CVE-2021-22661 (via National Vulnerability Database)
Changing the password on the module webpage does not require the user to type in the current password first. Thus, the password could be changed by a user or external process without knowledge of the current password on the ICX35-HWC-A and ICX35-HWC-E (versions 1.9.62 and prior).
CVE-2021-23979 (via National Vulnerability Database)
Mozilla developers reported memory safety bugs present in Firefox 85. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 86.
CVE-2021-26904 (via National Vulnerability Database)
LMA ISIDA Retriever 5.2 allows SQL Injection.
CVE-2021-23964 (via National Vulnerability Database)
Mozilla developers reported memory safety bugs present in Firefox 84 and Firefox ESR 78.6. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 85, Thunderbird < 78.7, and Firefox ESR < 78.7.
CVE-2021-3010 (via National Vulnerability Database)
There are multiple persistent cross-site scripting (XSS) vulnerabilities in the web interface of OpenText Content Server Version 20.3. The application allows a remote attacker to introduce arbitrary JavaScript by crafting malicious form values that are not subsequently sanitized.
S3 Ep21: Cryptomining clampdown, the 100-ton man, and ScamClub ads [Podcast] (via Naked Security)
Latest episode - listen now!
Friday Five 2/26 (via Digital Guardian)
Hackers targeting the US electric grid, M1 chip compatible malware, and a new attack framework for inferring keystrokes - catch up on all of the week's infosec news with the Friday Five!
Yeezy Fans Face Sneaker-Bot Armies for Boost "Sun" Release (via Threat Post)
Sneaker bots ready to scoop up the new Yeezy Boost 700 "Sun" shoes to resell at a huge markup.
Yeezy Fans Face Sneaker-Bot Armies for Hot Kicks Releases (via Threat Post)
Sneaker bots are scooping up the new Yeezy "Ash Blue" and "Quantum" shoes to resell at a huge markup.
Attackers Turn Struggling Software Projects Into Trojan Horses (via Dark Reading)
While access to compromised systems has become an increasingly common service, some cybercriminals are going straight to the source: buying code bases and then updating the application with malicious code.
Securing Super Bowl LV (via Dark Reading)
A peek at open XDR technology, and defense that held up better than the Kansas City Chiefs.
How stalkerware can threaten your safety and privacy, and how to avoid it (via TechRepublic)
With a stalkerware app on your phone, another person can spy on your activities and view your personal information, Kaspersky says.
Business travelers are still at home due to employee worries, the slow vaccine rollout and the patchwork of COVID-19 rules (via TechRepublic)
Gartner research finds that only 11% of companies have resumed travel or plan to within the next six months.
CVE-2021-21297 (via National Vulnerability Database)
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier contains a Prototype Pollution vulnerability in the admin API. A badly formed request can modify the prototype of the default JavaScript Object with the potential to affect the default behaviour of the Node-RED runtime. The vulnerability is patched in the 1.2.8 release. A workaround is to ensure only authorized users are able to access the editor URL.
CVE-2021-23345 (via National Vulnerability Database)
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.
CVE-2021-21273 (via National Vulnerability Database)
Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary.
CVE-2021-21298 (via National Vulnerability Database)
Node-RED is a low-code programming tool for event-driven applications built using Node.js. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not to give untrusted users read access to the Node-RED editor.
CVE-2021-21274 (via National Vulnerability Database)
Synapse is a Matrix reference homeserver written in Python (PyPI package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the `federation_domain_whitelist` setting can be used to restrict the homeservers communicated with over federation.
The Edge Pro Tip: Fasten Your Seatbelts (via Dark Reading)
An unprecedented 2020 has shaken up security leaders' usual list of must-have technologies for 2021. Where do they plan to spend next?
Lazarus Targets Defense Companies with ThreatNeedle Malware (via Threat Post)
A spear-phishing campaign linked to a North Korean APT uses "NukeSped" malware in cyberespionage attacks against defense companies.
NSA Releases Guidance on Zero-Trust Architecture (via Dark Reading)
A new document provides guidance for businesses planning to implement a zero-trust system management strategy.