CVE-2021-24350
via "National Vulnerability Database".
The Visitors WordPress plugin through 0.3 is affected by an unauthenticated stored cross-site scripting (XSS) vulnerability. The plugin displays the user's User-Agent string within the WordPress admin panel without validation or encoding.

CVE-2021-24349
via "National Vulnerability Database".
The Gallery from files WordPress plugin through 1.6.0 provides functionality for uploading images to the server, but filenames are not properly sanitized before being output in an error message when they have an invalid extension, leading to a reflected cross-site scripting issue. Because there is no CSRF check, the attack could also be performed via CSRF.

CVE-2021-24355
via "National Vulnerability Database".
In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, the lack of capability checks and insufficient nonce check on the AJAX actions, simple301redirects/admin/get_wildcard and simple301redirects/admin/wildcard, made it possible for authenticated users to retrieve and update the wildcard value for redirects.

Moobot Milks Tenda Router Bugs for Propagation
via "Threat Post".
An analysis of the campaign revealed Cyberium, an active Mirai-variant malware hosting site.

Why employees need counterespionage training
via "Tech Republic".
Two experts are concerned that employees are no match for nation-state spy services tasked with obtaining a company's vital intellectual property.

CVE-2021-32682
via "National Vulnerability Database".
elFinder is an open-source file manager for the web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

New Top 20 Secure-Coding List Positions PLCs as Plant 'Bodyguards'
via "Dark Reading".
Best practices guide encompasses integrity, hardening, resilience, and monitoring of PLCs in industrial networks.

Colorado Passes State Privacy Act, Poised to Become Law
via "Digital Guardian".
Once it's signed into law, the bill will become the third comprehensive state privacy law in the U.S. after California and Virginia.

Google Workspace Adds Client-Side Encryption
via "Dark Reading".
Users given control over encryption keys, Google says.

CVE-2021-21556
via "National Vulnerability Database".
Dell PowerEdge R640, R740, R740XD, R840, R940, R940xa, MX740c, MX840c, and T640 Server BIOS contain a stack-based buffer overflow vulnerability in systems with NVDIMM-N installed. A local malicious user with high privileges may potentially exploit this vulnerability, leading to denial of service, arbitrary code execution, or information disclosure in the UEFI or BIOS preboot environment.

Utilities 'Concerningly' at Risk from Active Exploits
via "Threat Post".
Utilities' vulnerability to application exploits goes from bad to worse in just weeks.

Cyber Analytics Database Exposed 5 Billion Records Online
via "Dark Reading".
In an ironic twist, Cognyte's data alerts customers to third-party data exposures.

CVE-2021-0324
via "National Vulnerability Database".
Product: Android. Versions: Android SoC. Android ID: A-175402462.

CVE-2021-0467
via "National Vulnerability Database".
In Chromecast bootROM, there is a possible out-of-bounds write due to an incorrect bounds check. This could lead to local escalation of privilege in the bootloader, with physical USB access, with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android SoC. Android ID: A-174490700.

VPN Attacks Surged in First Quarter
via "Dark Reading".
But volume of malware, botnet, and other exploit activity declined because of the Emotet botnet takedown.

CVE-2021-34693
via "National Vulnerability Database".
net/can/bcm.c in the Linux kernel through 5.12.10 allows local users to obtain sensitive information from kernel stack memory because parts of a data structure are uninitialized.

CVE-2021-27887
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the main dashboard of affected Ellipse APM versions allows an authenticated user or integrated application to inject malicious data into the application that can then be executed in a victim's browser. This issue affects: Hitachi ABB Power Grids Ellipse APM 5.3 version 5.3.0.1 and prior versions; 5.2 version 5.2.0.3 and prior versions; 5.1 version 5.1.0.6 and prior versions.

CVE-2021-31618
via "National Vulnerability Database".
The Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations configured for the server, the same limits used for the HTTP/1 protocol. On violation of these restrictions, an HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response was not fully initialised in the HTTP/2 protocol handler if the offending header was the very first one received or appeared in a footer. This led to a NULL pointer dereference on initialised memory, reliably crashing the child process. Since such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server. This issue affected mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 only. Apache HTTP Server 2.4.47 was never released.

Apple Hurries Patches for Safari Bugs Under Active Attack
via "Threat Post".
Apple patched two bugs impacting its Safari browser WebKit engine that it said are actively being exploited.

'Face of Anonymous' suspect deported from Mexico to face US hacking charges
via "Naked Security".
After nearly a decade as a US expat dubbed "The Face of Anonymous", he's back in the US facing cybercrime charges from almost a decade ago.

Microsoft Gets Second Shot at Banning hiQ from Scraping LinkedIn User Data
via "Threat Post".
Decision throws out a previous ruling in favor of hiQ Labs that prevented Microsoft's business networking platform from forbidding the company to harvest public info from user profiles.
