‼ CVE-2021-37535 ‼
📖 Read
via "National Vulnerability Database".
SAP NetWeaver Application Server Java (JMS Connector Service) - versions 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not perform necessary authorization checks for user privileges.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-23053 ‼
📖 Read
via "National Vulnerability Database".
On version 15.1.x before 15.1.3, 14.1.x before 14.1.3.1, and 13.1.x before 13.1.3.6, when the brute force protection feature of BIG-IP Advanced WAF or BIG-IP ASM is enabled on a virtual server and the virtual server is under brute force attack, the MySQL database may run out of disk space due to lack of row limit on undisclosed tables in the MYSQL database. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33688 ‼
📖 Read
via "National Vulnerability Database".
SAP Business One allows an attacker with business privileges to execute crafted database queries, exposing the back-end database. Due to framework restrictions, only some information can be obtained.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38162 ‼
📖 Read
via "National Vulnerability Database".
SAP Web Dispatcher versions - 7.49, 7.53, 7.77, 7.81, KRNL64NUC - 7.22, 7.22EXT, 7.49, KRNL64UC -7.22, 7.22EXT, 7.49, 7.53, KERNEL - 7.22, 7.49, 7.53, 7.77, 7.81, 7.83 processes allow an unauthenticated attacker to submit a malicious crafted request over a network to a front-end server which may, over several attempts, result in a back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload which can be used to read or modify any information on the server or consume server resources making it temporarily unavailable.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33685 ‼
📖 Read
via "National Vulnerability Database".
SAP Business One version - 10.0 allows low-level authorized attacker to traverse the file system to access files or directories that are outside of the restricted directory. A successful attack allows access to high level sensitive data📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38164 ‼
📖 Read
via "National Vulnerability Database".
SAP ERP Financial Accounting (RFOPENPOSTING_FR) versions - SAP_APPL - 600, 602, 603, 604, 605, 606, 616, SAP_FIN - 617, 618, 700, 720, 730, SAPSCORE - 125, S4CORE, 100, 101, 102, 103, 104, 105, allows a registered attacker to invoke certain functions that would otherwise be restricted to specific users. These functions are normally exposed over the network and once exploited the attacker may be able to view and modify financial accounting data that only a specific user should have access to.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38177 ‼
📖 Read
via "National Vulnerability Database".
SAP CommonCryptoLib version 8.5.38 or lower is vulnerable to null pointer dereference vulnerability when an unauthenticated attacker sends crafted malicious data in the HTTP requests over the network, this causes the SAP application to crash and has high impact on the availability of the SAP system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-33679 ‼
📖 Read
via "National Vulnerability Database".
The SAP BusinessObjects BI Platform version - 420 allows an attacker, who has basic access to the application, to inject a malicious script while creating a new module document, file, or folder. When another user visits that page, the stored malicious script will execute in their session, hence allowing the attacker to compromise their confidentiality and integrity.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38150 ‼
📖 Read
via "National Vulnerability Database".
When an attacker manages to get access to the local memory, or the memory dump of a victim, for example by a social engineering attack, SAP Business Client versions - 7.0, 7.70, will allow him to read extremely sensitive data, such as credentials. This would allow the attacker to compromise the corresponding backend for which the credentials are valid.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-23049 ‼
📖 Read
via "National Vulnerability Database".
On BIG-IP version 16.0.x before 16.0.1.2 and 15.1.x before 15.1.3, when the iRules RESOLVER::summarize command is used on a virtual server, undisclosed requests can cause an increase in Traffic Management Microkernel (TMM) memory utilization resulting in an out-of-memory condition and a denial-of-service (DoS). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38176 ‼
📖 Read
via "National Vulnerability Database".
Due to improper input sanitization, an authenticated user with certain specific privileges can remotely call NZDT function modules listed in Solution Section to execute manipulated query to gain access to Backend Database. On successful exploitation the threat actor could completely compromise confidentiality, integrity, and availability of the system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-37531 ‼
📖 Read
via "National Vulnerability Database".
SAP NetWeaver Knowledge Management XML Forms versions - 7.10, 7.11, 7.30, 7.31, 7.40, 7.50, contains an XSLT vulnerability which allows a non-administrative authenticated attacker to craft a malicious XSL stylesheet file containing a script with OS-level commands, copy it into a location to be accessed by the system and then create a file which will trigger the XSLT engine to execute the script contained within the malicious XSL file. This can result in a full compromise of the confidentiality, integrity, and availability of the system.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21489 ‼
📖 Read
via "National Vulnerability Database".
SAP NetWeaver Enterprise Portal versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, does not sufficiently encode user related data, resulting in Stored Cross-Site Scripting (XSS) vulnerability. This would allow an attacker with administrative privileges to store a malicious script on the portal. The execution of the script content by a victim registered on the portal could compromise the confidentiality and integrity of portal content.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38174 ‼
📖 Read
via "National Vulnerability Database".
When a user opens manipulated files received from untrusted sources in SAP 3D Visual Enterprise Viewer version - 9, the application crashes and becomes temporarily unavailable to the user until restart of the application.📖 Read
via "National Vulnerability Database".
🗓️ Speer review: Researchers pick apart Node.js communication app 🗓️
📖 Read
via "The Daily Swig".
Email content injection flaws chained to bypass security controls📖 Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Speer review: Researchers pick apart Node.js communication app
Email content injection flaws chained to bypass security controls
❌ Pair of Google Chrome Zero-Day Bugs Actively Exploited ❌
📖 Read
via "Threat Post".
The security vulnerabilities bring the web behemoth up to 10 browser zero-days found so far this year.📖 Read
via "Threat Post".
Threat Post
Pair of Google Chrome Zero-Day Bugs Actively Exploited
The security vulnerabilities bring the web behemoth up to 10 browser zero-days found so far this year.
‼ CVE-2021-23043 ‼
📖 Read
via "National Vulnerability Database".
On BIG-IP, on all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a directory traversal vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to access arbitrary files. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-23040 ‼
📖 Read
via "National Vulnerability Database".
On BIG-IP AFM version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a SQL injection vulnerability exists in an undisclosed page of the BIG-IP Configuration utility. This issue is exposed only when BIG-IP AFM is provisioned. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-23041 ‼
📖 Read
via "National Vulnerability Database".
On BIG-IP version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.2, 13.1.x before 13.1.4.1, and all versions of 12.1.x, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the current logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-23047 ‼
📖 Read
via "National Vulnerability Database".
On version 16.x before 16.1.0, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, and all versions of 13.1.x, 12.1.x and 11.6.x, when BIG-IP APM performs Online Certificate Status Protocol (OCSP) verification of a certificate that contains Authority Information Access (AIA), undisclosed requests may cause an increase in memory use. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29841 ‼
📖 Read
via "National Vulnerability Database".
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 205045.📖 Read
via "National Vulnerability Database".