‼ CVE-2021-38138 ‼
📖 Read
via "National Vulnerability Database".
OneNav beta 0.9.12 allows XSS via the Add Link feature. NOTE: the vendor's position is that there intentionally is not any XSS protection at present, because the attack risk is largely limited to a compromised account; however, XSS protection is planned for a future release.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37605 ‼
📖 Read
via "National Vulnerability Database".
In the Microchip MiWi v6.5 software stack, there is a possibility of frame counters being being validated / updated prior to message authentication.📖 Read
via "National Vulnerability Database".
🔏 Enterprise Security Migration Done Right: Tips from Our CISO 🔏
📖 Read
via "".
Is your company planning on migrating to a new security solution? Do it the right way and avoid these pitfalls.📖 Read
via "".
Digital Guardian
Enterprise Security Migration Done Right: Tips from Our CISO
Is your company planning on migrating to a new security solution? Do it the right way and avoid these pitfalls.
‼ CVE-2021-37625 ‼
📖 Read
via "National Vulnerability Database".
Skytable is an open source NoSQL database. In versions prior to 0.6.4 an incorrect check of return value of the accept function in the run-loop for a TCP socket/TLS socket/TCP+TLS multi-socket causes an early exit from the run loop that should continue infinitely unless terminated by a local user, effectively causing the whole database server to shut down. This has severe impact and can be used to easily cause DoS attacks without the need to use much bandwidth. The attack vectors include using an incomplete TLS connection for example by not providing the certificate for the connection and using a specially crafted TCP packet that triggers the application layer backoff algorithm.📖 Read
via "National Vulnerability Database".
🦿 The most secure browser for transmitting sensitive data is definitely not Chrome 🦿
📖 Read
via "Tech Republic".
Jack Wallen addresses the challenging question of which browser is best to use for transmitting encrypted data.📖 Read
via "Tech Republic".
TechRepublic
The most secure browser for transmitting sensitive data is definitely not Chrome
Jack Wallen addresses the challenging question of which browser is best to use for transmitting encrypted data.
🦿 Where to find the best-paying cybersecurity jobs 🦿
📖 Read
via "Tech Republic".
New analysis includes salary data, cost of living and how easy it is to find a job and identifies cities with the best pay and the most open positions.📖 Read
via "Tech Republic".
TechRepublic
Where to find the best-paying cybersecurity jobs
New analysis includes salary data, cost of living and how easy it is to find a job and identifies cities with the best pay and the most open positions.
❌ Auditors: Feds’ Cybersecurity Gets the Dunce Cap ❌
📖 Read
via "Threat Post".
Out of eight agencies, four were given D grades in a report for the Senate, while the Feds overall got a C-. 📖 Read
via "Threat Post".
Threat Post
Auditors: Feds’ Cybersecurity Gets the Dunce Cap
Out of eight agencies, four were given D grades in a report for the Senate, while the Feds overall got a C-.
🕴 Incident Responders Explore Microsoft 365 Attacks in the Wild 🕴
📖 Read
via "Dark Reading".
Mandiant experts discuss the novel techniques used to evade detection, automate data theft, and achieve persistent access.📖 Read
via "Dark Reading".
Dark Reading
Incident Responders Explore Microsoft 365 Attacks in the Wild
Mandiant experts discuss the novel techniques used to evade detection, automate data theft, and achieve persistent access.
‼ CVE-2021-29971 ‼
📖 Read
via "National Vulnerability Database".
If a user had granted a permission to a webpage and saved that grant, any webpage running on the same host - irrespective of scheme or port - would be granted that permission. *This bug only affects Firefox for Android. Other operating systems are unaffected.*. This vulnerability affects Firefox < 90.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34638 ‼
📖 Read
via "National Vulnerability Database".
Authenticated Directory Traversal in WordPress Download Manager <= 3.1.24 allows authenticated (Contributor+) users to obtain sensitive configuration file information, as well as allowing Author+ users to perform XSS attacks, by setting Download template to a file containing configuration information or an uploaded JavaScript with an image extension This issue affects: WordPress Download Manager version 3.1.24 and prior versions.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34631 ‼
📖 Read
via "National Vulnerability Database".
The NewsPlugin WordPress plugin is vulnerable to Cross-Site Request Forgery via the handle_save_style function found in the ~/news-plugin.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.18.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29972 ‼
📖 Read
via "National Vulnerability Database".
A use-after-free vulnerability was found via testing, and traced to an out-of-date Cairo library. Updating the library resolved the issue, and may have remediated other, unknown security vulnerabilities as well. This vulnerability affects Firefox < 90.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3566 ‼
📖 Read
via "National Vulnerability Database".
Prior to ffmpeg version 4.3, the tty demuxer did not have a 'read_probe' function assigned to it. By crafting a legitimate "ffconcat" file that references an image, followed by a file the triggers the tty demuxer, the contents of the second file will be copied into the output file verbatim (as long as the `-vcodec copy` option is passed to ffmpeg).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3591 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3580 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3679 ‼
📖 Read
via "National Vulnerability Database".
A lack of CPU resource in the Linux kernel tracing module functionality in versions prior to 5.14-rc3 was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with CAP_SYS_ADMIN capability) could use this flaw to starve the resources causing denial of service.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29976 ‼
📖 Read
via "National Vulnerability Database".
Mozilla developers reported memory safety bugs present in code shared between Firefox and Thunderbird. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3642 ‼
📖 Read
via "National Vulnerability Database".
A flaw was found in Wildfly Elytron where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality. This flaw affectes Wildfly Elytron versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29970 ‼
📖 Read
via "National Vulnerability Database".
A malicious webpage could have triggered a use-after-free, memory corruption, and a potentially exploitable crash. *This bug could only be triggered when accessibility was enabled.*. This vulnerability affects Thunderbird < 78.12, Firefox ESR < 78.12, and Firefox < 90.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-35307 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Bento4 through v1.6.0-636. A NULL pointer dereference exists in the AP4_DescriptorFinder::Test component located in /Core/Ap4Descriptor.h. It allows an attacker to cause a denial of service (DOS).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-35325 ‼
📖 Read
via "National Vulnerability Database".
A stack overflow in the checkLoginUser function of TOTOLINK A720R A720R_Firmware v4.1.5cu.470_B20200911 allows attackers to cause a denial of service (DOS).📖 Read
via "National Vulnerability Database".