β Stalkerware Volumes Remain Concerningly High, Despite Bans β
π Read
via "Threat Post".
COVID-19 impacted volumes for the year, but the U.S. moved into third place on the list of countries most infected by stalkerware.π Read
via "Threat Post".
Threat Post
Stalkerware Volumes Remain Concerningly High, Despite Bans
COVID-19 impacted volumes for the year, but the U.S. moved into third place on the list of countries most infected by stalkerware.
β Amazon Dismisses Claims Alexa βSkillsβ Can Bypass Security Vetting Process β
π Read
via "Threat Post".
Researchers found a number of privacy and security issues in Amazon's Alexa skill vetting process, which could lead to attackers stealing data or launching phishing attacks.π Read
via "Threat Post".
Threat Post
Amazon Dismisses Claims Alexa βSkillsβ Can Bypass Security Vetting Process
Researchers found a number of privacy and security issues in Amazon's Alexa skill vetting process, which could lead to attackers stealing data or launching phishing attacks.
π¦Ώ The hidden business costs of working remotely π¦Ώ
π Read
via "Tech Republic".
The benefits of working remotely are numerous, but studies are finding there are significant hidden costs that need to be factored in.π Read
via "Tech Republic".
TechRepublic
Data security: A hidden business cost of working remotely
The benefits of working remotely are numerous, but there are significant hidden costs that need to be factored in.
βΌ CVE-2021-0402 βΌ
π Read
via "National Vulnerability Database".
In jpeg, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11; Patch ID: ALPS05433311.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26561 βΌ
π Read
via "National Vulnerability Database".
Stack-based buffer overflow vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0367 βΌ
π Read
via "National Vulnerability Database".
In vpu, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05371580; Issue ID: ALPS05379085.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26562 βΌ
π Read
via "National Vulnerability Database".
Out-of-bounds write vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to execute arbitrary code via syno_finder_site HTTP header.π Read
via "National Vulnerability Database".
βΌ CVE-2021-27799 βΌ
π Read
via "National Vulnerability Database".
ean_leading_zeroes in backend/upcean.c in Zint Barcode Generator 2.19.1 has a stack-based buffer overflow that is reachable from the C API through an application that includes the Zint Barcode Generator library code.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0401 βΌ
π Read
via "National Vulnerability Database".
In vow, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05418265.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0403 βΌ
π Read
via "National Vulnerability Database".
In netdiag, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11; Patch ID: ALPS05475124.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0404 βΌ
π Read
via "National Vulnerability Database".
In mobile_log_d, there is a possible information disclosure due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-11; Patch ID: ALPS05457039.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26564 βΌ
π Read
via "National Vulnerability Database".
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0366 βΌ
π Read
via "National Vulnerability Database".
In vpu, there is a possible memory corruption due to a race condition. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05371580; Issue ID: ALPS05379093.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26560 βΌ
π Read
via "National Vulnerability Database".
Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26567 βΌ
π Read
via "National Vulnerability Database".
Use of unmaintained third party components vulnerability in faad in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows remote authenticated users to execute arbitrary code via a crafted file path.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0406 βΌ
π Read
via "National Vulnerability Database".
In cameraisp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05471418.π Read
via "National Vulnerability Database".
βΌ CVE-2020-27223 βΌ
π Read
via "National Vulnerability Database".
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of ΓΒ’Γ’βΒ¬Γ
βqualityΓΒ’Γ’βΒ¬? (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0405 βΌ
π Read
via "National Vulnerability Database".
In performance driver, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10, Android-11; Patch ID: ALPS05466547.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26563 βΌ
π Read
via "National Vulnerability Database".
Improper access control vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows local users to obtain sensitive information via a crafted kernel module.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21309 βΌ
π Read
via "National Vulnerability Database".
Redis is an open-source, in-memory database that persists on disk. In affected versions of Redis an integer overflow bug in 32-bit Redis version 4.0 or newer could be exploited to corrupt the heap and potentially result with remote code execution. Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger several integer overflow scenarios, which would result with buffer overflow and heap corruption. We believe this could in certain conditions be exploited for remote code execution. By default, authenticated Redis users have access to all configuration parameters and can therefore use the Γ’β¬œCONFIG SET proto-max-bulk-lenΓ’β¬οΏ½ to change the safe default, making the system vulnerable. **This problem only affects 32-bit Redis (on a 32-bit system, or as a 32-bit executable running on a 64-bit system).** The problem is fixed in version 6.2, and the fix is back ported to 6.0.11 and 5.0.11. Make sure you use one of these versions if you are running 32-bit Redis. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent clients from directly executing `CONFIG SET`: Using Redis 6.0 or newer, ACL configuration can be used to block the command. Using older versions, the `rename-command` configuration directive can be used to rename the command to a random string unknown to users, rendering it inaccessible. Please note that this workaround may have an additional impact on users or operational systems that expect `CONFIG SET` to behave in certain ways.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26565 βΌ
π Read
via "National Vulnerability Database".
Cleartext transmission of sensitive information vulnerability in synorelayd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to obtain sensitive information via an HTTP session.π Read
via "National Vulnerability Database".