🛡 Cybersecurity & Privacy 🛡 - News
@cibsecurity
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
Download Telegram
About
Blog
Apps
Platform
Join
🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-39205 ‼

Jitsi Meet is an open source video conferencing application. Versions prior to 2.0.6173 are vulnerable to client-side cross-site scripting via injecting properties into JSON objects that were not properly escaped. There are no known incidents related to this vulnerability being exploited in the wild. This issue is fixed in Jitsi Meet version 2.0.6173. There are no known workarounds aside from upgrading.

📖 Read

via "National Vulnerability Database".
144 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-33692 ‼

SAP Cloud Connector, version - 2.0, allows the upload of zip files as backup. This backup file can be tricked to inject special elements such as '..' and '/' separators, for attackers to escape outside of the restricted location to access files or directories.

📖 Read

via "National Vulnerability Database".
135 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-37912 ‼

The HGiga OAKlouds mobile portal does not filter special characters of the Ethernet number parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection and execute arbitrary commands in the system without logging in.

📖 Read

via "National Vulnerability Database".
114 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-33705 ‼

The SAP NetWeaver Portal, versions - 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, component Iviews Editor contains a Server-Side Request Forgery (SSRF) vulnerability which allows an unauthenticated attacker to craft a malicious URL which when clicked by a user can make any type of request (e.g. POST, GET) to any internal or external server. This can result in the accessing or modification of data accessible from the Portal but will not affect its availability.

📖 Read

via "National Vulnerability Database".
102 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-40862 ‼

HashiCorp Terraform Enterprise up to v202108-1 contained an API endpoint that erroneously disclosed a sensitive URL to authenticated parties, which could be used for privilege escalation or unauthorized modification of a Terraform configuration. Fixed in v202109-1.

📖 Read

via "National Vulnerability Database".
98 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-40965 ‼

A Cross-Site Request Forgery (CSRF) vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload files and run OS commands by inducing the Administrator user to browse a URL controlled by an attacker.

📖 Read

via "National Vulnerability Database".
94 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-33697 ‼

Under certain conditions, SAP BusinessObjects Business Intelligence Platform (SAPUI5), versions - 420, 430, can allow an unauthenticated attacker to redirect users to a malicious site due to Reverse Tabnabbing vulnerabilities.

📖 Read

via "National Vulnerability Database".
90 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-33690 ‼

Server-Side Request Forgery (SSRF) vulnerability has been detected in the SAP NetWeaver Development Infrastructure Component Build Service versions - 7.11, 7.20, 7.30, 7.31, 7.40, 7.50The SAP NetWeaver Development Infrastructure Component Build Service allows a threat actor who has access to the server to perform proxy attacks on server by sending crafted queries. Due to this, the threat actor could completely compromise sensitive data residing on the Server and impact its availability.Note: The impact of this vulnerability depends on whether SAP NetWeaver Development Infrastructure (NWDI) runs on the intranet or internet. The CVSS score reflects the impact considering the worst-case scenario that it runs on the internet.

📖 Read

via "National Vulnerability Database".
90 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-37913 ‼

The HGiga OAKlouds mobile portal does not filter special characters of the IPv6 Gateway parameter of the network interface card setting page. Remote attackers can use this vulnerability to perform command injection and execute arbitrary commands in the system without logging in.

📖 Read

via "National Vulnerability Database".
92 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-29773 ‼

IBM Security Guardium 10.6 and 11.3 could allow a remote authenticated attacker to obtain sensitive information or modify user details caused by an insecure direct object vulnerability (IDOR). IBM X-Force ID: 202865.

📖 Read

via "National Vulnerability Database".
92 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-33693 ‼

SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution.

📖 Read

via "National Vulnerability Database".
95 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-40964 ‼

A Path Traversal vulnerability exists in TinyFileManager all version up to and including 2.4.6 that allows attackers to upload a file (with Admin credentials or with the CSRF vulnerability) with the "fullpath" parameter containing path traversal strings (../ and ..\) in order to escape the server's intended working directory and write malicious files onto any directory on the computer.

📖 Read

via "National Vulnerability Database".
106 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-29750 ‼

IBM QRadar SIEM 7.3 and 7.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 201778.

📖 Read

via "National Vulnerability Database".
112 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-39215 ‼

Jitsi Meet is an open source video conferencing application. In versions prior to 2.0.5963, a Prosody module allows the use of symmetrical algorithms to validate JSON web tokens. This means that tokens generated by arbitrary sources can be used to gain authorization to protected rooms. This issue is fixed in Jitsi Meet 2.0.5963. There are no known workarounds aside from updating.

📖 Read

via "National Vulnerability Database".
122 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-33704 ‼

The Service Layer of SAP Business One, version - 10.0, allows an authenticated attacker to invoke certain functions that would otherwise be restricted to specific users. For an attacker to discover the vulnerable function, no in-depth system knowledge is required. Once exploited via Network stack, the attacker may be able to read, modify or delete restricted data. The impact is that missing authorization can result of abuse of functionality usually restricted to specific users.

📖 Read

via "National Vulnerability Database".
128 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-28901 ‼

Multiple cross-site scripting (XSS) vulnerabilities exist in SITA Software Azur CMS 1.2.3.1 and earlier, which allows remote attackers to inject arbitrary web script or HTML via the (1) NOM_CLI , (2) ADRESSE , (3) ADRESSE2, (4) LOCALITE parameters to /eshop/products/json/aouCustomerAdresse; and the (5) nom_liste parameter to /eshop/products/json/addCustomerFavorite.

📖 Read

via "National Vulnerability Database".
124 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-33695 ‼

Potentially, SAP Cloud Connector, version - 2.0 communication with the backend is accepted without sufficient validation of the certificate.

📖 Read

via "National Vulnerability Database".
135 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-33694 ‼

SAP Cloud Connector, version - 2.0, does not sufficiently encode user-controlled inputs, allowing an attacker with Administrator rights, to include malicious codes that get stored in the database, and when accessed, could be executed in the application, resulting in Stored Cross-Site Scripting.

📖 Read

via "National Vulnerability Database".
155 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-33698 ‼

SAP Business One, version - 10.0, allows an attacker with business authorization to upload any files (including script files) without the proper file format validation.

📖 Read

via "National Vulnerability Database".
179 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2021-40966 ‼

A Stored XSS exists in TinyFileManager All version up to and including 2.4.6 in /tinyfilemanager.php when the server is given a file that contains HTML and javascript in its name. A malicious user can upload a file with a malicious filename containing javascript code and it will run on any user browser when they access the server.

📖 Read

via "National Vulnerability Database".
205 views
🛡 Cybersecurity & Privacy 🛡 - News
‼ CVE-2016-20012 ‼

OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a login session.

📖 Read

via "National Vulnerability Database".
200 views