6 allows an authenticated WebRTC client to cause an Asterisk crash by sending multiple hold/unhold requests in quick succession. This is caused by a signedness comparison mismatch.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27214 βΌ
π Read
via "National Vulnerability Database".
A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20587 βΌ
π Read
via "National Vulnerability Database".
Heap-based buffer overflow vulnerability in Mitsubishi Electric FA Engineering Software (C Controller module setting and monitoring tool all versions, CPU Module Logging Configuration Tool all versions, CW Configurator all versions, Data Transfer all versions, EZSocket all versions, FR Configurator all versions, FR Configurator SW3 all versions, FR Configurator2 all versions, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GT SoftGOT1000 Version3 all versions, GT SoftGOT2000 Version1 all versions, GX Configurator-DP version 7.14Q and prior, GX Configurator-QP all versions, GX Developer all versions, GX Explorer all versions, GX IEC Developer all versions, GX LogViewer all versions, GX RemoteService-I all versions, GX Works2 version 1.597X and prior, GX Works3 version 1.070Y and prior, M_CommDTM-HART all versions, M_CommDTM-IO-Link all versions, MELFA-Works all versions, MELSEC WinCPU Setting Utility all versions, MELSOFT EM Software Development Kit (EM Configurator) all versions, MELSOFT Navigator all versions, MH11 SettingTool Version2 all versions, MI Configurator all versions, MT Works2 all versions, MX Component all versions, Network Interface Board CC IE Control utility all versions, Network Interface Board CC IE Field Utility all versions, Network Interface Board CC-Link Ver.2 Utility all versions, Network Interface Board MNETH utility all versions, PX Developer all versions, RT ToolBox2 all versions, RT ToolBox3 all versions, Setting/monitoring tools for the C Controller module all versions and SLMP Data Collector all versions) allows a remote unauthenticated attacker to cause a DoS condition of the software products, and possibly to execute a malicious program on the personal computer running the software products although it has not been reproduced, by spoofing MELSEC, GOT or FREQROL and returning crafted reply packets.π Read
via "National Vulnerability Database".
π΄ Kia Denies Ransomware Attack as IT Outage Continues π΄
π Read
via "Dark Reading".
Kia Motors America states there is no evidence its recent systems outage was caused by a ransomware attack.π Read
via "Dark Reading".
Dark Reading
Kia Denies Ransomware Attack as IT Outage Continues
Kia Motors America states there is no evidence its recent systems outage was caused by a ransomware attack.
βΌ CVE-2020-27785 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-29074. Reason: This candidate is a reservation duplicate of CVE-2020-29074. Notes: All CVE users should reference CVE-2020-29074 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26544 βΌ
π Read
via "National Vulnerability Database".
Livy server version 0.7.0-incubating (only) is vulnerable to a cross site scripting issue in the session name. A malicious user could use this flaw to access logs and results of other users' sessions and run jobs with their privileges. This issue is fixed in Livy 0.7.1-incubating.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26716 βΌ
π Read
via "National Vulnerability Database".
Modules/input/Views/schedule.php in Emoncms through 10.2.7 allows XSS via the node parameter.π Read
via "National Vulnerability Database".
β Nvidia announces official βanti-cryptominingβ software drivers β
π Read
via "Naked Security".
"It's a DoS, Jim, but not as we know it."π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
βΌ CVE-2021-27515 βΌ
π Read
via "National Vulnerability Database".
url-parse before 1.5.0 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27513 βΌ
π Read
via "National Vulnerability Database".
The module admin_ITSM in EyesOfNetwork 5.3-10 allows remote authenticated users to upload arbitrary .xml.php files because it relies on "le filtre userside."π Read
via "National Vulnerability Database".
βΌ CVE-2021-27514 βΌ
π Read
via "National Vulnerability Database".
EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for the session ID, which might be leveraged for brute-force authentication bypass (such as in CVE-2021-27513 exploitation).π Read
via "National Vulnerability Database".
βΌ CVE-2021-27516 βΌ
π Read
via "National Vulnerability Database".
URI.js (aka urijs) before 1.19.6 mishandles certain uses of backslash such as http:\/ and interprets the URI as a relative path.π Read
via "National Vulnerability Database".
βΌ CVE-2020-11177 βΌ
π Read
via "National Vulnerability Database".
User can overwrite Security Code NV item without knowing current SPC due to improper validation of SPC code setting and device lock in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearablesπ Read
via "National Vulnerability Database".
βΌ CVE-2020-11170 βΌ
π Read
via "National Vulnerability Database".
Out of bound memory access while playing music playbacks with crafted vorbis content due to improper checks in header extraction in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networkingπ Read
via "National Vulnerability Database".