‼ CVE-2021-39214 ‼
📖 Read
via "National Vulnerability Database".
mitmproxy is an interactive, SSL/TLS-capable intercepting proxy. In mitmproxy 7.0.2 and below, a malicious client or server is able to perform HTTP request smuggling attacks through mitmproxy. This means that a malicious client/server could smuggle a request/response through mitmproxy as part of another request/response's HTTP message body. While a smuggled request is still captured as part of another request's body, it does not appear in the request list and does not go through the usual mitmproxy event hooks, where users may have implemented custom access control checks or input sanitization. Unless one uses mitmproxy to protect an HTTP/1 service, no action is required. The vulnerability has been fixed in mitmproxy 7.0.3 and above.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34798 ‼
📖 Read
via "National Vulnerability Database".
Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP Server 2.4.48 and earlier.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-27340 ‼
📖 Read
via "National Vulnerability Database".
OpenSIS Community Edition version <= 7.6 is affected by a reflected XSS vulnerability in EmailCheck.php via the "opt" parameter.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39275 ‼
📖 Read
via "National Vulnerability Database".
ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache HTTP Server 2.4.48 and earlier.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39208 ‼
📖 Read
via "National Vulnerability Database".
SharpCompress is a fully managed C# library to deal with many compression types and formats. Versions prior to 0.29.0 are vulnerable to partial path traversal. SharpCompress recreates a hierarchy of directories under destinationDirectory if ExtractFullPath is set to true in options. In order to prevent extraction outside the destination directory the destinationFileName path is verified to begin with fullDestinationDirectoryPath. However, prior to version 0.29.0, it is not enforced that fullDestinationDirectoryPath ends with slash. If the destinationDirectory is not slash terminated like `/home/user/dir` it is possible to create a file with a name thats begins as the destination directory one level up from the directory, i.e. `/home/user/dir.sh`. Because of the file name and destination directory constraints the arbitrary file creation impact is limited and depends on the use case. This issue is fixed in SharpCompress version 0.29.0.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39239 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability in XML processing in Apache Jena, in versions up to 4.1.0, may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.📖 Read
via "National Vulnerability Database".
🦿 It's time enterprise businesses place their complete trust in open source 🦿
📖 Read
via "Tech Republic".
Canonical announced that its managed services had MSPCV Certification. Jack Wallen believes this milestone should help big businesses realize it is time to trust open source software.📖 Read
via "Tech Republic".
TechRepublic
It's time enterprise businesses place their complete trust in open source
Canonical announced that its managed services had MSPCV Certification. Jack Wallen believes this milestone should help big businesses realize it is time to trust open source software.
‼ CVE-2021-29763 ‼
📖 Read
via "National Vulnerability Database".
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 under very specific conditions, could allow a local user to keep running a procedure that could cause the system to run out of memory.and cause a denial of service. IBM X-Force ID: 202267.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29825 ‼
📖 Read
via "National Vulnerability Database".
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could disclose sensitive information when using ADMIN_CMD with LOAD or BACKUP. IBM X-Force ID: 204470.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29752 ‼
📖 Read
via "National Vulnerability Database".
IBM Db2 11.2 and 11.5 contains an information disclosure vulnerability, exposing remote storage credentials to privileged users under specific conditions. IBM X-Fporce ID: 201780.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-29842 ‼
📖 Read
via "National Vulnerability Database".
IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: 205202.📖 Read
via "National Vulnerability Database".
❌ Airline Credential-Theft Takes Off in Widening Campaign ❌
📖 Read
via "Threat Post".
A spyware effort bent on stealing cookies and logins is being driven by unsophisticated attackers cashing in on the initial-access-broker boom.📖 Read
via "Threat Post".
Threat Post
Airline Credential-Theft Takes Off in Widening Campaign
A spyware effort bent on stealing cookies and logins is being driven by unsophisticated attackers cashing in on the initial-access-broker boom.
‼ CVE-2021-40669 ‼
📖 Read
via "National Vulnerability Database".
SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40670 ‼
📖 Read
via "National Vulnerability Database".
SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords iparameter under the /coreframe/app/order/admin/card.php file.📖 Read
via "National Vulnerability Database".
❌ CISA, FBI: State-Backed APTs May Be Exploiting Critical Zoho Bug ❌
📖 Read
via "Threat Post".
The newly identified bug in a Zoho single sign-on and password management tool has been under active attack since early August.📖 Read
via "Threat Post".
Threat Post
CISA, FBI: State-Backed APTs May Be Exploiting Critical Zoho Bug
The newly identified bug in a Zoho single sign-on and password management tool has been under active attack since early August.
‼ CVE-2020-21535 ‼
📖 Read
via "National Vulnerability Database".
fig2dev 3.2.7b contains a segmentation fault in the gencgm_start function in gencgm.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21531 ‼
📖 Read
via "National Vulnerability Database".
fig2dev 3.2.7b contains a global buffer overflow in the conv_pattern_index function in gencgm.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21532 ‼
📖 Read
via "National Vulnerability Database".
fig2dev 3.2.7b contains a global buffer overflow in the setfigfont function in genepic.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21530 ‼
📖 Read
via "National Vulnerability Database".
fig2dev 3.2.7b contains a segmentation fault in the read_objects function in read.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21529 ‼
📖 Read
via "National Vulnerability Database".
fig2dev 3.2.7b contains a stack buffer overflow in the bezier_spline function in genepic.c.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21533 ‼
📖 Read
via "National Vulnerability Database".
fig2dev 3.2.7b contains a stack buffer overflow in the read_textobject function in read.c.📖 Read
via "National Vulnerability Database".