‼ CVE-2021-33362 ‼
📖 Read
via "National Vulnerability Database".
Stack buffer overflow in the hevc_parse_vps_extension function in MP4Box in GPAC 1.0.1 allows attackers to cause a denial of service or execute arbitrary code via a crafted file.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24724 ‼
📖 Read
via "National Vulnerability Database".
The Timetable and Event Schedule by MotoPress WordPress plugin before 2.3.19 does not sanitise some of its parameters, which could allow low privilege users such as author to perform XSS attacks against frontend and backend users when viewing the related event/s📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24431 ‼
📖 Read
via "National Vulnerability Database".
The Language Bar Flags WordPress plugin through 1.0.8 does not have any CSRF in place when saving its settings and did not sanitise or escape them when generating the flag bar in the frontend. This could allow attackers to make a logged in admin change the settings, and set Cross-Site Scripting payload in them, which will be executed in the frontend for all users📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40824 ‼
📖 Read
via "National Vulnerability Database".
A logic error in the room key sharing functionality of Element Android before 1.2.2 and matrix-android-sdk2 (aka Matrix SDK for Android) before 1.2.2 leads to a situation where identity verification is inadequate and thus a key-requesting device can be impersonated.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-32138 ‼
📖 Read
via "National Vulnerability Database".
The DumpTrackInfo function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33365 ‼
📖 Read
via "National Vulnerability Database".
Memory leak in the gf_isom_get_root_od function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33363 ‼
📖 Read
via "National Vulnerability Database".
Memory leak in the infe_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33361 ‼
📖 Read
via "National Vulnerability Database".
Memory leak in the afra_box_read function in MP4Box in GPAC 1.0.1 allows attackers to read memory via a crafted file.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-32139 ‼
📖 Read
via "National Vulnerability Database".
The gf_isom_vp_config_get function in GPAC 1.0.1 allows attackers to cause a denial of service (NULL pointer dereference) via a crafted file in the MP4Box command.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41054 ‼
📖 Read
via "National Vulnerability Database".
tftpd_file.c in atftp through 0.7.4 has a buffer overflow because buffer-size handling does not properly consider the combination of data, OACK, and other options.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41033 ‼
📖 Read
via "National Vulnerability Database".
In all released versions of Eclipse Equinox, at least until version 4.21 (September 2021), installation can be vulnerable to man-in-the-middle attack if using p2 repos that are HTTP; that can then be exploited to serve incorrect p2 metadata and entirely alter the local installation, particularly by installing plug-ins that may then run malicious code.📖 Read
via "National Vulnerability Database".
❌ Apple Issues Emergency Fix for NSO Zero-Click Zero Day ❌
📖 Read
via "Threat Post".
Citizen Lab urges Apple users to update immediately. The new zero-click zero-day ForcedEntry flaw affects all things Apple: iPhones, iPads, Macs and Watches.📖 Read
via "Threat Post".
Threat Post
Apple Issues Emergency Fix for NSO Zero-Click Zero Day
Citizen Lab urges Apple users to update immediately. The new zero-click zero-day ForcedEntry flaw affects all things Apple: iPhones, iPads, Macs and Watches.
‼ CVE-2020-20671 ‼
📖 Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) in KiteCMS V1.1 allows attackers to arbitrarily add an administrator account.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-20672 ‼
📖 Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in /admin/upload/uploadfile of KiteCMS V1.1 allows attackers to getshell via a crafted PHP file.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-20670 ‼
📖 Read
via "National Vulnerability Database".
An arbitrary file upload vulnerability in /admin/media/upload of ZKEACMS V3.2.0 allows attackers to execute arbitrary code via a crafted HTML file.📖 Read
via "National Vulnerability Database".
⚠ Apple products vulnerable to FORCEDENTRY zero-day attack – patch now! ⚠
📖 Read
via "Naked Security".
Double trouble: two zero-days, patched in the same emergency update. So please don't delay - patch today!📖 Read
via "Naked Security".
Sophos News
Naked Security – Sophos News
‼ CVE-2021-41072 ‼
📖 Read
via "National Vulnerability Database".
squashfs_opendir in unsquash-2.c in Squashfs-Tools 4.5 allows Directory Traversal, a different vulnerability than CVE-2021-40153. A squashfs filesystem that has been crafted to include a symbolic link and then contents under the same filename in a filesystem can cause unsquashfs to first create the symbolic link pointing outside the expected directory, and then the subsequent write operation will cause the unsquashfs process to write through the symbolic link elsewhere in the filesystem.📖 Read
via "National Vulnerability Database".
❌ BlackMatter Ransomware Hits Japanese Tech Giant Olympus ❌
📖 Read
via "Threat Post".
The incident that occurred Sept. 8 and affected its EMEA IT systems seems to signal a return to business as usual for ransomware groups.📖 Read
via "Threat Post".
Threat Post
BlackMatter Ransomware Hits Japanese Tech Giant Olympus
The incident that occurred Sept. 8 and affected its EMEA IT systems seems to signal a return to business as usual for ransomware groups.
‼ CVE-2021-37183 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.0 SP2). The affected software allows sending send-to-sleep notifications to the managed devices. An unauthenticated attacker in the same network of the affected system can abuse these notifications to cause a Denial-of-Service condition in the managed devices.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33719 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability has been identified in SIPROTEC 5 relays with CPU variants CP050 (All versions < V8.80), SIPROTEC 5 relays with CPU variants CP100 (All versions < V8.80), SIPROTEC 5 relays with CPU variants CP200 (All versions), SIPROTEC 5 relays with CPU variants CP300 (All versions < V8.80). Specially crafted packets sent to port 4443/tcp could cause a Denial-of-Service condition or potential remote code execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37201 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP1). The web interface of affected devices is vulnerable to a Cross-Site Request Forgery (CSRF) attack. This could allow an attacker to manipulate the SINEC NMS configuration by tricking an unsuspecting user with administrative privileges to click on a malicious link.📖 Read
via "National Vulnerability Database".