βΌ CVE-2020-18172 βΌ
π Read
via "National Vulnerability Database".
A code injection vulnerability in the SeDebugPrivilege component of Trezor Bridge 2.0.27 allows attackers to escalate privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2020-18170 βΌ
π Read
via "National Vulnerability Database".
An issue in the SeChangeNotifyPrivilege component of Abloy Key Manager Version 7.14301.0.0 allows attackers to escalate privileges via a change in permissions.π Read
via "National Vulnerability Database".
βΌ CVE-2020-18169 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the Windows installer XML (WiX) toolset of TechSmith Snagit 19.1.1.2860 allows attackers to escalate privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2020-18174 βΌ
π Read
via "National Vulnerability Database".
A process injection vulnerability in setup.exe of AutoHotkey 1.1.32.00 allows attackers to escalate privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32795 βΌ
π Read
via "National Vulnerability Database".
ArchiSteamFarm is a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. In versions prior to 4.3.1.0 a Denial of Service (aka DoS) vulnerability which allows attacker to remotely crash running ASF instance through sending a specifically-crafted Steam chat message exists. The user sending the message does not need to be authorized within the bot or ASF process. The attacker needs to know ASF's `CommandPrefix` in advance, but majority of ASF setups run with an unchanged default value. This attack does not allow attacker to gain any potentially-sensitive information, such as logins or passwords, does not allow to execute arbitrary commands and otherwise exploit the crash further. The issue is patched in ASF V4.3.1.0. The only workaround which guarantees complete protection is running all bots with `OnlineStatus` of `0` (Offline). In this setup, ASF is able to ignore even the specifically-crafted message without attempting to interpret it.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23243 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in NavigateCMS NavigateCMS 2.9 via the name="wrong_path_redirect" feature.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23240 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23241 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via 'News > Article" feature.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23239 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability in Textpattern CMS 4.8.1 via Custom fields in the Menu Preferences feature.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23234 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerabiity exists in LavaLite CMS 5.8.0 via the Menu Blocks feature, which can be bypassed by using HTML event handlers, such as "ontoggle,".π Read
via "National Vulnerability Database".
β Podcast: IoT Piranhas Are Swarming Industrial Controls β
π Read
via "Threat Post".
Enormous botnets of IoT devices are going after decades-old legacy systems that are rife in systems that control crucial infrastructure.π Read
via "Threat Post".
βΌ CVE-2021-37576 βΌ
π Read
via "National Vulnerability Database".
arch/powerpc/kvm/book3s_rtas.c in the Linux kernel through 5.13.5 on the powerpc platform allows KVM guest OS users to cause host OS memory corruption via rtas_args.nargs, aka CID-f62f3c20647e.π Read
via "National Vulnerability Database".
βΌ CVE-2020-18428 βΌ
π Read
via "National Vulnerability Database".
tinyexr commit 0.9.5 was discovered to contain an array index error in the tinyexr::SaveEXR component, which can lead to a denial of service (DOS).π Read
via "National Vulnerability Database".
βΌ CVE-2020-18430 βΌ
π Read
via "National Vulnerability Database".
tinyexr 0.9.5 was discovered to contain an array index error in the tinyexr::DecodeEXRImage component, which can lead to a denial of service (DOS).π Read
via "National Vulnerability Database".
β Windows βPetitPotamβ network attack β how to protect against it β
π Read
via "Naked Security".
A cute name but an annoying and potentially damaging attack. Here's what to do.π Read
via "Naked Security".
Naked Security
Windows βPetitPotamβ network attack β how to protect against it
A cute name but an annoying and potentially damaging attack. Hereβs what to do.
β Apple Patches Actively Exploited Zero-Day in iOS, MacOS β
π Read
via "Threat Post".
Company urges iPhone, iPad and Mac users to install updates to fix a critical memory corruption flaw that can allow for attackers to take over a system.π Read
via "Threat Post".
Threat Post
Apple Patches Actively Exploited Zero-Day in iOS, MacOS
Company urges iPhone, iPad and Mac users to install updates to fix a critical memory corruption flaw that can allow for attackers to take over a system.
β Apple emergency zero-day fix for iPhones and Macs β get it now! β
π Read
via "Naked Security".
You're probably expecting us to say, "Patch early, patch often." And that is EXACTLY what we're saying!π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
βΌ CVE-2021-20399 βΌ
π Read
via "National Vulnerability Database".
IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196073.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20562 βΌ
π Read
via "National Vulnerability Database".
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5_3 and 6.1.0.0 through 6.1.0.2 vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199232.π Read
via "National Vulnerability Database".
β Three Zero-Day Bugs Plague Kaseya Unitrends Backup Servers β
π Read
via "Threat Post".
The unpatched flaws include RCE and authenticated privilege escalation on the client-side: Just the latest woe for the ransomware-walloped MSP.π Read
via "Threat Post".
Threat Post
Three Zero-Day Bugs Plague Kaseya Unitrends Backup Servers
The unpatched flaws include RCE and authenticated privilege escalation on the client-side: Just the latest woe for the ransomware-walloped MSP.
β Zimbra Server Bugs Could Lead to Email Plundering β
π Read
via "Threat Post".
Two bugs, now patched except in older versions, could be chained to allow attackers to hijack Zimbra server by simply sending a malicious email.π Read
via "Threat Post".
Threat Post
Zimbra Server Bugs Could Lead to Email Plundering
Two bugs, now patched except in older versions, could be chained to allow attackers to hijack Zimbra server by simply sending a malicious email.