βΌ CVE-2021-38355 βΌ
π Read
via "National Vulnerability Database".
The Bug Library WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the successimportcount parameter found in the ~/bug-library.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 2.0.3.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38331 βΌ
π Read
via "National Vulnerability Database".
The WP-T-Wap WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the posted parameter found in the ~/wap/writer.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.13.2.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38333 βΌ
π Read
via "National Vulnerability Database".
The WP Scrippets WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/wp-scrippets.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.1.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38336 βΌ
π Read
via "National Vulnerability Database".
The Edit Comments XT WordPress plugin is vulnerable to Reflected Cross-Site Scripting due to a reflected $_SERVER["PHP_SELF"] value in the ~/edit-comments-xt.php file which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.π Read
via "National Vulnerability Database".
π Friday Five 9/10 π
π Read
via "".
The latest Windows zero day, ProtonMail under fire, and creating a more diverse cybersecurity workforce - catch up on the infosec news of the week with the Friday Five!π Read
via "".
Digital Guardian
Friday Five 9/10
The latest Windows zero day, ProtonMail under fire, and creating a more diverse cybersecurity workforce - catch up on the infosec news of the week with the Friday Five!
π¦Ώ Remote cybersecurity concerns and labor shortages are front and center in a new small business report π¦Ώ
π Read
via "Tech Republic".
Despite economic optimism, many companies are concerned about the impacts of the coronavirus pandemic and have temporarily closed as they adapt to new tech tools and work models.π Read
via "Tech Republic".
TechRepublic
Remote cybersecurity concerns and labor shortages are front and center in a new small business report
Despite economic optimism, many companies are concerned about the impacts of the coronavirus pandemic and have temporarily closed as they adapt to new tech tools and work models.
ποΈ VMware denies allegations it leaked Confluence RCE exploit ποΈ
π Read
via "The Daily Swig".
βIdenticalβ payload removed from GitHub after researcherβs complaintsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
VMware denies allegations it leaked Confluence RCE exploit
βIdenticalβ payload removed from GitHub after researcherβs complaints
β Yandex Pummeled by Potent Meris DDoS Botnet β
π Read
via "Threat Post".
Record-breaking distributed denial of service attack targets Russiaβs version of Google - Yandex.π Read
via "Threat Post".
Threat Post
Yandex Pummeled by Potent Meris DDoS Botnet
Record-breaking distributed denial of service attack targets Russiaβs version of Google - Yandex.
βΌ CVE-2021-37422 βΌ
π Read
via "National Vulnerability Database".
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.π Read
via "National Vulnerability Database".
βοΈ KrebsOnSecurity Hit By Huge New IoT Botnet βMerisβ βοΈ
π Read
via "Krebs on Security".
On Thursday evening, KrebsOnSecurity was the subject of a rather massive (and mercifully brief) distributed denial-of-service (DDoS) attack. The assault came from "Meris," the same new "Internet of Things" (IoT) botnet behind record-shattering attacks against Russian search giant Yandex this week and internet infrastructure firm Cloudflare earlier this summer.π Read
via "Krebs on Security".
Krebs on Security
KrebsOnSecurity Hit By Huge New IoT Botnet βMerisβ
On Thursday evening, KrebsOnSecurity was the subject of a rather massive (and mercifully brief) distributed denial-of-service (DDoS) attack. The assault came from "Meris," the same new "Internet of Things" (IoT) botnet behind record-shattering attacks againstβ¦
π¦Ώ Your voiceprint could be your new password as companies look to increase security for remote workers π¦Ώ
π Read
via "Tech Republic".
Biometrics are moving beyond banks and joining fingerprints and faceprints as a way to confirm employee and customer identities.π Read
via "Tech Republic".
TechRepublic
Your voiceprint could be your new password as companies look to increase security for remote workers
Biometrics are moving beyond banks and joining fingerprints and faceprints as a way to confirm employee and customer identities.
β Top Steps for Ransomware Recovery and Preparation β
π Read
via "Threat Post".
Alex Restrepo, Virtual Data Center Solutions at Veritas Technologies, discusses post-attack restoration options, and how to prepare for another one in the future.π Read
via "Threat Post".
Threat Post
Top Steps for Ransomware Recovery and Preparation
Alex Restrepo, Virtual Data Center Solutions at Veritas Technologies, discusses post-attack restoration options, and how to prepare for another one in the future.
β MyRepublic Data Breach Raises Data-Protection Questions β
π Read
via "Threat Post".
The incident raises considerations for security for critical data housed in third-party infrastructure, researchers say.π Read
via "Threat Post".
Threat Post
MyRepublic Data Breach Raises Data-Protection Questions
The incident raises considerations for security for critical data housed in third-party infrastructure, researchers say.
βΌ CVE-2021-3145 βΌ
π Read
via "National Vulnerability Database".
In Ionic Identity Vault before 5, a local root attacker on an Android device can bypass biometric authentication.π Read
via "National Vulnerability Database".
βΌ CVE-2021-40864 βΌ
π Read
via "National Vulnerability Database".
The Translate plugin 6.1.x through 6.3.x before 6.3.0.72 for ONLYOFFICE Document Server lacks escape calls for the msg.data and text fields.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3646 βΌ
π Read
via "National Vulnerability Database".
btcpayserver is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')π Read
via "National Vulnerability Database".
βΌ CVE-2021-40347 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in views/list.py in GNU Mailman Postorius before 1.3.5. An attacker (logged into any account) can send a crafted POST request to unsubscribe any user from a mailing list, also revealing whether that address was subscribed in the first place.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39207 βΌ
π Read
via "National Vulnerability Database".
parlai is a framework for training and evaluating AI models on a variety of openly available dialogue datasets. In affected versions the package is vulnerable to YAML deserialization attack caused by unsafe loading which leads to Arbitary code execution. This security bug is patched by avoiding unsafe loader users should update to version above v1.1.0. If upgrading is not possible then users can change the Loader used to SafeLoader as a workaround. See commit 507d066ef432ea27d3e201da08009872a2f37725 for details.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24040 βΌ
π Read
via "National Vulnerability Database".
Due to use of unsafe YAML deserialization logic, an attacker with the ability to modify local YAML configuration files could provide malicious input, resulting in remote code execution or similar risks. This issue affects ParlAI prior to v1.1.0.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38555 βΌ
π Read
via "National Vulnerability Database".
An XML external entity (XXE) injection vulnerability was discovered in the Any23 StreamUtils.java file and is known to affect Any23 versions < 2.5. XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.π Read
via "National Vulnerability Database".
βΌ CVE-2021-40146 βΌ
π Read
via "National Vulnerability Database".
A Remote Code Execution (RCE) vulnerability was discovered in the Any23 YAMLExtractor.java file and is known to affect Any23 versions < 2.5. RCE vulnerabilities allow a malicious actor to execute any code of their choice on a remote machine over LAN, WAN, or internet. RCE belongs to the broader class of arbitrary code execution (ACE) vulnerabilities.π Read
via "National Vulnerability Database".