Malaysia Air Downplays Frequent-Flyer Program Data Breach
via "Threat Post".
A third-party IT provider exposed valuable airline data that experts say could be a goldmine for cybercriminals.
CVE-2021-27935
via "National Vulnerability Database".
An issue was discovered in AdGuard before 0.105.2. An attacker able to obtain the user's cookie can brute-force their password offline, because the hash of the password is stored in the cookie.
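To make the weakness concrete, here is an added Python example (not AdGuard's code; the `user:hexdigest` cookie layout, the SHA-256 digest and the wordlist are assumptions for illustration, since the page does not describe the real cookie format). It shows why a cookie that carries anything derived from the password can be cracked offline, beside the opaque-token design that removes the problem:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed wordlist for the demo; a real attacker would use a large dictionary plus rules.
WORDLIST = ["letmein", "password", "admin123", "hunter2", "correct horse battery staple"]


def vulnerable_cookie(username: str, password: str) -> str:
    """Cookie whose value is derived from the password alone (assumed layout: user:hexdigest).

    Whoever holds the cookie can test candidate passwords locally, so server-side
    rate limiting, lockout and logging never come into play.
    """
    digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
    return f"{username}:{digest}"


def offline_bruteforce(cookie: str, wordlist) -> Optional[str]:
    """What the thief does with a stolen cookie: recompute the digest per candidate until one matches."""
    _, digest = cookie.split(":", 1)
    for candidate in wordlist:
        guess = hashlib.sha256(candidate.encode("utf-8")).hexdigest()
        if hmac.compare_digest(guess, digest):
            return candidate
    return None


class SessionStore:
    """Hardened design: the cookie is a random, opaque token and the server keeps the mapping.

    The token contains no information about the password, so a stolen cookie is only
    useful until it is revoked or expires, and it can never be turned into the password.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unrelated to the password
        self._sessions[token] = username
        return token

    def resolve(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    stolen = vulnerable_cookie("admin", "hunter2")
    print("password recovered from stolen cookie:", offline_bruteforce(stolen, WORDLIST))
    store = SessionStore()
    token = store.issue("admin")
    print("opaque token resolves to:", store.resolve(token))
```

Swapping SHA-256 for a slow, salted KDF would only raise the attacker's cost per guess; as long as the cookie value is a function of the password, the guessing stays offline and unthrottled. The fix is structural: the cookie must be a random handle to server-side state (or a server-keyed signature over such a handle), so that nothing in it depends on the password.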
CVE-2021-27839
via "National Vulnerability Database".
A CSV injection vulnerability found in Online Invoicing System (OIS) 4.3 and below can be exploited by users to perform malicious actions such as redirecting admins to unknown or harmful websites, or disclosing other clients' details that the user did not have access to.
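The defence against CSV injection is applied at export time, when user-supplied cells are written into the file an admin will open in a spreadsheet. The following is an added Python example (not OIS code; the column names and the sample client rows are constructed for the demo) that neutralises cells a spreadsheet would evaluate as formulas, such as a `HYPERLINK` that sends the admin to an attacker's site, while leaving genuine negative numbers untouched:

```python
import csv
import io
from typing import Iterable, List, Sequence

# Leading characters that make Excel, LibreOffice and Google Sheets treat a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell rather than display it."""
    return value[:1] in FORMULA_TRIGGERS or value.lstrip()[:1] in FORMULA_TRIGGERS


def looks_numeric(value: str) -> bool:
    """Plain numbers such as "-15.50" start with a trigger but are harmless."""
    try:
        float(value)
        return True
    except ValueError:
        return False


def neutralize_cell(value) -> str:
    """Prefix risky cells with an apostrophe so the spreadsheet stores them as text.

    Quotes inside the value are handled by the CSV writer, which doubles them; the
    apostrophe is the standard text-forcing prefix recommended for CSV injection.
    """
    text = "" if value is None else str(value)
    if is_formula_cell(text) and not looks_numeric(text):
        return "'" + text
    return text


def export_csv(header: Sequence[str], rows: Iterable[Sequence]) -> str:
    """Write an export where every untrusted cell has passed through neutralize_cell."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def parse_csv(text: str) -> List[List[str]]:
    """Read an export back, as the admin's spreadsheet would, to check what each cell contains."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample export: one client entered formulas as their "name" and "notes".
SAMPLE_CLIENTS = [
    ("Acme Ltd", "-15.50", "paid"),
    ('=HYPERLINK("http://attacker.example/reset","Click to verify account")', "0", "pending"),
    ("@SUM(1+1)", "12.00", "-2+3"),
]

if __name__ == "__main__":
    print(export_csv(("client", "balance", "status"), SAMPLE_CLIENTS))
```

Two caveats a practitioner should know: the apostrophe is visible in some spreadsheet importers (it is shown literally rather than consumed as a text marker), which is cosmetic but worth telling users about; and the numeric pass-through should only be used for columns that are genuinely numeric, since a free-text column never needs to start with `-` or `+`.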
CVE-2021-21313
via "National Vulnerability Database".
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique; it is a free asset and IT management software package. In GLPI before version 9.5.4, there is a vulnerability in the /ajax/common.tabs.php endpoint: at least two parameters, _target and id, are not properly sanitized. Two payloads exploit the vulnerability, one per parameter, with different exploitation paths:
/ajax/common.tabs.php?_target=javascript:alert(document.cookie)&_itemtype=DisplayPreference&_glpi_tab=DisplayPreference$2&id=258&displaytype=Ticket (payload triggered when the button is clicked);
/ajax/common.tabs.php?_target=/front/ticket.form.php&_itemtype=Ticket&_glpi_tab=Ticket$1&id=(){};(function%20(){alert(document.cookie);})();function%20a&#
CVE-2021-21312
via "National Vulnerability Database".
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique; it is a free asset and IT management software package. In GLPI before version 9.5.4, there is a vulnerability within the document upload function (Home > Management > Documents > Add, or the /front/document.form.php endpoint): the form field "Web Link" is not properly sanitized, and a malicious user (who has document upload rights) can use it to deliver a JavaScript payload. For example, with the payload " accesskey="x" onclick="alert(1)" x=", the content is saved in the database without any check. Back on the documents summary page, clicking the "Web Link" of the newly created file opens a new empty tab, but the pop-up "1" appears on the initial tab.
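The two GLPI issues above (CVE-2021-21313 and CVE-2021-21312) are the same mistake seen from two sides: a user-controlled URL reaches an href with no scheme check, and a user-controlled value reaches an HTML attribute with no escaping. The following added Python example (not GLPI code, which is PHP; the function names and the `#` fallback are assumptions for the demo) shows the handling that closes both: an http(s)/relative-only URL validator that survives the `java\tscript:` and protocol-relative tricks, attribute escaping for the rendered link, and a strict integer check for an id that lands in a JavaScript context. The payloads are the ones quoted in the two advisories, with the id payload URL-decoded:

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
SAFE_DEFAULT = "#"          # assumption: rejected links degrade to a dead anchor
C0_CONTROLS = re.compile(r"[\x00-\x1f\x7f]")
ID_RE = re.compile(r"\d{1,18}")


def safe_href(url: Optional[str], default: str = SAFE_DEFAULT) -> str:
    """Return the URL only if it is a same-site path or an http(s) URL; otherwise the default.

    Browsers drop ASCII tab/newline inside a scheme ("java\\tscript:" still runs) and
    ignore leading control characters, so those are stripped before the scheme is
    inspected instead of trusting a naive startswith("javascript:") check.
    """
    if not url:
        return default
    cleaned = C0_CONTROLS.sub("", url).strip()
    parts = urlsplit(cleaned)
    if parts.scheme:
        return cleaned if parts.scheme.lower() in ALLOWED_SCHEMES else default
    if parts.netloc:        # "//evil.example/x" is protocol-relative, not same-site
        return default
    return cleaned


def render_link(url: Optional[str], label: str) -> str:
    """Build an anchor from untrusted values: validate the URL, then escape both for an attribute/text."""
    href = html.escape(safe_href(url), quote=True)
    return f'<a href="{href}">{html.escape(label, quote=True)}</a>'


def safe_item_id(raw: str) -> int:
    """An id that is echoed into JavaScript (or SQL) must be a plain integer and nothing else."""
    if not ID_RE.fullmatch(raw):
        raise ValueError("invalid id")
    return int(raw)


# Payloads from the advisories above (id payload shown URL-decoded).
PAYLOAD_TARGET = "javascript:alert(document.cookie)"
PAYLOAD_WEBLINK = '" accesskey="x" onclick="alert(1)" x="'
PAYLOAD_ID = "(){};(function (){alert(document.cookie);})();function a"

if __name__ == "__main__":
    print(render_link(PAYLOAD_TARGET, "Display preferences"))
    print(render_link(PAYLOAD_WEBLINK, "Document"))
    try:
        safe_item_id(PAYLOAD_ID)
    except ValueError as exc:
        print("id rejected:", exc)
```

Note what happens to the "Web Link" payload: it contains no scheme, so the validator lets it through as a relative path, and it is the attribute escaping (`"` becomes `&quot;`) that keeps it from breaking out of the href. Validation and output encoding are separate controls; an application needs both, because each covers a case the other does not.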
CVE-2021-27931
via "National Vulnerability Database".
LumisXP (aka Lumis Experience Platform) before 10.0.0 allows unauthenticated blind XXE via an API request to PageControllerXml.jsp. One can send a request crafted with an XXE payload and achieve outcomes such as reading local server files or denial of service.
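Both outcomes named above, file read and denial of service, depend on the parser honouring entity declarations in a DTD the client supplied. Here is an added Python example (not LumisXP code, which is Java; the request bodies are constructed for the demo) of the usual hardening for an endpoint that accepts XML from unauthenticated clients: refuse any DOCTYPE before the tree is built, which stops external entities and recursive internal entities alike:

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DTD, the only place entities can be declared."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    raise UnsafeXML(f"DOCTYPE {name!r} is not allowed in untrusted input")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse client-supplied XML while refusing any DTD.

    Expat calls StartDoctypeDeclHandler before it processes a single entity
    declaration, so raising there stops external entities (local file read, SSRF)
    and recursive internal entities (billion laughs) before either can take effect.
    Malformed XML still raises the parser's own error.
    """
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.Parse(data, True)        # UnsafeXML on a DOCTYPE, ExpatError on malformed input
    return ET.fromstring(data)       # safe to build the tree now: no entities can exist


def is_safe_xml(data: bytes) -> bool:
    """Convenience wrapper for well-formed input: True if it parses without a DTD."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


# Constructed request bodies for the demo.
BENIGN_REQUEST = b'<?xml version="1.0"?><request><page>home</page></request>'
XXE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b'<request><page>&xxe;</page></request>'
)
LAUGHS_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
    b'<lolz>&lol2;</lolz>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_REQUEST), ("xxe", XXE_REQUEST), ("laughs", LAUGHS_REQUEST)):
        print(label, "accepted" if is_safe_xml(body) else "rejected")
```

Refusing the DTD outright is the right default for an API schema that never uses one; if a DTD is genuinely required, the narrower settings are to disable external entity resolution and external DTD loading and to cap entity expansion, which is what the `defusedxml` package and the hardened parser-factory settings in Java expose. With a parser that resolves external entities, the `xxe` request above would substitute the contents of the named file into the `page` element, and in a blind case the attacker reads it back through an error message or an out-of-band request rather than the response body.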
CVE-2021-21314
via "National Vulnerability Database".
GLPI is open source software which stands for Gestionnaire Libre de Parc Informatique; it is a free asset and IT management software package. In GLPI before version 9.5.4, there is an XSS vulnerability involving a logged-in user while updating a ticket.
Unpatched Bug in WiFi Mouse App Opens PCs to Attack
via "Threat Post".
The wireless mouse utility lacks proper authentication and opens Windows systems to attack.
CISA to Federal Agencies: Immediately Patch or 'Disconnect' Microsoft Exchange Servers
via "Dark Reading".
The US Department of Homeland Security agency's new emergency directive comes in the wake of major zero-day attacks on email servers revealed by Microsoft this week.
How (NOT?!) to jailbreak your iPhone
via "Naked Security".
We're sticking to our "patch early, patch often" mantra, although in this case it means you can't jailbreak.
Okta to Buy Rival Auth0
via "Dark Reading".
The deal, valued at $6.5 billion, will bring together competitors in the identity management space.
Intel: Paid Research Caught More Than 90% of Our Vulnerabilities
via "Dark Reading".
Internal research and external bug-bounty programs combined to discover the vast majority of reported security issues in the company's software.
More Details Emerge on the Microsoft Exchange Server Attacks
via "Dark Reading".
The attacks seem more widespread than initially reported, researchers say, and a look at why the Microsoft Exchange Server zero-days patched this week are so dangerous.
CVE-2021-27940
via "National Vulnerability Database".
resources/public/js/orchestrator.js in openark orchestrator before 3.2.4 allows XSS via the orchestrator-msg parameter.
CVE-2021-21331
via "National Vulnerability Database".
The Java client for the Datadog API before version 1.0.0-beta.9 has a local information disclosure of sensitive information downloaded via the API using the API client. The Datadog API is executed on a Unix-like system with multiple users, and the API is used to download a file containing sensitive information; that information is exposed locally to other users. This vulnerability exists in the API client for versions 1 and 2. The method `prepareDownloadFile` creates a temporary file with the permission bits `-rw-r--r--` on Unix-like systems, where the system temporary directory is shared between users. As such, the contents of the file downloaded via the `downloadFileFromResponse` method will be visible to all other users on the local system. Analysis of the finding determined that the affected code was unused, meaning that the exploitation likelihood is low. The unused code has been removed, effectively mitigating this issue. This issue has been patched in version 1.0.0-beta.9. As a workaround one may specify `java.io.tmpdir` when starting the JVM with the flag `-Djava.io.tmpdir`, pointing it at a directory with `drwx------` (0700) permissions owned by `dd-agent`.
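The failure mode here is an operating-system one rather than a Java one: a file created in the shared temp directory inherits `0666 & ~umask`, which is `-rw-r--r--` under the usual 022 umask. The following added Python example (not Datadog's code; the `dd-` prefix and the pinned 022 umask are assumptions so the demo is deterministic) reproduces that world-readable file, then creates the owner-only file and the private directory that the patch and the workaround respectively rely on:

```python
import os
import stat
import tempfile
from typing import List


def create_like_legacy_temp(prefix: str = "dd-") -> str:
    """Mimic a temp file created with mode 0666 and the process umask, as File.createTempFile does.

    With the common 022 umask that leaves 0644: every local user can read the
    downloaded contents. The umask is pinned only so the demonstration is
    deterministic (an assumption for the demo, not part of any fix).
    """
    old_umask = os.umask(0o022)
    try:
        path = os.path.join(tempfile.gettempdir(), prefix + os.urandom(6).hex())
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o666)
        os.close(fd)
    finally:
        os.umask(old_umask)
    return path


def create_private_temp(prefix: str = "dd-") -> str:
    """The fix: request owner-only permissions at creation time (mkstemp opens with mode 0600).

    Creating world-readable and chmod-ing afterwards leaves a window in which another
    user can already have opened the file, so the mode must be right from the start.
    """
    fd, path = tempfile.mkstemp(prefix=prefix)
    os.close(fd)
    return path


def create_private_tempdir(prefix: str = "dd-") -> str:
    """The advisory's workaround in miniature: a 0700 directory other users cannot traverse."""
    return tempfile.mkdtemp(prefix=prefix)


def accessible_to_others(path: str) -> bool:
    """True if group or other hold any permission bit on the path."""
    return bool(os.stat(path).st_mode & 0o077)


def cleanup(paths: List[str]) -> None:
    for p in paths:
        if os.path.isdir(p):
            os.rmdir(p)
        elif os.path.exists(p):
            os.remove(p)


if __name__ == "__main__":
    created = [create_like_legacy_temp(), create_private_temp(), create_private_tempdir()]
    for p in created:
        mode = stat.filemode(os.stat(p).st_mode)
        print(f"{p}: {mode} accessible_to_others={accessible_to_others(p)}")
    cleanup(created)
```

The Java equivalent of `create_private_temp` is `java.nio.file.Files.createTempFile`, which on POSIX creates the file with owner-only permissions, unlike the older `java.io.File.createTempFile`. Whichever API is used, the check a reviewer wants is the one `accessible_to_others` performs: any file that will hold downloaded secrets in a shared directory must show no group or other bits immediately after creation.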
Another Chrome zero-day exploit, so get that update done!
via "Naked Security".
It's déjà vu all over again! New month, new Chrome zero-day bug being exploited in the wild.
Using TikTok? Check out these six security tips
via "Naked Security".
Practical advice on how to maximize your security and privacy on TikTok.
CVE-2019-18629
via "National Vulnerability Database".
Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow an attacker to execute an unwanted binary during an exploited clone install. This requires creating a clone file and signing that file with a compromised private key.
CVE-2019-18628
via "National Vulnerability Database".
Xerox AltaLink B8045/B8055/B8065/B8075/B8090 and C8030/C8035/C8045/C8055/C8070 multifunction printers with software releases before 101.00x.099.28200 allow a user with administrative privileges to turn off data encryption on the device, thus leaving it open to potential cryptographic information disclosure.
How banks and banking customers can protect themselves against financial crimes
via "Tech Republic".
Account takeovers and online banking fraud are two types of attacks on the rise against financial institutions and their customers, says Feedzai.
Why We Need More Blue Team Voices at the Table
via "Dark Reading".
The red team draws attention, but the blue team has the expertise to keep networks secure day in and day out.