‼ CVE-2021-21387 ‼
via "National Vulnerability Database".
Wrongthink is a peer-to-peer, end-to-end encrypted messenger built on PeerJS and the Axolotl ratchet. Wrongthink versions from 2.0.0 and before 2.3.0 contained a set of vulnerabilities that resulted in inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated: it was computed from part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers that would potentially be exploitable in the real world. Additionally, there was inadequate encryption strength due to the use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0.
❌ Office 365 Phishing Attack Targets Financial Execs ❌
via "Threat Post".
Attackers move on new CEOs, using transition confusion to harvest Microsoft credentials.
🕴 Verkada Attacker Charged with Wire Fraud, Conspiracy in US 🕴
via "Dark Reading".
Swiss national Till Kottmann and co-conspirators are accused of breaking into dozens of US companies and government entities.
‼ CVE-2021-20077 ‼
via "National Vulnerability Database".
Nessus Agent versions 7.2.0 through 8.2.2 were found to inadvertently capture the IAM role security token on the local host during initial linking of the Nessus Agent when installed on an Amazon EC2 instance. This could allow a privileged attacker to obtain the token.
‼ CVE-2021-27520 ‼
via "National Vulnerability Database".
A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "author" parameter.
‼ CVE-2021-27519 ‼
via "National Vulnerability Database".
A cross-site scripting (XSS) issue in FUDForum 3.1.0 allows remote attackers to inject JavaScript via index.php in the "srch" parameter.
‼ CVE-2021-26990 ‼
via "National Vulnerability Database".
Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability that could allow a remote attacker to overwrite arbitrary system files.
‼ CVE-2019-10127 ‼
via "National Vulnerability Database".
A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for BigSQL-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. An attacker having only the unprivileged Windows account can read arbitrary data directory files, essentially bypassing database-imposed read access limitations. An attacker having only the unprivileged Windows account can also delete certain data directory files.
‼ CVE-2021-26991 ‼
via "National Vulnerability Database".
Cloud Manager versions prior to 3.9.4 contain an insecure Cross-Origin Resource Sharing (CORS) policy which could allow a remote attacker to interact with Cloud Manager.
‼ CVE-2021-26992 ‼
via "National Vulnerability Database".
Cloud Manager versions prior to 3.9.4 are susceptible to a vulnerability which could allow a remote attacker to cause a Denial of Service (DoS).
❌ Critical F5 BIG-IP Flaw Now Under Active Attack ❌
via "Threat Post".
Researchers are reporting mass scanning for – and in-the-wild exploitation of – a critical-severity flaw in the F5 BIG-IP and BIG-IQ enterprise networking infrastructure.
🕴 New Malware Hidden in Apple IDE Targets macOS Developers 🕴
via "Dark Reading".
XcodeSpy is the latest example of growing attacks on the software supply chain.
🦿 PS5 phishing scam baits gamers with promise of free console 🦿
via "Tech Republic".
Scammers are taking advantage of a shortage of Sony PlayStation 5 consoles to try to hoodwink people eager to snag one, says Kaspersky.
‼ CVE-2019-10151 ‼
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2019. Notes: none.
‼ CVE-2019-10128 ‼
via "National Vulnerability Database".
A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code.
‼ CVE-2019-10200 ‼
via "National Vulnerability Database".
A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workloads on master nodes. Pods with permission to access the host network, running on master nodes, can retrieve security credentials for the master AWS IAM role, allowing management access to AWS resources. With access to the security credentials, the user then has access to the entire infrastructure. Impact to data and system availability is high.
‼ CVE-2019-14828 ‼
via "National Vulnerability Database".
A vulnerability was found in Moodle affecting 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where users with the capability to create courses were assigned as a teacher in those courses, regardless of whether they had the capability to be automatically assigned that role.
‼ CVE-2019-10196 ‼
via "National Vulnerability Database".
A flaw was found in http-proxy-agent prior to version 2.1.0. It was discovered that http-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources, and in data exposure through an uninitialized memory leak, in setups where an attacker could submit typed input to the auth parameter.
‼ CVE-2019-14830 ‼
via "National Vulnerability Database".
A vulnerability was found in Moodle 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions, where the mobile launch endpoint contained an open redirect in some circumstances, which could result in a user's mobile access token being exposed. (Note: This does not affect sites with a forced URL scheme configured, mobile service disabled, or where the mobile app login method is "via the app".)
‼ CVE-2019-10225 ‼
via "National Vulnerability Database".
A flaw was found in atomic-openshift of openshift-4.2 where the basic-user RBAC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the restuserkey. An attacker with basic-user permissions is able to obtain the value of restuserkey and use it to authenticate to the GlusterFS REST service, gaining access to read and modify files.
‼ CVE-2021-21267 ‼
via "National Vulnerability Database".
Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). Before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.`) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc.), are not affected. Users should upgrade to version 2.0.0, which uses a regular expression that isn't vulnerable to ReDoS.