βΌ CVE-2021-37707 βΌ
π Read
via "National Vulnerability Database".
### Impact Manipulation of product reviews via API ### Patches We recommend updating to the current version 6.4.3.1. You can get the update to 6.4.3.1 regularly via the Auto-Updater or directly via the download overview. https://www.shopware.com/en/download/#shopware-6 ### Workarounds For older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin. For the full range of functions, we recommend updating to the latest Shopware version. https://store.shopware.com/en/detail/index/sArticle/518463/number/Swag136939272659π Read
via "National Vulnerability Database".
βΌ CVE-2020-18701 βΌ
π Read
via "National Vulnerability Database".
Incorrect Access Control in Lin-CMS-Flask v0.1.1 allows remote attackers to obtain sensitive information and/or gain privileges due to the application not invalidating a user's authentication token upon logout, which allows for replaying packets.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34657 βΌ
π Read
via "National Vulnerability Database".
The 2TypoFR WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the text function found in the ~/vendor/Org_Heigl/Hyphenator/index.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 0.11.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22933 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in Pulse Connect Secure before 9.1R12 could allow an authenticated administrator to perform an arbitrary file delete via a maliciously crafted web request.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34658 βΌ
π Read
via "National Vulnerability Database".
The Simple Popup Newsletter WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to the use of $_SERVER['PHP_SELF'] in the ~/simple-popup-newsletter.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.4.7.π Read
via "National Vulnerability Database".
βΌ CVE-2021-0114 βΌ
π Read
via "National Vulnerability Database".
Insecure default variable initialization for the Intel BSSA DFT feature may allow a privileged user to potentially enable an escalation of privilege via local access.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34656 βΌ
π Read
via "National Vulnerability Database".
The 2Way VideoCalls and Random Chat - HTML5 Webcam Videochat WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the `vws_notice` function found in the ~/inc/requirements.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 5.2.7.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34666 βΌ
π Read
via "National Vulnerability Database".
The Add Sidebar WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the add parameter in the ~/wp_sidebarMenu.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.0.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32827 βΌ
π Read
via "National Vulnerability Database".
MockServer is open source software which enables easy mocking of any system you integrate with via HTTP or HTTPS. An attacker that can trick a victim into visiting a malicious site while running MockServer locally, will be able to run arbitrary code on the MockServer machine. With an overly broad default CORS configuration MockServer allows any site to send cross-site requests. Additionally, MockServer allows you to create dynamic expectations using Javascript or Velocity templates. Both engines may allow an attacker to execute arbitrary code on-behalf of MockServer. By combining these two issues (Overly broad CORS configuration + Script injection), an attacker could serve a malicious page so that if a developer running MockServer visits it, they will get compromised. For more details including a PoC see the referenced GHSL-2021-059.π Read
via "National Vulnerability Database".
βΌ CVE-2021-37708 βΌ
π Read
via "National Vulnerability Database".
Shopware is an open source eCommerce platform. Versions prior to 6.4.3.1 contain a command injection vulnerability in mail agent settings. Version 6.4.3.1 contains a patch. As workarounds for older versions of 6.1, 6.2, and 6.3, corresponding security measures are also available via a plugin.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21859 βΌ
π Read
via "National Vulnerability Database".
An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. The stri_box_read function is used when processing atoms using the 'stri' FOURCC code. An attacker can convince a user to open a video to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21860 βΌ
π Read
via "National Vulnerability Database".
An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. A specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. The FOURCC code, 'trik', is parsed by the function within the library. An attacker can convince a user to open a video to trigger this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38608 βΌ
π Read
via "National Vulnerability Database".
Incorrect Access Control in Tranquil WAPT Enterprise - before 1.8.2.7373 and before 2.0.0.9450 allows guest OS users to escalate privileges via WAPT Agent.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32826 βΌ
π Read
via "National Vulnerability Database".
Proxyee-Down is open source proxy software. An attacker being able to provide an extension script (eg: through a MiTM attack or by hosting a malicious extension) may be able to run arbitrary commands on the system running Proxyee-Down. For more details including a PoC see the referenced GHSL-2021-053. As of the writing of this CVE there is currently no patched version.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21861 βΌ
π Read
via "National Vulnerability Database".
An exploitable integer truncation vulnerability exists within the MPEG-4 decoding functionality of the GPAC Project on Advanced Content library v1.0.1. When processing the 'hdlr' FOURCC code, a specially crafted MPEG-4 input can cause an improper memory allocation resulting in a heap-based buffer overflow that causes memory corruption. An attacker can convince a user to open a video to trigger this vulnerability.π Read
via "National Vulnerability Database".
β How to Reduce Exchange Server Downtime in Case of a Disaster? β
π Read
via "Threat Post".
Exchange downtime can have serious implications on businesses. Thus, itβs important to maintain backups and implement best practices for Exchange servers that can help restore the Exchange server when a disaster strikes with minimal impact and downtime.π Read
via "Threat Post".
Threat Post
How to Reduce Exchange Server Downtime in Case of a Disaster?
Exchange downtime can have serious implications on businesses. Thus, itβs important to maintain backups and implement best practices for Exchange servers that can help restore the Exchange server when a disaster strikes with minimal impact and downtime.
β Apple: CSAM Image-Detection Backdoor βNarrowβ in Scope β
π Read
via "Threat Post".
Computing giant tries to reassure users that the tool wonβt be used for mass surveillance.π Read
via "Threat Post".
Threat Post
Apple: CSAM Image-Detection Backdoor βNarrowβ in Scope
Computing giant tries to reassure users that the tool wonβt be used for mass surveillance.
β Terrorist Watchlist Exposed Online with Nearly 1.9M Records β
π Read
via "Threat Post".
A researcher discovered a data cache from the FBIβs Terrorist Screening Center left online without a password or authentication requirement.π Read
via "Threat Post".
Threat Post
Terrorist Watchlist Exposed Online with Nearly 1.9M Records
A researcher discovered a data cache from the FBIβs Terrorist Screening Center left online without a password or authentication requirement.
π TOR Virtual Network Tunneling Tool 0.4.6.7 π
π Read
via "Packet Storm Security".
Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Internet. It also enables software developers to create new communication tools with built-in privacy features. It provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy. Individuals can use it to keep remote Websites from tracking them and their family members. They can also use it to connect to resources such as news sites or instant messaging services that are blocked by their local Internet service providers (ISPs). This is the source code release.π Read
via "Packet Storm Security".
Packetstormsecurity
TOR Virtual Network Tunneling Tool 0.4.6.7 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
π¦Ώ Top 5 tech annoyances π¦Ώ
π Read
via "Tech Republic".
Tom Merritt tells us his top five annoyances in tech and why they are frustrating.π Read
via "Tech Republic".
TechRepublic
Top 5 tech annoyances and why they are frustrating
Tom Merritt tells us his top five annoyances in tech and why they are frustrating.
π¦Ώ The 5 most annoying things in technology π¦Ώ
π Read
via "Tech Republic".
These five things are driving us crazy, says Tom Merritt. There's hope for some to get better.π Read
via "Tech Republic".
TechRepublic
The 5 most annoying things in technology
These five things are driving us crazy, says Tom Merritt. There's hope for some to get better.