‼ CVE-2021-29853 ‼
📖 Read
via "National Vulnerability Database".
IBM Planning Analytics 2.0 could expose information that could be used to to create attacks by not validating the return values from some methods or functions. IBM X-Force ID: 205529.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29852 ‼
📖 Read
via "National Vulnerability Database".
IBM Planning Analytics 2.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205528.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40385 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the server software in Kaseya Unitrends Backup Software before 10.5.5-2. There is a privilege escalation from read-only user to admin.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-20340 ‼
📖 Read
via "National Vulnerability Database".
A SQL injection vulnerability in the 4.edu.php\conn\function.php component of S-CMS v1.0 allows attackers to access sensitive database information.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39181 ‼
📖 Read
via "National Vulnerability Database".
OpenOlat is a web-based learning management system (LMS). Prior to version 15.3.18, 15.5.3, and 16.0.0, using a prepared import XML file (e.g. a course) any class on the Java classpath can be instantiated, including spring AOP bean factories. This can be used to execute code arbitrary code by the attacker. The attack requires an OpenOlat user account with the authoring role. It can not be exploited by unregistered users. The problem is fixed in versions 15.3.18, 15.5.3, and 16.0.0. There are no known workarounds aside from upgrading.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39186 ‼
📖 Read
via "National Vulnerability Database".
GlobalNewFiles is a package in Miraheze, a wiki hosting service. Prior to commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, the username column of the GlobalNewFiles special page is vulnerable to a stored XSS. Commit number cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d contains a patch. As a workaround, one may disallow <,> (or other characters required to insert html/js) from being used in account names so an XSS is not possible.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39185 ‼
📖 Read
via "National Vulnerability Database".
Http4s is a minimal, idiomatic Scala interface for HTTP services. In http4s versions 0.21.26 and prior, 0.22.0 through 0.22.2, 0.23.0, 0.23.1, and 1.0.0-M1 through 1.0.0-M24, the default CORS configuration is vulnerable to an origin reflection attack. The middleware is also susceptible to a Null Origin Attack. The problem is fixed in 0.21.27, 0.22.3, 0.23.2, and 1.0.0-M25. The original `CORS` implementation and `CORSConfig` are deprecated. See the GitHub GHSA for more information, including code examples and workarounds.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-20341 ‼
📖 Read
via "National Vulnerability Database".
YzmCMS v5.5 contains a server-side request forgery (SSRF) in the grab_image() function.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40387 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the server software in Kaseya Unitrends Backup Software before 10.5.5-2. There is authenticated remote code execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34733 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the CLI of Cisco Prime Infrastructure and Cisco Evolved Programmable Network (EPN) Manager could allow an authenticated, local attacker to access sensitive information stored on the underlying file system of an affected system. This vulnerability exists because sensitive information is not sufficiently secured when it is stored. An attacker could exploit this vulnerability by gaining unauthorized access to sensitive information on an affected system. A successful exploit could allow the attacker to create forged authentication requests and gain unauthorized access to the affected system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34759 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an authenticated, remote attacker with administrative credentials to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker would need valid administrative credentials.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-31797 ‼
📖 Read
via "National Vulnerability Database".
The user identification mechanism used by CyberArk Credential Provider prior to 12.1 is susceptible to a local host race condition, leading to password disclosure.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34746 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the TACACS+ authentication, authorization and accounting (AAA) feature of Cisco Enterprise NFV Infrastructure Software (NFVIS) could allow an unauthenticated, remote attacker to bypass authentication and log in to an affected device as an administrator. This vulnerability is due to incomplete validation of user-supplied input that is passed to an authentication script. An attacker could exploit this vulnerability by injecting parameters into an authentication request. A successful exploit could allow the attacker to bypass authentication and log in as an administrator to the affected device.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-31798 ‼
📖 Read
via "National Vulnerability Database".
The effective key space used to encrypt the cache in CyberArk Credential Provider prior to 12.1 has low entropy, and under certain conditions a local malicious user can obtain the plaintext of cache files.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-31796 ‼
📖 Read
via "National Vulnerability Database".
An inadequate encryption vulnerability discovered in CyberArk Credential Provider before 12.1 may lead to Information Disclosure. An attacker may realistically have enough information that the number of possible keys (for a credential file) is only one, and the number is usually not higher than 2^36.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34765 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web UI for Cisco Nexus Insights could allow an authenticated, remote attacker to view and download files related to the web application. The attacker requires valid device credentials. This vulnerability exists because proper role-based access control (RBAC) filters are not applied to file download actions. An attacker could exploit this vulnerability by logging in to the application and then navigating to the directory listing and download functions. A successful exploit could allow the attacker to download sensitive files that should be restricted, which could result in disclosure of sensitive information.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34732 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Prime Collaboration Provisioning could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information.📖 Read
via "National Vulnerability Database".
❌ Digital State IDs Start Rollouts Despite Privacy Concerns ❌
📖 Read
via "Threat Post".
Eight states are introducing drivers licenses and identification cards available for use on Apple iPhones and Watches, but critics warn about the dangers of eliminating the use of a paper-based system entirely.📖 Read
via "Threat Post".
Threat Post
Digital State IDs Start Rollouts Despite Privacy Concerns
Eight states are introducing drivers licenses and identification cards available for use on Apple iPhones and Watches, but critics warn about the dangers of eliminating the use of a paper-based system entirely.
❌ WhatsApp Photo Filter Bug Allows Sensitive Info to Be Lifted ❌
📖 Read
via "Threat Post".
Users should be careful whose pics they view and should, of course, update their apps.📖 Read
via "Threat Post".
Threat Post
WhatsApp Photo Filter Bug Allows Sensitive Info to Be Lifted
Users should be careful whose pics they view and should, of course, update their apps.
❌ 7 Ways to Defend Mobile Apps, APIs from Cyberattacks ❌
📖 Read
via "Threat Post".
David Stewart, CEO, Approov, discusses the top mobile attack routes the bad guys use and the best defenses organizations can deploy against them.📖 Read
via "Threat Post".
Threat Post
7 Ways to Defend Mobile Apps, APIs from Cyberattacks
David Stewart, CEO, Approov, discusses the top mobile attack routes the bad guys use and the best defenses organizations can deploy against them.
‼ CVE-2021-3757 ‼
📖 Read
via "National Vulnerability Database".
immer is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')📖 Read
via "National Vulnerability Database".