‼ CVE-2021-37546 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains TeamCity before 2021.1, an insecure key generation mechanism for encrypted properties was used.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37543 ‼
📖 Read
via "National Vulnerability Database".
In JetBrains RubyMine before 2021.1.1, code execution without user confirmation was possible for untrusted projects.📖 Read
via "National Vulnerability Database".
❌ Amazon Kindle Vulnerable to Malicious EBooks ❌
📖 Read
via "Threat Post".
Prior to a patch, a serious bug could have allowed attackers to take over Kindles and steal personal data.📖 Read
via "Threat Post".
Threat Post
Amazon Kindle Vulnerable to Malicious EBooks
Prior to a patch, a serious bug could have allowed attackers to take over Kindles and steal personal data.
‼ CVE-2021-35312 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was found in CIR 2000 / Gestionale Amica Prodigy v1.7. The Amica Prodigy's executable "RemoteBackup.Service.exe" has incorrect permissions, allowing a local unprivileged user to replace it with a malicious file that will be executed with "LocalSystem" privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-18693 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) in MineWebCMS v1.7.0 allows remote attackers to execute arbitrary code by injecting malicious code into the 'Title' field of the component '/admin/news'.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-18694 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) in IgnitedCMS v1.0 allows remote attackers to obtain sensitive information and gain privilege via the component "/admin/profile/save_profile".📖 Read
via "National Vulnerability Database".
❌ Golang Cryptomining Worm Offers 15% Speed Boost ❌
📖 Read
via "Threat Post".
The latest variants of the Monero-mining malware exploit known web server bugs and add efficiency to the mining process.📖 Read
via "Threat Post".
Threat Post
Golang Cryptomining Worm Offers 15% Speed Boost
The latest variants of the Monero-mining malware exploit known web server bugs and add efficiency to the mining process.
🕴 FragAttacks Foil 2 Decades of Wireless Security 🕴
📖 Read
via "Dark Reading".
Wireless security protocols have improved, but product vendors continue to make implementation errors that allow a variety of attacks.📖 Read
via "Dark Reading".
Dark Reading
FragAttacks Foil 2 Decades of Wireless Security
Wireless security protocols have improved, but product vendors continue to make implementation errors that allow a variety of attacks.
‼ CVE-2021-38155 ‼
📖 Read
via "National Vulnerability Database".
OpenStack Keystone 10.x through 16.x before 16.0.2, 17.x before 17.0.1, 18.x before 18.0.1, and 19.x before 19.0.1 allows information disclosure during account locking (related to PCI DSS features). By guessing the name of an account and failing to authenticate multiple times, any unauthenticated actor could both confirm the account exists and obtain that account's corresponding UUID, which might be leveraged for other unrelated attacks. All deployments enabling security_compliance.lockout_failure_attempts are affected.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38157 ‼
📖 Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** LeoStream Connection Broker 9.x before 9.0.34.3 allows Unauthenticated Reflected XSS via the /index.pl user parameter. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38160 ‼
📖 Read
via "National Vulnerability Database".
In drivers/char/virtio_console.c in the Linux kernel before 5.13.4, data corruption or loss can be triggered by an untrusted device that supplies a buf->len value exceeding the buffer size.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38148 ‼
📖 Read
via "National Vulnerability Database".
Obsidian before 0.12.12 does not require user confirmation for non-http/https URLs.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29923 ‼
📖 Read
via "National Vulnerability Database".
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38159 ‼
📖 Read
via "National Vulnerability Database".
In certain Progress MOVEit Transfer versions before 2021.0.4 (aka 13.0.4), SQL injection in the MOVEit Transfer web application could allow an unauthenticated remote attacker to gain access to the database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker may be able to infer information about the structure and contents of the database, or execute SQL statements that alter or delete database elements, via crafted strings sent to unique MOVEit Transfer transaction types. The fixed versions are 2019.0.8 (11.0.8), 2019.1.7 (11.1.7), 2019.2.4 (11.2.4), 2020.0.7 (12.0.7), 2020.1.6 (12.1.6), and 2021.0.4 (13.0.4).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29922 ‼
📖 Read
via "National Vulnerability Database".
library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38185 ‼
📖 Read
via "National Vulnerability Database".
GNU cpio through 2.13 allows attackers to execute arbitrary code via a crafted pattern file, because of a dstring.c ds_fgetstr integer overflow that triggers an out-of-bounds heap write. NOTE: it is unclear whether there are common cases where the pattern file, associated with the -E option, is untrusted data.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-36438 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the tiny_future crate before 0.4.0 for Rust. Future<T> does not have bounds on its Send and Sync traits.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-36449 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the kekbit crate before 0.3.4 for Rust. For ShmWriter<H>, Send is implemented without requiring H: Send.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-36466 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the cgc crate through 2020-12-10 for Rust. Ptr implements Send and Sync for all types.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38188 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the iced-x86 crate through 1.10.3 for Rust. In Decoder::new(), slice.get_unchecked(slice.length()) is used unsafely.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-36470 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the disrustor crate through 2020-12-17 for Rust. RingBuffer doe not properly limit the number of mutable references.📖 Read
via "National Vulnerability Database".