CVE-2021-24389
via "National Vulnerability Database".
The WP Foodbakery WordPress plugin before 2.2, used in the FoodBakery WordPress theme before 2.2, did not properly sanitize the foodbakery_radius parameter before outputting it back in the response, leading to an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability.
CVE-2021-24386
via "National Vulnerability Database".
The WP SVG images WordPress plugin before 3.4 did not sanitise the SVG files uploaded, which could allow low privilege users such as author+ to upload a malicious SVG and then perform XSS attacks by inducing another user to access the file directly. In v3.4, the plugin restricted such upload to editors and admin, with an option to also allow author to do so. The description of the plugin has also been updated with a security warning as upload of such content is intended.
CVE-2021-24407
via "National Vulnerability Database".
The Jannah WordPress theme before 5.4.5 did not properly sanitize the 'query' POST parameter in its tie_ajax_search AJAX action, leading to a Reflected Cross-site Scripting (XSS) vulnerability.
Critical flaws in Windows Print spooler service could allow for remote attacks
via "Tech Republic".
Administrators are urged to apply the latest patches from Microsoft and disable the Windows Print spooler service in domain controllers and systems not used for printing.
8 Ways to Preserve Legal Privilege After a Cybersecurity Incident
via "Dark Reading".
Knowing your legal distinctions can make defense easier should you end up in court after a breach, attack, or data loss.
CVE-2021-27930
via "National Vulnerability Database".
Multiple stored cross-site scripting (XSS) vulnerabilities in IRIS IrisNext 9.5.16 allow remote authenticated users to inject arbitrary web script or HTML via a document or folder name that is mishandled when rendering the contact form or search form.
CVE-2021-32559
via "National Vulnerability Database".
An integer overflow exists in pywin32 prior to version b301 when adding an access control entry (ACE) to an access control list (ACL) that would cause the size to be greater than 65535 bytes. An attacker who successfully exploited this vulnerability could crash the vulnerable process.
Cyberattack on Kaseya Nets More Than 1,000 Victims, $70M Ransom Demand
via "Dark Reading".
The provider of remote monitoring and management services warns customers not to run its software until a patch is available and manually installed.
Kaseya supply chain attack impacts more than 1,000 companies
via "Tech Republic".
The REvil group is claiming that over 1 million devices have been infected and is demanding $70 million for a universal decryption key.
Kaseya Patches Imminent After Zero-Day Exploits, 1,500 Impacted
via "Threat Post".
REvil ransomware gang lowers price for universal decryptor after massive worldwide ransomware push against Kaseya security vulnerability CVE-2021-30116.
The Audacity! How to wreck an open-source project and anger a community
via "Tech Republic".
Audacity software has been acquired, and the new verbiage added to the privacy policy has the open-source community up in arms.
CVE-2021-31771
via "National Vulnerability Database".
Splinterware System Scheduler Professional version 5.30 is subject to an insecure folder permissions issue affecting the location from which the service 'WindowsScheduler' calls its executable. This allows a non-privileged user to execute arbitrary code with elevated privileges (system level privileges as "nt authority\system") since the service runs as Local System.
CVE-2021-32740
via "National Vulnerability Database".
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.
It's High Time for a Security Scoring System for Applications and Open Source Libraries
via "Dark Reading".
A benchmarking system would help buyers choose more secure software products and, more importantly, light a fire underneath software producers to make products secure.
What is GLBA Compliance? Understanding the Data Protection Requirements of the Gramm-Leach-Bliley Act in 2021
via "Digitalguardian".
Learn about what GLBA means for data protection and how to achieve GLBA compliance in Data Protection 101, our series on the fundamentals of information security.
Western Digital Users Face Another RCE
via "Threat Post".
Say hello to one more zero-day and yet more potential remote data death for those who can't/won't upgrade their My Cloud storage devices.
1 in 4 employees say they still have access to accounts from past jobs, survey finds
via "Tech Republic".
Nearly half of professionals also admit to sharing passwords and more than a third say they write them on paper, according to Beyond Identity.
Workers Careless in Sharing & Reusing Corporate Secrets
via "Dark Reading".
A new survey shows leaked enterprise secrets cost companies millions of dollars each year.
The mobile and desktop versions of Firefox Total Cookie Protection are now available
via "Tech Republic".
Jack Wallen explains how to protect your web browsing from supercookies with Firefox's new privacy feature.
Android Apps in Google Play Harvest Facebook Credentials
via "Threat Post".
The apps all used an unusual tactic of loading a legitimate Facebook page as part of the data theft.
CVE-2021-34190
via "National Vulnerability Database".
A stored cross site scripting (XSS) vulnerability in index.php?menu=billing_rates of Issabel PBX version 4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Name" or "Prefix" fields under the "Create New Rate" module.