βΌ CVE-2021-23345 βΌ
π Read
via "National Vulnerability Database".
All versions of package github.com/thecodingmachine/gotenberg are vulnerable to Server-side Request Forgery (SSRF) via the /convert/html endpoint when the src attribute of an HTML element refers to an internal system file, such as <iframe src='file:///etc/passwd'>.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21273 βΌ
π Read
via "National Vulnerability Database".
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not restricted to external IP addresses when calculating the key validity for third-party invite events and sending push notifications. This could cause Synapse to make requests to internal infrastructure. The type of request was not controlled by the user, although limited modification of request bodies was possible. For the most thorough protection server administrators should remove the deprecated `federation_ip_range_blacklist` from their settings after upgrading to Synapse v1.25.0 which will result in Synapse using the improved default IP address restrictions. See the new `ip_range_blacklist` and `ip_range_whitelist` settings if more specific control is necessary.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21298 βΌ
π Read
via "National Vulnerability Database".
Node-Red is a low-code programming for event-driven applications built using nodejs. Node-RED 1.2.7 and earlier has a vulnerability which allows arbitrary path traversal via the Projects API. If the Projects feature is enabled, a user with `projects.read` permission is able to access any file via the Projects API. The issue has been patched in Node-RED 1.2.8. The vulnerability applies only to the Projects feature which is not enabled by default in Node-RED. The primary workaround is not give untrusted users read access to the Node-RED editor.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21274 βΌ
π Read
via "National Vulnerability Database".
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the `federation_domain_whitelist` setting can be used to restrict the homeservers communicated with over federation.π Read
via "National Vulnerability Database".
π΄ The Edge Pro Tip: Fasten Your Seatbelts π΄
π Read
via "Dark Reading".
An unprecedented 2020 has shaken up security leaders' usual list of must-have technologies for 2021. Where do they plan to spend next?π Read
via "Dark Reading".
Dark Reading
The Edge
An unprecedented 2020 has shaken up security leaders' usual list of must-have technologies for 2021. Where do they plan to spend next?
β Lazarus Targets Defense Companies with ThreatNeedle Malware β
π Read
via "Threat Post".
A spear-phishing campaigned linked to a North Korean APT uses βNukeSpedβ malware in cyberespionage attacks against defense companies.π Read
via "Threat Post".
Threat Post
Lazarus Targets Defense Companies with ThreatNeedle Malware
A spear-phishing campaigned linked to a North Korean APT uses βNukeSpedβ malware in cyberespionage attacks against defense companies.
π΄ NSA Releases Guidance on Zero-Trust Architecture π΄
π Read
via "Dark Reading".
A new document provides guidance for businesses planning to implement a zero-trust system management strategy.π Read
via "Dark Reading".
Dark Reading
NSA Releases Guidance on Zero-Trust Architecture
A new document provides guidance for businesses planning to implement a zero-trust system management strategy.
βΌ CVE-2021-21308 βΌ
π Read
via "National Vulnerability Database".
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 the soft logout system is not complete and an attacker is able to foreign request and executes customer commands. The problem is fixed in 1.7.7.2π Read
via "National Vulnerability Database".
βΌ CVE-2021-21302 βΌ
π Read
via "National Vulnerability Database".
PrestaShop is a fully scalable open source e-commerce solution. In PrestaShop before version 1.7.2 there is a CSV Injection vulnerability possible by using shop search keywords via the admin panel. The problem is fixed in 1.7.7.2π Read
via "National Vulnerability Database".
π¦Ώ How will cybersecurity change with a new U.S. president? Pros identify the biggest needs π¦Ώ
π Read
via "Tech Republic".
Every new presidential administration brings change, one way or another. Learn what President Joseph Biden is facing on the cybersecurity front, along with some tips for government and businesses.π Read
via "Tech Republic".
TechRepublic
How will cybersecurity change with a new US president? Pros identify the biggest needs
Every new presidential administration brings change, one way or another. Learn what President Joseph Biden is facing on the cybersecurity front, along with some tips for government and businesses.
β Stalkerware Volumes Remain Concerningly High, Despite Bans β
π Read
via "Threat Post".
COVID-19 impacted volumes for the year, but the U.S. moved into third place on the list of countries most infected by stalkerware.π Read
via "Threat Post".
Threat Post
Stalkerware Volumes Remain Concerningly High, Despite Bans
COVID-19 impacted volumes for the year, but the U.S. moved into third place on the list of countries most infected by stalkerware.
β Amazon Dismisses Claims Alexa βSkillsβ Can Bypass Security Vetting Process β
π Read
via "Threat Post".
Researchers found a number of privacy and security issues in Amazon's Alexa skill vetting process, which could lead to attackers stealing data or launching phishing attacks.π Read
via "Threat Post".
Threat Post
Amazon Dismisses Claims Alexa βSkillsβ Can Bypass Security Vetting Process
Researchers found a number of privacy and security issues in Amazon's Alexa skill vetting process, which could lead to attackers stealing data or launching phishing attacks.
π¦Ώ The hidden business costs of working remotely π¦Ώ
π Read
via "Tech Republic".
The benefits of working remotely are numerous, but studies are finding there are significant hidden costs that need to be factored in.π Read
via "Tech Republic".
TechRepublic
Data security: A hidden business cost of working remotely
The benefits of working remotely are numerous, but there are significant hidden costs that need to be factored in.
βΌ CVE-2021-0402 βΌ
π Read
via "National Vulnerability Database".
In jpeg, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11; Patch ID: ALPS05433311.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26561 βΌ
π Read
via "National Vulnerability Database".
Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0367 βΌ
π Read
via "National Vulnerability Database".
In vpu, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05371580; Issue ID: ALPS05379085.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26562 βΌ
π Read
via "National Vulnerability Database".
Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27799 βΌ
π Read
via "National Vulnerability Database".
ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator 2.19.1 has a stack-based buffer overflow that is reachable from the C API through an application that includes the Zint Barcode Generator library code.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0401 βΌ
π Read
via "National Vulnerability Database".
In vow, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05418265.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0403 βΌ
π Read
via "National Vulnerability Database".
In netdiag, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11; Patch ID: ALPS05475124.π Read
via "National Vulnerability Database".