โ Bug in Millions of Flawed IoT Devices Lets Attackers Eavesdrop โ
๐ Read
via "Threat Post".
A remote attacker could exploit a critical vulnerability to eavesdrop on live audio & video or take control. The bug is in ThroughTekโs Kalay network, used in 83m devices.๐ Read
via "Threat Post".
Threat Post
Bug in Millions of Flawed IoT Devices Lets Attackers Eavesdrop
A remote attacker could exploit a critical vulnerability to eavesdrop on live audio & video or take control. The bug is in ThroughTekโs Kalay network, used in 83m devices.
โ Copyright scammers turn to phone numbers instead of web links โ
๐ Read
via "Naked Security".
Forewarned is forearmed. Here's our advice on dealing with "copyright infringement" scammers.๐ Read
via "Naked Security".
Naked Security
Copyright scammers turn to phone numbers instead of web links
Forewarned is forearmed. Hereโs our advice on dealing with โcopyright infringementโ scammers.
โ Video surveillance network hacked by researchers to hijack footage โ
๐ Read
via "Naked Security".
Home automation. Internet of Things. Cloud management. And a security bug that could let other people watch you online...๐ Read
via "Naked Security".
Naked Security
Video surveillance network hacked by researchers to hijack footage
Home automation. Internet of Things. Cloud management. And a security bug that could let other people watch you onlineโฆ
โ LockBit 2.0 Ransomware Proliferates Globally โ
๐ Read
via "Threat Post".
Fresh attacks target companies' employees, promising millions of dollars in exchange for valid account credentials for initial access.๐ Read
via "Threat Post".
Threat Post
LockBit 2.0 Ransomware Proliferates Globally
Fresh attacks target companies' employees, promising millions of dollars in exchange for valid account credentials for initial access.
โผ CVE-2021-3459 โผ
๐ Read
via "National Vulnerability Database".
A privilege escalation vulnerability was reported in the MM1000 device configuration web server, which could allow privileged shell access and/or arbitrary privileged commands to be executed on the adapter.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-3633 โผ
๐ Read
via "National Vulnerability Database".
A DLL preloading vulnerability was reported in Lenovo Driver Management prior to version 2.9.0719.1104 that could allow privilege escalation.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-3615 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow code execution if a specific file exists on the attached SD card. This vulnerability is the same as CNVD-2021-45262.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-3616 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow an unauthorized user to view device information, alter firmware content and device configuration. This vulnerability is the same as CNVD-2020-68651.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-32829 โผ
๐ Read
via "National Vulnerability Database".
ZStack is open source IaaS(infrastructure as a service) software aiming to automate datacenters, managing resources of compute, storage, and networking all by APIs. Affected versions of ZStack REST API are vulnerable to post-authentication Remote Code Execution (RCE) via bypass of the Groovy shell sandbox. The REST API exposes the GET zstack/v1/batch-queries?script endpoint which is backed up by the BatchQueryAction class. Messages are represented by the APIBatchQueryMsg, dispatched to the QueryFacadeImpl facade and handled by the BatchQuery class. The HTTP request parameter script is mapped to the APIBatchQueryMsg.script property and evaluated as a Groovy script in BatchQuery.query the evaluation of the user-controlled Groovy script is sandboxed by SandboxTransformer which will apply the restrictions defined in the registered (sandbox.register()) GroovyInterceptor. Even though the sandbox heavily restricts the receiver types to a small set of allowed types, the sandbox is non effective at controlling any code placed in Java annotations and therefore vulnerable to meta-programming escapes. This issue leads to post-authenticated remote code execution. For more details see the referenced GHSL-2021-065. This issue is patched in versions 3.8.21, 3.10.8, and 4.1.0.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-3617 โผ
๐ Read
via "National Vulnerability Database".
A vulnerability was reported in Lenovo Smart Camera X3, X5, and C2E that could allow command injection by setting a specially crafted network configuration. This vulnerability is the same as CNVD-2020-68652.๐ Read
via "National Vulnerability Database".
โผ CVE-2020-28846 โผ
๐ Read
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) vulnerability exists in SeaCMS 10.7 in admin_manager.php, which could let a malicious user add an admin account.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-3458 โผ
๐ Read
via "National Vulnerability Database".
The Motorola MM1000 device configuration portal can be accessed without authentication, which could allow adapter settings to be modified.๐ Read
via "National Vulnerability Database".
๐ฆฟ Data privacy is a growing concern for more consumers ๐ฆฟ
๐ Read
via "Tech Republic".
People surveyed by KPMG reported feeling increasingly uneasy about the data collection practices of corporations.๐ Read
via "Tech Republic".
TechRepublic
Data privacy is a growing concern for more consumers | TechRepublic
People surveyed by KPMG reported feeling increasingly uneasy about the data collection practices of corporations.
โ The Overlooked Security Risks of The Cloud โ
๐ Read
via "Threat Post".
Nate Warfield, CTO of Prevaliion, discusses the top security concerns for those embracing virtual machines, public cloud storage and cloud strategies for remote working.๐ Read
via "Threat Post".
Threat Post
The Overlooked Security Risks of The Cloud
Nate Warfield, CTO of Prevailion, discusses the top security concerns for those embracing virtual machines, public cloud storage and cloud strategies for remote working.
๐ฆฟ Data privacy laws are constantly changing: Make sure your business is up to date ๐ฆฟ
๐ Read
via "Tech Republic".
Lawyer who specializes in data privacy discusses the importance of knowing the law no matter what size business you operate.๐ Read
via "Tech Republic".
TechRepublic
Data privacy laws are constantly changing: Make sure your business is up to date
Lawyer who specializes in data privacy discusses the importance of knowing the law no matter what size business you operate.
๐ฆฟ Lawyer discusses the evolving data privacy laws for businesses ๐ฆฟ
๐ Read
via "Tech Republic".
Every size company should know the laws regarding data privacy to avoid legal issues. Here's why it's important.๐ Read
via "Tech Republic".
TechRepublic
Lawyer discusses the evolving data privacy laws for businesses
Every size company should know the laws regarding data privacy to avoid legal issues. Here's why it's important.
โผ CVE-2021-0642 โผ
๐ Read
via "National Vulnerability Database".
In onResume of VoicemailSettingsFragment.java, there is a possible way to retrieve a trackable identifier without permissions due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-10 Android-11 Android-8.1 Android-9Android ID: A-185126149๐ Read
via "National Vulnerability Database".
โผ CVE-2021-39242 โผ
๐ Read
via "National Vulnerability Database".
An issue was discovered in HAProxy 2.2 before 2.2.16, 2.3 before 2.3.13, and 2.4 before 2.4.3. It can lead to a situation with an attacker-controlled HTTP Host header, because a mismatch between Host and authority is mishandled.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-32830 โผ
๐ Read
via "National Vulnerability Database".
The @diez/generation npm package is a client for Diez. The locateFont method of @diez/generation has a command injection vulnerability. Clients of the @diez/generation library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability. This issue may lead to remote code execution if a client of the library calls the vulnerable method with untrusted input. All versions of this package are vulnerable as of the writing of this CVE.๐ Read
via "National Vulnerability Database".
โผ CVE-2021-0573 โผ
๐ Read
via "National Vulnerability Database".
In asf extractor, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android SoCAndroid ID: A-187231635๐ Read
via "National Vulnerability Database".
โผ CVE-2021-22156 โผ
๐ Read
via "National Vulnerability Database".
An integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerryรยฎ QNX Software Development Platform (SDP) version(s) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could allow an attacker to potentially perform a denial of service or execute arbitrary code.๐ Read
via "National Vulnerability Database".