CVE-2021-32778
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In affected versions Envoy's procedure for resetting an HTTP/2 stream has O(N^2) complexity, leading to high CPU utilization when a large number of streams are reset. Deployments are susceptible to Denial of Service when Envoy is configured with a high limit on H/2 concurrent streams. An attacker wishing to exploit this vulnerability would require a client opening and closing a large number of H/2 streams. Envoy versions 1.19.1, 1.18.4, 1.17.4, 1.16.5 contain fixes to reduce the time complexity of resetting HTTP/2 streams. As a workaround users may limit the number of simultaneous HTTP/2 streams for upstream and downstream peers to a low number, e.g. 100.
via "National Vulnerability Database".
CVE-2021-31151
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by the CVE program. Notes: none.
via "National Vulnerability Database".
CVE-2020-18917
The plus/search.php component in DedeCMS 5.7 SP2 allows remote attackers to execute arbitrary PHP code via the typename parameter because the contents of typename.inc are under an attacker's control.
via "National Vulnerability Database".
CVE-2020-18913
EARCLINK ESPCMS-P8 was discovered to contain a SQL injection vulnerability in the espcms_web/Search.php component via the attr_array parameter. This vulnerability allows attackers to access sensitive database information.
via "National Vulnerability Database".
CVE-2021-39155
Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. According to [RFC 4343](https://datatracker.ietf.org/doc/html/rfc4343), Istio authorization policy should compare the hostname in the HTTP Host header in a case insensitive way, but currently the comparison is case sensitive. The proxy will route the request hostname in a case-insensitive way, which means the authorization policy could be bypassed. As an example, the user may have an authorization policy that rejects requests with hostname "httpbin.foo" for some source IPs, but the attacker can bypass this by sending the request with hostname "Httpbin.Foo". Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a workaround a Lua filter may be written to normalize the Host header before the authorization check. This is similar to the Path normalization presented in the [Security Best Practices](https://istio.io/latest/docs/ops/best-practices/security/#case-normalization) guide.
via "National Vulnerability Database".
CVE-2021-39156
Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio's URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a workaround a Lua filter may be written to normalize the path.
via "National Vulnerability Database".
California Man Hacked iCloud Accounts to Steal Nude Photos
Hao Kou Chi pleaded guilty to four felonies in a hacker-for-hire scam that used socially engineered emails to trick people out of their credentials.
via "Threat Post".
How safe is a quantum-safe virtual private network?
Verizon aims to find out by testing the technology, which is geared at enhancing encryption methods using session key exchange security mechanisms, the carrier said.
via "Tech Republic".
CVE-2021-33884
An Unrestricted Upload of File with Dangerous Type vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows remote attackers to upload any files to the /tmp directory of the device through the webpage API. This can result in critical files being overwritten.
via "National Vulnerability Database".
CVE-2021-33605
Improper check in CheckboxGroup in com.vaadin:vaadin-checkbox-flow versions 1.2.0 prior to 2.0.0 (Vaadin 12.0.0 prior to 14.0.0), 2.0.0 prior to 3.0.0 (Vaadin 14.0.0 prior to 14.5.0), 3.0.0 through 4.0.1 (Vaadin 15.0.0 through 17.0.11), 14.5.0 through 14.6.7 (Vaadin 14.5.0 through 14.6.7), and 18.0.0 through 20.0.5 (Vaadin 18.0.0 through 20.0.5) allows attackers to modify the value of a disabled Checkbox inside an enabled CheckboxGroup component via unspecified vectors.
via "National Vulnerability Database".
CVE-2021-33882
A Missing Authentication for Critical Function vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to reconfigure the device from an unknown source because of lack of authentication on proprietary networking commands.
via "National Vulnerability Database".
CVE-2021-33885
An Insufficient Verification of Data Authenticity vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to send the device malicious data that will be used in place of the correct data. This results in full system command access and execution because of the lack of cryptographic signatures on critical data sets.
via "National Vulnerability Database".
CVE-2021-33883
A Cleartext Transmission of Sensitive Information vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote attacker to obtain sensitive information by snooping on the network traffic. The exposed data includes critical values for a pump's internal configuration.
via "National Vulnerability Database".
CVE-2021-33886
An improper sanitization of input vulnerability in B. Braun SpaceCom2 prior to 012U000062 allows a remote unauthenticated attacker to gain user-level command-line access by passing a raw external string straight through to printf statements. The attacker is required to be on the same network as the device.
via "National Vulnerability Database".
I2P 1.5.0
I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.
via "Packet Storm Security".
US Media, Retailers Targeted by New SparklingGoblin APT
The new APT uses an undocumented backdoor to infiltrate the education, retail and government sectors.
via "Threat Post".
CVE-2018-10790
The AP4_CttsAtom class in Core/Ap4CttsAtom.cpp in Bento4 1.5.1.0 allows remote attackers to cause a denial of service (application crash), related to a memory allocation failure, as demonstrated by mp2aac.
via "National Vulnerability Database".
Win10 Admin Rights Tossed Off by Yet Another Plug-In
Then again, you don't even need the actual device (in this case, a SteelSeries peripheral), since emulation works just fine to launch with full SYSTEM rights.
via "Threat Post".
OnePercent Ransomware Group Has Hit US Companies Since November
The group, like other malicious campaigns of late, has been using Cobalt Strike to carry out ransomware attacks against companies.
via "Digital Guardian".
Kanye's upcoming album is a scam magnet, Kaspersky finds
"Donda" will be out Aug. 26, and scammers are taking advantage of fan anticipation by seeding the internet with malicious fake downloads.
via "Tech Republic".
CVE-2021-21869
An unsafe deserialization vulnerability exists in the Engine.plugin ProfileInformation ProfileData functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An attacker can provide a malicious file to trigger this vulnerability.
via "National Vulnerability Database".