βΌ CVE-2021-23033 βΌ
π Read
via "National Vulnerability Database".
On BIG-IP Advanced WAF and BIG-IP ASM version 16.x before 16.1.0x, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23031 βΌ
π Read
via "National Vulnerability Database".
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.4.1, 13.1.x before 13.1.4, 12.1.x before 12.1.6, and 11.6.x before 11.6.5.3, an authenticated user may perform a privilege escalation on the BIG-IP Advanced WAF and ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23035 βΌ
π Read
via "National Vulnerability Database".
On BIG-IP 14.1.x before 14.1.4.4, when an HTTP profile is configured on a virtual server, after a specific sequence of packets, chunked responses can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23034 βΌ
π Read
via "National Vulnerability Database".
On BIG-IP version 16.x before 16.1.0 and 15.1.x before 15.1.3.1, when a DNS profile using a DNS cache resolver is configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23039 βΌ
π Read
via "National Vulnerability Database".
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3, 14.1.x before 14.1.2.8, and all versions of 13.1.x and 12.1.x, when IPSec is configured on a BIG-IP system, undisclosed requests from an authorized remote (IPSec) peer, which already has a negotiated Security Association, can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-35493 βΌ
π Read
via "National Vulnerability Database".
The WebFOCUS Reporting Server and WebFOCUS Client components of TIBCO Software Inc.'s TIBCO WebFOCUS Client, TIBCO WebFOCUS Installer, and TIBCO WebFOCUS Reporting Server contain easily exploitable Stored and Reflected Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO WebFOCUS Client: versions 8207.27.0 and below, TIBCO WebFOCUS Installer: versions 8207.27.0 and below, and TIBCO WebFOCUS Reporting Server: versions 8207.27.0 and below.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23036 βΌ
π Read
via "National Vulnerability Database".
On version 16.0.x before 16.0.1.2, when a BIG-IP ASM and DataSafe profile are configured on a virtual server, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23037 βΌ
π Read
via "National Vulnerability Database".
On all versions of 16.1.x, 16.0.x, 15.1.x, 14.1.x, 13.1.x, 12.1.x, and 11.6.x, a reflected cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23032 βΌ
π Read
via "National Vulnerability Database".
On version 16.x before 16.1.0, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.4, and all versions of 13.1.x and 12.1.x, when a BIG-IP DNS system is configured with non-default Wide IP and pool settings, undisclosed DNS responses can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39391 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability exists in the admin panel in Beego v2.0.1 via the URI path in an HTTP request, which is activated by administrators viewing the "Request Statistics" page.π Read
via "National Vulnerability Database".
β 2021βs Most Dangerous Software Weaknesses β
π Read
via "Threat Post".
Saryu Nayyar, CEO at Gurucul, peeks into Mitre's list of dangerous software bug types, highlighting that the oldies are still the goodies for attackers.π Read
via "Threat Post".
Threat Post
2021βs Most Dangerous Software Weaknesses
Saryu Nayyar, CEO at Gurucul, peeks into Mitre's list of dangerous software bug types, highlighting that the oldies are still the goodies for attackers.
β Microsoft Patches Actively Exploited Windows Zero-Day Bug β
π Read
via "Threat Post".
On Patch Tuesday, Microsoft fixed 66 CVEs, including an RCE bug in MSHTML under active attack as threat actors passed around guides for the drop-dead simple exploit.π Read
via "Threat Post".
Threat Post
Microsoft Patches Actively Exploited Windows Zero-Day Bug
On Patch Tuesday, Microsoft fixed 66 CVEs, including an RCE bug in MSHTML under active attack as threat actors passed around guides for the drop-dead simple exploit.
βοΈ Microsoft Patch Tuesday, September 2021 Edition βοΈ
π Read
via "Krebs on Security".
Microsoft today pushed software updates to plug dozens of security holes in Windows and related products, including a vulnerability that is already being exploited in active attacks. Also, Apple has issued an emergency update to fix a flaw that's reportedly been abused to install spyware on iOS products, and Google's got a new version of Chrome that tackles two zero-day flaws. Finally, Adobe has released critical security updates for Acrobat, Reader and a slew of other software.π Read
via "Krebs on Security".
Krebsonsecurity
Microsoft Patch Tuesday, September 2021 Edition
Microsoft today pushed software updates to plug dozens of security holes in Windows and related products, including a vulnerability that is already being exploited in active attacks. Also, Apple has issued an emergency update to fix a flaw that's reportedlyβ¦
β Adobe Snuffs Critical Bugs in Acrobat, Experience Manager β
π Read
via "Threat Post".
Adobe releases security updates for 59 bugs affecting its core products, including Adobe Acrobat Reader, XMP Toolkit SDK and Photoshop.π Read
via "Threat Post".
Threat Post
Adobe Snuffs Critical Bugs in Acrobat, Experience Manager
Adobe releases security updates for 59 bugs, affecting its core products including Adobe Acrobat Reader, XMP Toolkit SDK and Photoshop.
π¦Ώ Dark Web sees spike in fake COVID vaccine card sales π¦Ώ
π Read
via "Tech Republic".
Some people would rather pay money for a phony vaccine card than get the actual shot for free, according to Check Point Research.π Read
via "Tech Republic".
TechRepublic
Dark Web sees spike in fake COVID vaccine card sales
Some people would rather pay money for a phony vaccine card than get the actual shot for free, according to Check Point Research.
π¦Ώ T-Mobile was breached: Here's how to protect your account π¦Ώ
π Read
via "Tech Republic".
T-Mobile customers should change their password and PIN and set up two-step verification to protect their accounts.π Read
via "Tech Republic".
TechRepublic
T-Mobile was breached: Here's how to protect your account
T-Mobile customers should change their password and PIN and set up two-step verification to protect their accounts.
βΌ CVE-2021-23025 βΌ
π Read
via "National Vulnerability Database".
On version 15.1.x before 15.1.0.5, 14.1.x before 14.1.3.1, 13.1.x before 13.1.3.5, and all versions of 12.1.x and 11.6.x, an authenticated remote command execution vulnerability exists in the BIG-IP Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23028 βΌ
π Read
via "National Vulnerability Database".
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.2, and 13.1.x before 13.1.4, when JSON content profiles are configured for URLs as part of an F5 Advanced Web Application Firewall (WAF)/BIG-IP ASM security policy and applied to a virtual server, undisclosed requests may cause the BIG-IP ASM bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23030 βΌ
π Read
via "National Vulnerability Database".
On BIG-IP Advanced WAF and BIG-IP ASM version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, 14.1.x before 14.1.4.3, 13.1.x before 13.1.4.1, and all versions of 12.1.x, when a WebSocket profile is configured on a virtual server, undisclosed requests can cause bd to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23027 βΌ
π Read
via "National Vulnerability Database".
On version 16.0.x before 16.0.1.2, 15.1.x before 15.1.3.1, and 14.1.x before 14.1.4.3, a DOM based cross-site scripting (XSS) vulnerability exists in an undisclosed page of the BIG-IP Configuration utility that allows an attacker to execute JavaScript in the context of the currently logged-in user. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23029 βΌ
π Read
via "National Vulnerability Database".
On version 16.0.x before 16.0.1.2, insufficient permission checks may allow authenticated users with guest privileges to perform Server-Side Request Forgery (SSRF) attacks through F5 Advanced Web Application Firewall (WAF) and the BIG-IP ASM Configuration utility. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.π Read
via "National Vulnerability Database".