βΌ CVE-2021-38554 βΌ
π Read
via "National Vulnerability Database".
HashiCorp Vault and Vault EnterpriseΓ’β¬β’s UI erroneously cached and exposed user-viewed secrets between sessions in a single shared browser. Fixed in 1.8.0 and pending 1.7.4 / 1.6.6 releases.π Read
via "National Vulnerability Database".
βΌ CVE-2020-18759 βΌ
π Read
via "National Vulnerability Database".
An information disclosure vulnerability exists in the EPA protocol of Dut Computer Control Engineering Co.'s PLC MAC1100.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32069 βΌ
π Read
via "National Vulnerability Database".
The AWV component of Mitel MiCollab before 9.3 could allow an attacker to perform a Man-In-the-Middle attack due to improper TLS negotiation. A successful exploit could allow an attacker to view and modify data.π Read
via "National Vulnerability Database".
βΌ CVE-2020-18757 βΌ
π Read
via "National Vulnerability Database".
An issue in Dut Computer Control Engineering Co.'s PLC MAC1100 allows attackers to cause persistent denial of service (DOS) via a crafted packet.π Read
via "National Vulnerability Database".
βΌ CVE-2021-36790 βΌ
π Read
via "National Vulnerability Database".
The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows XSS.π Read
via "National Vulnerability Database".
βΌ CVE-2021-36788 βΌ
π Read
via "National Vulnerability Database".
The yoast_seo (aka Yoast SEO) extension before 7.2.3 for TYPO3 allows XSS.π Read
via "National Vulnerability Database".
βΌ CVE-2021-36791 βΌ
π Read
via "National Vulnerability Database".
The dated_news (aka Dated News) extension through 5.1.1 for TYPO3 allows Information Disclosure of application registration data.π Read
via "National Vulnerability Database".
βΌ CVE-2021-37586 βΌ
π Read
via "National Vulnerability Database".
The PowerPlay Web component of Mitel Interaction Recording Multitenancy systems before 6.7 could allow a user (with Administrator rights) to replay a previously recorded conversation of another tenant due to insufficient validation.π Read
via "National Vulnerability Database".
βΌ CVE-2020-18753 βΌ
π Read
via "National Vulnerability Database".
An issue in Dut Computer Control Engineering Co.'s PLC MAC1100 allows attackers to gain access to the system and escalate privileges via a crafted packet.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32067 βΌ
π Read
via "National Vulnerability Database".
The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization.π Read
via "National Vulnerability Database".
β Exchange Servers Under Active Attack via ProxyShell Bugs β
π Read
via "Threat Post".
Thereβs an entirely new attack surface in Exchange, a researcher revealed at Black Hat, and threat actors are now exploiting servers vulnerable to the RCE bugs.π Read
via "Threat Post".
Threat Post
Exchange Servers Under Active Attack via ProxyShell Bugs
Thereβs an entirely new attack surface in Exchange, a researcher revealed at Black Hat, and threat actors are now exploiting servers vulnerable to the RCE bugs.
βΌ CVE-2021-21829 βΌ
π Read
via "National Vulnerability Database".
A heap-based buffer overflow vulnerability exists in the XML Decompression EnumerationUncompressor::UncompressItem functionality of AT&T LabsΓ’β¬β’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21830 βΌ
π Read
via "National Vulnerability Database".
A heap-based buffer overflow vulnerability exists in the XML Decompression LabelDict::Load functionality of AT&T LabsΓ’β¬β’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.π Read
via "National Vulnerability Database".
β SolarWinds 2.0 Could Ignite Financial Crisis β Podcast β
π Read
via "Threat Post".
Thatβs what NY State suggests could happen, given the utter lack of cybersec protection at many private equity & hedge fund firms. Can AI help avert it?π Read
via "Threat Post".
Threat Post
SolarWinds 2.0 Could Ignite Financial Crisis β Podcast
Thatβs what NY State suggests could happen, given the utter lack of cybersec protection at many private equity & hedge fund firms. Can AI help avert it?
β Cyberattackers Embrace CAPTCHAs to Hide Phishing, Malware β
π Read
via "Threat Post".
CAPTCHA-protected malicious URLs are snowballing lately, researchers said.π Read
via "Threat Post".
Threat Post
Cyberattackers Embrace CAPTCHAs to Hide Phishing, Malware
CAPTCHA-protected malicious URLs are snowballing lately, researchers said.
β Amazonβs Plan to Track Worker Keystrokes: A Sign of Controls to Come? β
π Read
via "Threat Post".
Data theft, insider threats and imposters accessing sensitive customer data have apparently gotten so bad inside Amazon, the company is considering rolling out keyboard-stroke monitoring for its customer-service reps. A confidential memo from inside Amazon explained that customer service credential abuse and data theft was on the rise, according to Motherboard which reviewed the document. [β¦]π Read
via "Threat Post".
Threat Post
Amazonβs Plan to Track Worker Keystrokes: A Sign of Controls to Come?
Amazon is considering rolling out keyboard-stroke monitoring for its customer-service reps.
βΌ CVE-2020-21066 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Bento4 v1.5.1.0. There is a heap-buffer-overflow in AP4_Dec3Atom::AP4_Dec3Atom at Ap4Dec3Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42aac.π Read
via "National Vulnerability Database".
βΌ CVE-2020-21064 βΌ
π Read
via "National Vulnerability Database".
A buffer-overflow vulnerability in the AP4_RtpAtom::AP4_RtpAtom function in Ap4RtpAtom.cpp of Bento4 1.5.1.0 allows attackers to cause a denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2021-37705 βΌ
π Read
via "National Vulnerability Database".
OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain option. This can result in read/write access to private data such as software vulnerability and crash information, security testing tools and proprietary code and symbols. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. As a workaround users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38709 βΌ
π Read
via "National Vulnerability Database".
In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via the staff_messaging messaging system for XSS.π Read
via "National Vulnerability Database".
βΌ CVE-2021-26086 βΌ
π Read
via "National Vulnerability Database".
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.π Read
via "National Vulnerability Database".