CVE-2021-37156
via "National Vulnerability Database".
Redmine 4.2.0 and 4.2.1 allow existing user sessions to continue upon enabling two-factor authentication for the user's account, but the intended behavior is for those sessions to be terminated.
CVE-2021-32581
via "National Vulnerability Database".
Acronis True Image prior to 2021 Update 4 for Windows, Acronis True Image prior to 2021 Update 5 for Mac, Acronis Agent prior to build 26653, Acronis Cyber Protect prior to build 27009 did not implement SSL certificate validation.
Black Hat: New CISA Head Woos Crowd With Public-Private Task Force
via "Threat Post".
Day two Black Hat keynote by CISA Director Jen Easterly includes launch of private-public partnership with Amazon, Google and Microsoft to fight cybercrime.
CVE-2020-22392
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability exists in Subrion CMS 4.2.2 when adding a blog and then editing an image file.
CISA Launches JCDC, the Joint Cyber Defense Collaborative
via "Dark Reading".
"We can't do this alone," the new CISA director told attendees in a keynote at Black Hat USA today.
FTC warns of phishing scams over unemployment benefits
via "Tech Republic".
The scam messages try to convince you to enter your Social Security number and other personal info at a website masquerading as your state's workforce agency.
CVE-2021-32587
via "National Vulnerability Database".
An improper access control vulnerability in FortiManager and FortiAnalyzer GUI interface 7.0.0, 6.4.5 and below, 6.2.8 and below, 6.0.11 and below, 5.6.11 and below may allow a remote and authenticated attacker with a restricted user profile to retrieve the list of administrative users of other ADOMs and their related configuration.
CVE-2021-32597
via "National Vulnerability Database".
Multiple improper neutralization of input during web page generation (CWE-79) in FortiManager and FortiAnalyzer versions 7.0.0, 6.4.5 and below, 6.2.7 and below user interface, may allow a remote authenticated attacker to perform a Stored Cross Site Scripting attack (XSS) by injecting malicious payload in GET parameters.
Friday Five 8/6
via "Digital Guardian".
An increase in supply chain attacks, RDP brute force attacks explained, and a hacked hotel room - catch up on the infosec news of the week with the Friday Five!
HTTP/2 Implementation Errors Exposing Websites to Serious Risks
via "Dark Reading".
Organizations that don't implement end-to-end HTTP/2 are vulnerable to attacks that redirect users to malicious sites and other threats, security researcher reveals at Black Hat USA.
Conti ransomware affiliate goes rogue, leaks 'gang data'
via "Naked Security".
Once more unto the breach, dear friends, once more...
CVE-2021-38149
via "National Vulnerability Database".
index.php/admin/add_user in Chikitsa Patient Management System 2.0.0 allows XSS.
CVE-2021-38151
via "National Vulnerability Database".
index.php/appointment/todos in Chikitsa Patient Management System 2.0.0 allows XSS.
CVE-2021-37388
via "National Vulnerability Database".
A buffer overflow in D-Link DIR-615 C2 3.03WW. The ping_ipaddr parameter in ping_response.cgi POST request allows an attacker to crash the webserver and might even gain remote code execution.
CVE-2021-37381
via "National Vulnerability Database".
Southsoft GMIS 5.0 is vulnerable to CSRF attacks. Attackers can access other users' private information such as photos through CSRF. For example: any student's photo information can be accessed through /gmis/(S([1]))/student/grgl/PotoImageShow/?bh=[2]. Among them, the code in [1] is a random string generated according to the user's login related information. It can protect the user's identity, but it can not effectively prevent unauthorized access. The code in [2] is the student number of any student. The attacker can carry out CSRF attack on the system by modifying [2] without modifying [1].
CVE-2021-38152
via "National Vulnerability Database".
index.php/appointment/insert_patient_add_appointment in Chikitsa Patient Management System 2.0.0 allows XSS.
CVE-2021-22295
via "National Vulnerability Database".
A component of the HarmonyOS has a permission bypass vulnerability. Local attackers may exploit this vulnerability to cause the device to hang due to the page error OsVmPageFaultHandler.
Phishing continues to target big businesses and exploit COVID-19 fears in Q2 2021
via "Tech Republic".
Spam as a share of global mail traffic rose, and attackers have started to adapt their scams to other languages to reach wider audiences.
Amazon Kindle flaws could have allowed attackers to control the device
via "Tech Republic".
Now patched by Amazon, security vulnerabilities found by Check Point would have given attackers access to a Kindle device and its stored data.
The most secure browser for transmitting sensitive data is definitely not Chrome
via "Tech Republic".
Jack Wallen addresses the challenging question of which browser is best to use for transmitting encrypted data.
Angry Affiliate Leaks Conti Ransomware Gang Playbook
via "Threat Post".
The data includes IP addresses for Cobalt Strike C2 servers as well as an archive including numerous tools and training materials for the group, revealing how it performs attacks.