🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-32067 ‼

The MiCollab Client Service component in Mitel MiCollab before 9.3 could allow an attacker to view sensitive system information through an HTTP response due to insufficient output sanitization.

via "National Vulnerability Database".
❌ Exchange Servers Under Active Attack via ProxyShell Bugs ❌

There’s an entirely new attack surface in Exchange, a researcher revealed at Black Hat, and threat actors are now exploiting servers vulnerable to the RCE bugs.

via "Threat Post".
‼ CVE-2021-21829 ‼

A heap-based buffer overflow vulnerability exists in the XML Decompression EnumerationUncompressor::UncompressItem functionality of AT&T Labs’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

via "National Vulnerability Database".
‼ CVE-2021-21830 ‼

A heap-based buffer overflow vulnerability exists in the XML Decompression LabelDict::Load functionality of AT&T Labs’ Xmill 0.7. A specially crafted XMI file can lead to remote code execution. An attacker can provide a malicious file to trigger this vulnerability.

via "National Vulnerability Database".
❌ SolarWinds 2.0 Could Ignite Financial Crisis – Podcast ❌

That’s what NY State suggests could happen, given the utter lack of cybersec protection at many private equity & hedge fund firms. Can AI help avert it?

via "Threat Post".
❌ Cyberattackers Embrace CAPTCHAs to Hide Phishing, Malware ❌

CAPTCHA-protected malicious URLs are snowballing lately, researchers said.

via "Threat Post".
❌ Amazon’s Plan to Track Worker Keystrokes: A Sign of Controls to Come? ❌

Data theft, insider threats and imposters accessing sensitive customer data have apparently gotten so bad inside Amazon, the company is considering rolling out keyboard-stroke monitoring for its customer-service reps. A confidential memo from inside Amazon explained that customer service credential abuse and data theft was on the rise, according to Motherboard which reviewed the document. […]

via "Threat Post".
‼ CVE-2020-21066 ‼

An issue was discovered in Bento4 v1.5.1.0. There is a heap-buffer-overflow in AP4_Dec3Atom::AP4_Dec3Atom at Ap4Dec3Atom.cpp, leading to a denial of service (program crash), as demonstrated by mp42aac.

via "National Vulnerability Database".
‼ CVE-2020-21064 ‼

A buffer-overflow vulnerability in the AP4_RtpAtom::AP4_RtpAtom function in Ap4RtpAtom.cpp of Bento4 1.5.1.0 allows attackers to cause a denial of service.

via "National Vulnerability Database".
‼ CVE-2021-37705 ‼

OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz deployment must be both version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain option. This can result in read/write access to private data such as software vulnerability and crash information, security testing tools and proprietary code and symbols. Via authorized API calls, this also enables tampering with existing data and unauthorized code execution on Azure compute resources. This issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer token's `issuer` against an administrator-configured allowlist. As a workaround users can restrict access to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which omits the `--multi_tenant_domain` option.

via "National Vulnerability Database".
‼ CVE-2021-38709 ‼

In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via the staff_messaging messaging system for XSS.

via "National Vulnerability Database".
‼ CVE-2021-26086 ‼

Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.

via "National Vulnerability Database".
‼ CVE-2021-38711 ‼

In gitit before 0.15.0.0, the Export feature can be exploited to leak information from files.

via "National Vulnerability Database".
‼ CVE-2021-38713 ‼

imgURL 2.31 allows XSS via an X-Forwarded-For HTTP header.

via "National Vulnerability Database".
‼ CVE-2021-38712 ‼

OneNav 0.9.12 allows Information Disclosure of the onenav.db3 contents. NOTE: the vendor's recommended solution is to block the access via an NGINX configuration file.

via "National Vulnerability Database".
‼ CVE-2021-38708 ‼

In ocProducts Composr CMS before 10.0.38, an attacker can inject JavaScript via Comcode for XSS.

via "National Vulnerability Database".
‼ CVE-2021-24538 ‼

The Current Book WordPress plugin through 1.0.1 does not sanitize user input when an authenticated user adds Author or Book Title, then does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue.

via "National Vulnerability Database".
‼ CVE-2021-24527 ‼

The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such change by email for example.

via "National Vulnerability Database".
‼ CVE-2021-24445 ‼

The My Site Audit WordPress plugin through 1.2.4 does not sanitise or escape the Audit Name field when creating an audit, allowing high privilege users to set JavaScript payloads in them, even when the unfiltered_html capability is disallowed, leading to an authenticated Stored Cross-Site Scripting issue.

via "National Vulnerability Database".
‼ CVE-2021-24540 ‼

The Wonder Video Embed WordPress plugin before 1.8 does not escape parameters of its wonderplugin_video shortcode, which could allow users with a role as low as Contributor to perform Stored XSS attacks.

via "National Vulnerability Database".
‼ CVE-2021-24536 ‼

The Custom Login Redirect WordPress plugin through 1.0.0 does not have CSRF check in place when saving its settings, and does not sanitise or escape user input before outputting them back in the page, leading to a Stored Cross-Site Scripting issue.

via "National Vulnerability Database".