βΌ CVE-2021-1939 βΌ
π Read
via "National Vulnerability Database".
Null pointer dereference occurs due to improper validation when the preemption feature enablement is toggled in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Wearablesπ Read
via "National Vulnerability Database".
βΌ CVE-2021-1976 βΌ
π Read
via "National Vulnerability Database".
A use after free can occur due to improper validation of P2P device address in PD Request frame in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networkingπ Read
via "National Vulnerability Database".
βΌ CVE-2021-3811 βΌ
π Read
via "National Vulnerability Database".
adminlte is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')π Read
via "National Vulnerability Database".
βΌ CVE-2021-3805 βΌ
π Read
via "National Vulnerability Database".
object-path is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')π Read
via "National Vulnerability Database".
βΌ CVE-2021-3810 βΌ
π Read
via "National Vulnerability Database".
code-server is vulnerable to Inefficient Regular Expression Complexityπ Read
via "National Vulnerability Database".
βΌ CVE-2021-30261 βΌ
π Read
via "National Vulnerability Database".
Possible integer and heap overflow due to lack of input command size validation while handling beacon template update command from HLOS in Snapdragon Auto, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearablesπ Read
via "National Vulnerability Database".
βΌ CVE-2021-3803 βΌ
π Read
via "National Vulnerability Database".
nth-check is vulnerable to Inefficient Regular Expression Complexityπ Read
via "National Vulnerability Database".
β AT&T Phone-Unlocking Malware Ring Costs Carrier $200M β
π Read
via "Threat Post".
With the help of malicious insiders, a fraudster was able to install malware and remotely divorce iPhones and other handsets from the carrier's U.S. network -- all the way from Pakistan.π Read
via "Threat Post".
Threat Post
AT&T Phone-Unlocking Malware Ring Costs Carrier $200M
With the help of malicious insiders, a fraudster was able to install malware and remotely divorce iPhones and other handsets from the carrier's U.S. network β all the way from Pakistan.
ποΈ Google announces partnership to review security of open source software projects ποΈ
π Read
via "The Daily Swig".
Tech giant will lend its support to security reviews of eight projects, including Git, Lodash, and Laravel π Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Google announces partnership to review security of open source software projects
Tech giant will lend its support to security reviews of eight projects, including Git, Lodash, and Laravel
β Ditch the Alert Cannon: Modernizing IDS is a Security Must-Do β
π Read
via "Threat Post".
Jeff Costlow, CISO at ExtraHop, makes the case for implementing next-gen intrusion-detection systems (NG-IDS) and retiring those noisy 90s compliance platforms.π Read
via "Threat Post".
Threat Post
Ditch the Alert Cannon: Modernizing IDS is a Security Must-Do
Jeff Costlow, CISO at ExtraHop, makes the case for implementing next-gen intrusion-detection systems (NG-IDS) and retiring those noisy 90s compliance platforms.
ποΈ Epik hack exposes lax security practices at controversial web host ποΈ
π Read
via "The Daily Swig".
ISP guilty of βlaziest design possibleβ, critics allegeπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Epik hack exposes lax security practices at controversial web host
ISP guilty of βlaziest design possibleβ, critics allege
ποΈ Alaska Department of Health reveals data breach potentially exposing residentsβ financial, health information ποΈ
π Read
via "The Daily Swig".
Disclosure part of lengthy investigation into sophisticated attack that took place in Mayπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Alaska Department of Health reveals data breach potentially exposing residentsβ financial, health information
Disclosure part of lengthy investigation into sophisticated attack that took place in May
π¦Ώ Small businesses need to step up efforts to secure and retain hybrid workers π¦Ώ
π Read
via "Tech Republic".
Only 31% are shipping laptops to employees and nearly half have spent their own money on a remote workspace, a survey from GetApp finds.π Read
via "Tech Republic".
TechRepublic
Small businesses need to step up efforts to secure and retain hybrid workers
Only 31% are shipping laptops to employees and nearly half have spent their own money on a remote workspace, a survey from GetApp finds.
