βΌ CVE-2021-29784 βΌ
π Read
via "National Vulnerability Database".
IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 203168.π Read
via "National Vulnerability Database".
βΌ CVE-2021-29767 βΌ
π Read
via "National Vulnerability Database".
IBM i2 Analyst's Notebook Premium 9.2.0, 9.2.1, and 9.2.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 202681.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20430 βΌ
π Read
via "National Vulnerability Database".
IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 196341.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26824 βΌ
π Read
via "National Vulnerability Database".
DM FingerTool v1.19 in the DM PD065 Secure USB is susceptible to improper authentication by a replay attack, allowing local attackers to bypass user authentication and access all features and data on the USB.π Read
via "National Vulnerability Database".
βΌ CVE-2020-12681 βΌ
π Read
via "National Vulnerability Database".
Missing TLS certificate validation on 3xLogic Infinias eIDC32 devices through 3.4.125 allows an attacker to intercept/control the channel by which door lock policies are applied.π Read
via "National Vulnerability Database".
βΌ CVE-2020-4623 βΌ
π Read
via "National Vulnerability Database".
IBM i2 iBase 8.9.13 could allow a local authenticated attacker to execute arbitrary code on the system, caused by a DLL search order hijacking flaw. By using a specially-crafted .DLL file, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 184984.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22144 βΌ
π Read
via "National Vulnerability Database".
In Elasticsearch versions before 7.13.3 and 6.8.17 an uncontrolled recursion vulnerability that could lead to a denial of service attack was identified in the Elasticsearch Grok parser. A user with the ability to submit arbitrary queries to Elasticsearch could create a malicious Grok query that will crash the Elasticsearch node.π Read
via "National Vulnerability Database".
βΌ CVE-2021-29769 βΌ
π Read
via "National Vulnerability Database".
IBM i2 Analyst's Notebook Premium (IBM i2 Analyze 4.3.0, 4.3.1, and 4.3.2) does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 202769.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20337 βΌ
π Read
via "National Vulnerability Database".
IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 194448.π Read
via "National Vulnerability Database".
β Malware Makers Using βExoticβ Programming Languages β
π Read
via "Threat Post".
Sprechen Sie Rust? Polyglot malware authors are increasingly using obscure programming languages to evade detection.π Read
via "Threat Post".
Threat Post
Malware Makers Using βExoticβ Programming Languages
Sprechen Sie Rust? Polyglot malware authors are increasingly using obscure programming languages to evade detection.
βΌ CVE-2021-33629 βΌ
π Read
via "National Vulnerability Database".
isula-build before 0.9.5-8 can cause a program crash, when building container images, some functions for processing external data do not remove spaces when processing data.π Read
via "National Vulnerability Database".
βΌ CVE-2021-37534 βΌ
π Read
via "National Vulnerability Database".
app/View/GalaxyClusters/add.ctp in MISP 2.4.146 allows Stored XSS when forking a galaxy cluster.π Read
via "National Vulnerability Database".
π¦Ώ Deepfakes: Microsoft and others in Big Tech are working to bring authenticity to videos, photos π¦Ώ
π Read
via "Tech Republic".
If you want people to trust the photos and videos your business puts out, it might be time to start learning how to prove they haven't been tampered with.π Read
via "Tech Republic".
βΌ CVE-2021-32790 βΌ
π Read
via "National Vulnerability Database".
Woocommerce is an open source eCommerce plugin for WordPress. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce plugin between version 3.3.0 and 3.3.6. Malicious actors (already) having admin access, or API keys to the WooCommerce site can exploit vulnerable endpoints of `/wp-json/wc/v3/webhooks`, `/wp-json/wc/v2/webhooks` and other webhook listing API. Read-only SQL queries can be executed using this exploit, while data will not be returned, by carefully crafting `search` parameter information can be disclosed using timing and related attacks. Version 3.3.6 is the earliest version of Woocommerce with a patch for this vulnerability. There are no known workarounds other than upgrading.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32791 βΌ
π Read
via "National Vulnerability Database".
mod_auth_openidc is an authentication/authorization module for the Apache 2.x HTTP server that functions as an OpenID Connect Relying Party, authenticating users against an OpenID Connect Provider. In mod_auth_openidc before version 2.4.9, the AES GCM encryption in mod_auth_openidc uses a static IV and AAD. It is important to fix because this creates a static nonce and since aes-gcm is a stream cipher, this can lead to known cryptographic issues, since the same key is being reused. From 2.4.9 onwards this has been patched to use dynamic values through usage of cjose AES encryption routines.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32789 βΌ
π Read
via "National Vulnerability Database".
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be executed against the `wc/store/products/collection-data?calculate_attribute_counts[][taxonomy]` endpoint that allows the execution of a read only sql query. There are patches for many versions of this package, starting with version 2.5.16. There are no known workarounds aside from upgrading.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25802 βΌ
π Read
via "National Vulnerability Database".
A buffer overflow vulnerability in the AVI_ExtractSubtitle component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25803 βΌ
π Read
via "National Vulnerability Database".
A buffer overflow vulnerability in the vlc_input_attachment_New component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32631 βΌ
π Read
via "National Vulnerability Database".
Common is a package of common modules that can be accessed by NIMBLE services. Common before commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 did not properly verify the signature of JSON Web Tokens. This allows someone to forge a valid JWT. Being able to forge JWTs may lead to authentication bypasses. Commit number 3b96cb0293d3443b870351945f41d7d55cb34b53 contains a patch for the issue. As a workaround, one may use the parseClaimsJws method to correctly verify the signature of a JWT.π Read
via "National Vulnerability Database".
βΌ CVE-2021-31292 βΌ
π Read
via "National Vulnerability Database".
An integer overflow in CrwMap::encode0x1810 of Exiv2 0.27.3 allows attackers to trigger a heap-based buffer overflow and cause a denial of service (DOS) via crafted metadata.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25804 βΌ
π Read
via "National Vulnerability Database".
A NULL-pointer dereference in "Open" in avi.c of VideoLAN VLC Media Player 3.0.11 can a denial of service (DOS) in the application.π Read
via "National Vulnerability Database".