‼ CVE-2021-37540 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains Hub before 2021.1.13262, a potentially insufficient CSP for the Widget deployment feature was used.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37554 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37549 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-36708 ‼
📖 Read
via "National Vulnerability Database".
In ProLink PRC2402M V1.0.18 and older, the set_sys_init function in the login.cgi binary allows an attacker to reset the password to the administrative interface of the router.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37544 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2020.2.4, there was an insecure deserialization.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-26998 ‼
📖 Read
via "National Vulnerability Database".
NetApp Cloud Manager versions prior to 3.9.9 log sensitive information that is available only to authenticated users. Customers with auto-upgrade enabled should already be on a fixed version while customers using on-prem connectors with auto-upgrade disabled are advised to upgrade to a fixed version.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-36209 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains Hub before 2021.1.13389, account takeover was possible during password reset.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-36706 ‼
📖 Read
via "National Vulnerability Database".
In ProLink PRC2402M V1.0.18 and older, the set_sys_cmd function in the adm.cgi binary, accessible with a page parameter value of sysCMD contains a trivial command injection where the value of the command parameter is passed directly to system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37546 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37543 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains RubyMine before 2021.1.1, code execution without user confirmation was possible for untrusted projects.📖 Read
via "National Vulnerability Database".
❌ Amazon Kindle Vulnerable to Malicious EBooks ❌
📖 Read
via "Threat Post".
Prior to a patch, a serious bug could have allowed attackers to take over Kindles and steal personal data.📖 Read
via "Threat Post".
Threat Post
Amazon Kindle Vulnerable to Malicious EBooks
Prior to a patch, a serious bug could have allowed attackers to take over Kindles and steal personal data.
‼ CVE-2021-35312 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in CIR 2000 / Gestionale Amica Prodigy v1.7. The Amica Prodigy's executable "RemoteBackup.Service.exe" has incorrect permissions, allowing a local unprivileged user to replace it with a malicious file that will be executed with "LocalSystem" privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-18693 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) in MineWebCMS v1.7.0 allows remote attackers to execute arbitrary code by injecting malicious code into the 'Title' field of the component '/admin/news'.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-18694 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) in IgnitedCMS v1.0 allows remote attackers to obtain sensitive information and gain privilege via the component "/admin/profile/save_profile".📖 Read
via "National Vulnerability Database".
❌ Golang Cryptomining Worm Offers 15% Speed Boost ❌
📖 Read
via "Threat Post".
The latest variants of the Monero-mining malware exploit known web server bugs and add efficiency to the mining process.📖 Read
via "Threat Post".
Threat Post
Golang Cryptomining Worm Offers 15% Speed Boost
The latest variants of the Monero-mining malware exploit known web server bugs and add efficiency to the mining process.
🕴 FragAttacks Foil 2 Decades of Wireless Security 🕴
📖 Read
via "Dark Reading".
Wireless security protocols have improved, but product vendors continue to make implementation errors that allow a variety of attacks.📖 Read
via "Dark Reading".
Dark Reading
FragAttacks Foil 2 Decades of Wireless Security
Wireless security protocols have improved, but product vendors continue to make implementation errors that allow a variety of attacks.
‼ CVE-2021-38155 ‼
📖 Read
via "National Vulnerability Database".
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38157 ‼
📖 Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** LeoStream Connection Broker 9.x before 9.0.34.3 allows Unauthenticated Reflected XSS via the /index.pl user parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38160 ‼
📖 Read
via "National Vulnerability Database".
In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38148 ‼
📖 Read
via "National Vulnerability Database".
Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29923 ‼
📖 Read
via "National Vulnerability Database".
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.📖 Read
via "National Vulnerability Database".