π¦Ώ Dell study finds most organizations don't think they can recover from a ransomware attack π¦Ώ
π Read
via "Tech Republic".
Sixty-seven percent lack confidence in their ability to recover business-critical data, which is troubling given that the amount of data businesses manage has grown by more than 10x since 2016.π Read
via "Tech Republic".
TechRepublic
Dell study finds most organizations don't think they can recover from a ransomware attack
Sixty-seven percent lack confidence in their ability to recover business-critical data, which is troubling given that the amount of data businesses manage has grown by more than 10x since 2016.
π1
βΌ CVE-2021-41315 βΌ
π Read
via "National Vulnerability Database".
The Device42 Remote Collector before 17.05.01 does not sanitize user input in its SNMP Connectivity utility. This allows an authenticated attacker (with access to the console application) to execute arbitrary OS commands and escalate privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2021-31844 βΌ
π Read
via "National Vulnerability Database".
A buffer overflow vulnerability in McAfee Data Loss Prevention (DLP) Endpoint for Windows prior to 11.6.200 allows a local attacker to execute arbitrary code with elevated privileges through placing carefully constructed Ami Pro (.sam) files onto the local system and triggering a DLP Endpoint scan through accessing a file. This is caused by the destination buffer being of fixed size and incorrect checks being made on the source size.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39227 βΌ
π Read
via "National Vulnerability Database".
ZRender is a lightweight graphic library providing 2d draw for Apache ECharts. In versions prior to 5.2.1, using `merge` and `clone` helper methods in the `src/core/util.ts` module results in prototype pollution. It affects the popular data visualization library Apache ECharts, which uses and exports these two methods directly. The GitHub Security Advisory page for this vulnerability contains a proof of concept. This issue is patched in ZRender version 5.2.1. One workaround is available: Check if there is `__proto__` in the object keys. Omit it before using it as an parameter in these affected methods. Or in `echarts.util.merge` and `setOption` if project is using ECharts.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39228 βΌ
π Read
via "National Vulnerability Database".
Tremor is an event processing system for unstructured data. A vulnerability exists between versions 0.7.2 and 0.11.6. This vulnerability is a memory safety Issue when using `patch` or `merge` on `state` and assign the result back to `state`. In this case, affected versions of Tremor and the tremor-script crate maintains references to memory that might have been freed already. And these memory regions can be accessed by retrieving the `state`, e.g. send it over TCP or HTTP. This requires the Tremor server (or any other program using tremor-script) to execute a tremor-script script that uses the mentioned language construct. The issue has been patched in version 0.11.6 by removing the optimization and always cloning the target expression of a Merge or Patch. If an upgrade is not possible, a possible workaround is to avoid the optimization by introducing a temporary variable and not immediately reassigning to `state`.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41316 βΌ
π Read
via "National Vulnerability Database".
The Device42 Main Appliance before 17.05.01 does not sanitize user input in its Nmap Discovery utility. An attacker (with permissions to add or edit jobs run by this utility) can inject an extra argument to overwrite arbitrary files as the root user on the Remote Collector.π Read
via "National Vulnerability Database".
βΌ CVE-2021-31843 βΌ
π Read
via "National Vulnerability Database".
Improper privileges management vulnerability in McAfee Endpoint Security (ENS) Windows prior to 10.7.0 September 2021 Update allows local users to access files which they would otherwise not have access to via manipulating junction links to redirect McAfee folder operations to an unintended location.π Read
via "National Vulnerability Database".
βΌ CVE-2021-31842 βΌ
π Read
via "National Vulnerability Database".
XML Entity Expansion injection vulnerability in McAfee Endpoint Security (ENS) for Windows prior to 10.7.0 September 2021 Update allows a local user to initiate high CPU and memory consumption resulting in a Denial of Service attack through carefully editing the EPDeploy.xml file and then executing the setup process.π Read
via "National Vulnerability Database".