🦿 Apple releases emergency patch to protect all devices against Pegasus spyware 🦿
📖 Read
via "Tech Republic".
Designed to combat zero-day flaws exploited in Apple's operating systems, the patch applies to the iPhone, iPad, Apple Watch and Mac.📖 Read
via "Tech Republic".
‼ CVE-2021-33674 ‼
📖 Read
via "National Vulnerability Database".
Under certain conditions, SAP Contact Center - version 700, does not sufficiently encode user-controlled inputs. This allows an attacker to exploit a Reflected Cross-Site Scripting (XSS) vulnerability when creating a new email and to execute arbitrary code on the victim's browser.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-36582 ‼
📖 Read
via "National Vulnerability Database".
In Kooboo CMS 2.1.1.0, it is possible to upload a remote shell (e.g., aspx) to the server and then call upon it to receive a reverse shell from the victim server. The files are uploaded to /Content/Template/root/reverse-shell.aspx and can be simply triggered by browsing that URL.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38163 ‼
📖 Read
via "National Vulnerability Database".
SAP NetWeaver (Visual Composer 7.0 RT) versions - 7.30, 7.31, 7.40, 7.50, without restriction, an attacker authenticated as a non-administrative user can upload a malicious file over a network and trigger its processing, which is capable of running operating system commands with the privilege of the Java Server process. These commands can be used to read or modify any information on the server or shut the server down making it unavailable.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38175 ‼
📖 Read
via "National Vulnerability Database".
SAP Analysis for Microsoft Office - version 2.8, allows an attacker with high privileges to read sensitive data over the network, and gather or change information in the current system without user interaction. The attack would not lead to an impact on the availability of the system, but there would be an impact on integrity and confidentiality.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33686 ‼
📖 Read
via "National Vulnerability Database".
Under certain conditions, SAP Business One version - 10.0, allows an unauthorized attacker to get access to some encrypted sensitive information, but does not have control over kind or degree.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37532 ‼
📖 Read
via "National Vulnerability Database".
SAP Business One version - 10, due to improper input validation, allows an authenticated User to gain access to directory and view the contents of index in the directory, which would otherwise be restricted to high privileged User.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37535 ‼
📖 Read
via "National Vulnerability Database".
SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-23053 ‼
📖 Read
via "National Vulnerability Database".
On version 15.1.x before 15.1.3, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6, when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33688 ‼
📖 Read
via "National Vulnerability Database".
SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38162 ‼
📖 Read
via "National Vulnerability Database".
SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify any information on the server or consume server resources making it temporarily unavailable.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33685 ‼
📖 Read
via "National Vulnerability Database".
SAP Business One version - 10.0 allows low-level authorized attacker to traverse the file system to access files or directories that are outside of the restricted directory. A successful attack allows access to high level sensitive data📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38164 ‼
📖 Read
via "National Vulnerability Database".
SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38177 ‼
📖 Read
via "National Vulnerability Database".
SAP CommonCryptoLib version 8.5.38 or lower is vulnerable to null pointer dereference vulnerability when an unauthenticated attacker sends crafted malicious data in the HTTP requests over the network, this causes the SAP application to crash and has high impact on the availability of the SAP system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33679 ‼
📖 Read
via "National Vulnerability Database".
The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in their session, hence allowing the attacker to compromise their confidentiality and integrity.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38150 ‼
📖 Read
via "National Vulnerability Database".
When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-23049 ‼
📖 Read
via "National Vulnerability Database".
On BIG-IP version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3, when the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38176 ‼
📖 Read
via "National Vulnerability Database".
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37531 ‼
📖 Read
via "National Vulnerability Database".
SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. This can result in a full compromise of the confidentiality, integrity, and availability of the system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21489 ‼
📖 Read
via "National Vulnerability Database".
SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious script on the portal. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of portal content.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38174 ‼
📖 Read
via "National Vulnerability Database".
When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer version - 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.📖 Read
via "National Vulnerability Database".