🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2020-19669 ‼

Cross Site Request Forgery (CSRF) vulnerability exists in Eyoucms 1.3.6 that can add an admin account via /login.php?m=admin&c=Admin&a=admin_add&lang=cn.

via "National Vulnerability Database".
‼ CVE-2020-22122 ‼

A SQL injection vulnerability in /oa.php?c=Staff&a=read of Find a Place LJCMS v 1.3 allows attackers to access sensitive database information via a crafted POST request.

via "National Vulnerability Database".
🦿 Expert: Cyberattacks in the energy sector put lives in danger 🦿

Zero-trust is a good way to prevent hackers from gaining control of our infrastructure and energy industries, expert says.

via "Tech Republic".
‼ CVE-2021-34745 ‼

A vulnerability in the AppDynamics .NET Agent for Windows could allow an attacker to leverage an authenticated, local user account to gain SYSTEM privileges. This vulnerability is due to the .NET Agent Coordinator Service executing code with SYSTEM privileges. An attacker with local access to a device that is running the vulnerable agent could create a custom process that would be launched with those SYSTEM privileges. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system. This vulnerability is fixed in AppDynamics .NET Agent Release 21.7.

via "National Vulnerability Database".
‼ CVE-2021-34730 ‼

A vulnerability in the Universal Plug-and-Play (UPnP) service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition. Cisco has not released software updates that address this vulnerability.

via "National Vulnerability Database".
‼ CVE-2021-34749 ‼

A vulnerability in Server Name Identification (SNI) request filtering of Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine could allow an unauthenticated, remote attacker to bypass filtering technology on an affected device and exfiltrate data from a compromised host. This vulnerability is due to inadequate filtering of the SSL handshake. An attacker could exploit this vulnerability by using data from the SSL client hello packet to communicate with an external server. A successful exploit could allow the attacker to execute a command-and-control attack on a compromised host and perform additional data exfiltration attacks.

via "National Vulnerability Database".
‼ CVE-2021-1561 ‼

A vulnerability in the spam quarantine feature of Cisco Secure Email and Web Manager, formerly Cisco Security Management Appliance (SMA), could allow an authenticated, remote attacker to gain unauthorized access and modify the spam quarantine settings of another user. This vulnerability exists because access to the spam quarantine feature is not properly restricted. An attacker could exploit this vulnerability by sending malicious requests to an affected system. A successful exploit could allow the attacker to modify another user's spam quarantine settings, possibly disabling security controls or viewing email messages stored on the spam quarantine interfaces.

via "National Vulnerability Database".
‼ CVE-2021-34715 ‼

A vulnerability in the image verification function of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute code with internal user privileges on the underlying operating system. The vulnerability is due to insufficient validation of the content of upgrade packages. An attacker could exploit this vulnerability by uploading a malicious archive to the Upgrade page of the administrative web interface. A successful exploit could allow the attacker to execute code with user-level privileges (the _nobody account) on the underlying operating system.

via "National Vulnerability Database".
‼ CVE-2021-34734 ‼

A vulnerability in the Link Layer Discovery Protocol (LLDP) implementation for the Cisco Video Surveillance 7000 Series IP Cameras firmware could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper management of memory resources, referred to as a double free. An attacker could exploit this vulnerability by sending crafted LLDP packets to an affected device. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. Note: LLDP is a Layer 2 protocol. To exploit these vulnerabilities, an attacker must be in the same broadcast domain as the affected device (Layer 2 adjacent).

via "National Vulnerability Database".
‼ CVE-2021-34716 ‼

A vulnerability in the web-based management interface of Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as the root user. This vulnerability is due to incorrect handling of certain crafted software images that are uploaded to the affected device. An attacker could exploit this vulnerability by authenticating to the system as an administrative user and then uploading specific crafted software images to the affected device. A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system as the root user.

via "National Vulnerability Database".
‼ CVE-2020-22345 ‼

/graphStatus/displayServiceStatus.php in Centreon 19.10.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the RRDdatabase_path parameter.

via "National Vulnerability Database".
⚠ S3 Ep46: Copyright scams, video snooping and Grand Theft Crypto [Podcast] ⚠

Latest episode - listen, laugh and learn! This week, Chester Wisniewski joins us on the show.

via "Naked Security".
‼ CVE-2021-31228 ‼

An issue was discovered in HCC embedded InterNiche 4.0.1. This vulnerability allows the attacker to predict a DNS query's source port in order to send forged DNS response packets that will be accepted as valid answers to the DNS client's requests (without sniffing the specific request). Data is predictable because it is based on the time of day, and has too few bits.

via "National Vulnerability Database".
‼ CVE-2021-31227 ‼

An issue was discovered in HCC embedded InterNiche 4.0.1. A potential heap buffer overflow exists in the code that parses the HTTP POST request, due to an incorrect signed integer comparison. This vulnerability requires the attacker to send a malformed HTTP packet with a negative Content-Length, which bypasses the size checks and results in a large heap overflow in the wbs_multidata buffer copy.

via "National Vulnerability Database".
‼ CVE-2021-31226 ‼

An issue was discovered in HCC embedded InterNiche 4.0.1. A potential heap buffer overflow exists in the code that parses the HTTP POST request, due to lack of size validation. This vulnerability requires the attacker to send a crafted HTTP POST request with a URI longer than 50 bytes. This leads to a heap overflow in wbs_post() via an strcpy() call.

via "National Vulnerability Database".
‼ CVE-2021-31400 ‼

An issue was discovered in tcp_pulloutofband() in tcp_in.c in HCC embedded InterNiche 4.0.1. The TCP out-of-band urgent-data processing function invokes a panic function if the pointer to the end of the out-of-band data points outside of the TCP segment's data. If the panic function hadn't a trap invocation removed, it will enter an infinite loop and therefore cause DoS (continuous loop or a device reset).

via "National Vulnerability Database".
🦿 Knockoff semiconductor chips flood the enterprise market 🦿

As the predominantly pandemic-caused global chip shortage rolls on, businesses are now facing another challenge — component scams and bogus supply-chain claims.

via "Tech Republic".
‼ CVE-2021-39273 ‼

In XeroSecurity Sn1per 9.0 (free version), insecure permissions (0777) are set upon application execution, allowing an unprivileged user to modify the application, modules, and configuration files. This leads to arbitrary code execution with root privileges.

via "National Vulnerability Database".
‼ CVE-2021-36762 ‼

An issue was discovered in HCC Embedded InterNiche NicheStack through 4.3. The tfshnd():tftpsrv.c TFTP packet processing function doesn't ensure that a filename is adequately '\0' terminated; therefore, a subsequent call to strlen for the filename might read out of bounds of the protocol packet buffer (if no '\0' byte exists within a reasonable range).

via "National Vulnerability Database".
‼ CVE-2020-35684 ‼

An issue was discovered in HCC Nichestack 3.0. The code that parses TCP packets relies on an unchecked value of the IP payload size (extracted from the IP header) to compute the length of the TCP payload within the TCP checksum computation function. When the IP payload size is set to be smaller than the size of the IP header, the TCP checksum computation function may read out of bounds (a low-impact write-out-of-bounds is also possible).

via "National Vulnerability Database".
‼ CVE-2021-27565 ‼

The web server in InterNiche NicheStack through 4.0.1 allows remote attackers to cause a denial of service (infinite loop and networking outage) via an unexpected valid HTTP request such as OPTIONS. This occurs because the HTTP request handler enters a miscoded wbs_loop() debugger hook.

via "National Vulnerability Database".