‼ CVE-2021-36691 ‼
📖 Read
via "National Vulnerability Database".
libjxl v0.5.0 is affected by a Assertion failed issue in lib/jxl/image.cc jxl::PlaneBase::PlaneBase(). When encoding a malicous GIF file using cjxl, an attacker can trigger a denial of service.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39133 ‼
📖 Read
via "National Vulnerability Database".
Rundeck is an open source automation service with a web console, command line tools and a WebAPI. Prior to version 3.3.14 and version 3.4.3, a user with `admin` access to the `system` resource type is potentially vulnerable to a CSRF attack that could cause the server to run untrusted code on all Rundeck editions. Patches are available in Rundeck versions 3.4.3 and 3.3.14.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-27558 ‼
📖 Read
via "National Vulnerability Database".
A cross site scripting (XSS) issue in EasyCorp ZenTao 12.5.3 allows remote attackers to execute arbitrary web script via various areas such as data-link-creator.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-13639 ‼
📖 Read
via "National Vulnerability Database".
A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback content into /ECT_Provider/, such that when the content is viewed (it can only be viewed by Administrators), attacker-controlled JavaScript will execute in the security context of an administrator's browser. This is fixed in Outsystems 10.0.1005.2, Outsystems 11.9.0 Platform Server, and Outsystems 11.7.0 LifeTime Management Console.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39178 ‼
📖 Read
via "National Vulnerability Database".
Next.js is a React framework. Versions of Next.js between 10.0.0 and 11.0.0 contain a cross-site scripting vulnerability. In order for an instance to be affected by the vulnerability, the `next.config.js` file must have `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default or the instance is deployed on Vercel, the instance is not affected by the vulnerability. The vulnerability is patched in Next.js version 11.1.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-36981 ‼
📖 Read
via "National Vulnerability Database".
In the server in SerNet verinice before 1.22.2, insecure Java deserialization allows remote authenticated attackers to execute arbitrary code.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-27557 ‼
📖 Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) vulnerability in the Cron job tab in EasyCorp ZenTao 12.5.3 allows attackers to update the fields of a Cron job.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40330 ‼
📖 Read
via "National Vulnerability Database".
git_connect_git in connect.c in Git before 2.30.1 allows a repository path to contain a newline character, which may result in unexpected cross-protocol requests, as demonstrated by the git://localhost:1234/%0d%0a%0d%0aGET%20/%20HTTP/1.1 substring.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-27556 ‼
📖 Read
via "National Vulnerability Database".
The Cron job tab in EasyCorp ZenTao 12.5.3 allows remote attackers (who have admin access) to execute arbitrary code by setting the type parameter to System.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-36356 ‼
📖 Read
via "National Vulnerability Database".
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames (even though browseSystemFiles.php is no longer reachable via the GUI). NOTE: this issue exists because of an incomplete fix for CVE-2019-17124.📖 Read
via "National Vulnerability Database".
❌ LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection ❌
📖 Read
via "Threat Post".
Researchers from Sophos discovered the emerging threat in July, which exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems.📖 Read
via "Threat Post".
Threat Post
LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection
Researchers from Sophos discovered the emerging threat in July, which exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems.
🦿 Cybercriminals are holding schools ransom for billions and some are paying up 🦿
📖 Read
via "Tech Republic".
A new report highlights the financial costs of school ransomware, days lost to downtime and the number of students impacted, as these incidents become a steady source of criminal income.📖 Read
via "Tech Republic".
TechRepublic
Cybercriminals are holding schools ransom for billions and some are paying up
A new report highlights the financial costs of school ransomware, days lost to downtime and the number of students impacted, as these incidents become a steady source of criminal income.
‼ CVE-2021-34578 ‼
📖 Read
via "National Vulnerability Database".
This vulnerability allows an attacker who has access to the WBM to read and write settings-parameters of the device by sending specifically constructed requests without authentication on multiple WAGO PLCs in firmware versions up to FW07.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34559 ‼
📖 Read
via "National Vulnerability Database".
In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.8 a vulnerability may allow remote attackers to rewrite links and URLs in cached pages to arbitrary strings.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33555 ‼
📖 Read
via "National Vulnerability Database".
In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.7 the filename parameter is vulnerable to unauthenticated path traversal attacks, enabling read access to arbitrary files on the server.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34565 ‼
📖 Read
via "National Vulnerability Database".
In PEPPERL+FUCHS WirelessHART-Gateway 3.0.7 to 3.0.9 the SSH and telnet services are active with hard-coded credentials.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34560 ‼
📖 Read
via "National Vulnerability Database".
In PEPPERL+FUCHS WirelessHART-Gateway <= 3.0.9 a form contains a password field with autocomplete enabled. The stored credentials can be captured by an attacker who gains control over the user's computer. Therefore the user must have logged in at least once.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34562 ‼
📖 Read
via "National Vulnerability Database".
In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 it is possible to inject arbitrary JavaScript into the application's response.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3749 ‼
📖 Read
via "National Vulnerability Database".
axios is vulnerable to Inefficient Regular Expression Complexity📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34564 ‼
📖 Read
via "National Vulnerability Database".
Any cookie-stealing vulnerabilities within the application or browser would enable an attacker to steal the user's credentials to the PEPPERL+FUCHS WirelessHART-Gateway 3.0.9.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34563 ‼
📖 Read
via "National Vulnerability Database".
In PEPPERL+FUCHS WirelessHART-Gateway 3.0.8 and 3.0.9 the HttpOnly attribute is not set on a cookie. This allows the cookie's value to be read or set by client-side JavaScript.📖 Read
via "National Vulnerability Database".