βΌ CVE-2021-39230 βΌ
π Read
via "National Vulnerability Database".
Butter is a system usability utility. Due to a kernel error the JPNS kernel is being discontinued. Affected users are recommend to update to the Trinity kernel. There are no workarounds.π Read
via "National Vulnerability Database".
βΌ CVE-2021-29831 βΌ
π Read
via "National Vulnerability Database".
IBM Jazz for Service Management 1.1.3.10 and IBM Tivoli Netcool/OMNIbus_GUI is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 204775.π Read
via "National Vulnerability Database".
βΌ CVE-2021-29795 βΌ
π Read
via "National Vulnerability Database".
IBM PowerVM Hypervisor FW860, FW930, FW940, and FW950 could allow a local user to create a specially crafted sequence of hypervisor calls from a partition that could crash the system. IBM X-Force ID: 203557.π Read
via "National Vulnerability Database".
π Cryptocurrency Exchange Linked to Ransomware Groups Sanctioned π
π Read
via "".
The move, the Treasury's first sanctions designation against a virtual currency exchange, is part of the US governmentβs attempt to cut off revenue to ransomware gangs.π Read
via "".
Digital Guardian
Cryptocurrency Exchange Linked to Ransomware Groups Sanctioned
The move, the Treasury's first sanctions designation against a virtual currency exchange, is part of the US governmentβs attempt to cut off revenue to ransomware gangs.
β Epik Confirms Hack, Gigabytes of Data on Offer β
π Read
via "Threat Post".
"Time to find out who in your family secretly ran ... [a] QAnon hellhole," said attackers who affiliated themselves with the hacktivist collective Anonymous, noting that Epik had laughable security.π Read
via "Threat Post".
Threat Post
Epik Confirms Hack, Gigabytes of Data on Offer
Hacktivist collective Anonymous said the company had laughable security.
βΌ CVE-2021-40847 βΌ
π Read
via "National Vulnerability Database".
The update process of the Circle Parental Control Service on various NETGEAR routers allows remote attackers to achieve remote code execution as root via a MitM attack. While the parental controls themselves are not enabled by default on the routers, the Circle update daemon, circled, is enabled by default. This daemon connects to Circle and NETGEAR to obtain version information and updates to the circled daemon and its filtering database. However, database updates from NETGEAR are unsigned and downloaded via cleartext HTTP. As such, an attacker with the ability to perform a MitM attack on the device can respond to circled update requests with a crafted, compressed database file, the extraction of which gives the attacker the ability to overwrite executable files with attacker-controlled code. This affects R6400v2 1.0.4.106, R6700 1.0.2.16, R6700v3 1.0.4.106, R6900 1.0.2.16, R6900P 1.3.2.134, R7000 1.0.11.123, R7000P 1.3.2.134, R7850 1.0.5.68, R7900 1.0.4.38, R8000 1.0.4.68, and RS400 1.5.0.68.π Read
via "National Vulnerability Database".
βΌ CVE-2020-19553 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vlnerability exists in WUZHI CMS up to and including 4.1.0 in the config function in coreframe/app/attachment/libs/class/ckditor.class.php.π Read
via "National Vulnerability Database".
βΌ CVE-2020-19551 βΌ
π Read
via "National Vulnerability Database".
Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41084 βΌ
π Read
via "National Vulnerability Database".
http4s is an open source scala interface for HTTP. In affected versions http4s is vulnerable to response-splitting or request-splitting attacks when untrusted user input is used to create any of the following fields: Header names (`Header.name`ΓΒ₯), Header values (`Header.value`), Status reason phrases (`Status.reason`), URI paths (`Uri.Path`), URI authority registered names (`URI.RegName`) (through 0.21). This issue has been resolved in versions 0.21.30, 0.22.5, 0.23.4, and 1.0.0-M27 perform the following. As a matter of practice http4s services and client applications should sanitize any user input in the aforementioned fields before returning a request or response to the backend. The carriage return, newline, and null characters are the most threatening.π Read
via "National Vulnerability Database".
π¦Ώ Is hacking back effective, or does it just scratch an evolutionary itch? π¦Ώ
π Read
via "Tech Republic".
Retribution by hacking back might make you feel better, but experts urge caution and explain why it's a bad idea.π Read
via "Tech Republic".
TechRepublic
Is hacking back effective, or does it just scratch an evolutionary itch?
Retribution by hacking back might make you feel better, but experts urge caution and explain why it's a bad idea.
βΌ CVE-2020-35541 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2020. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41087 βΌ
π Read
via "National Vulnerability Database".
in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo). Exploiting this vulnerability is dependent on the specific policy applied. The problem has been fixed in version 0.3.0.π Read
via "National Vulnerability Database".
βΌ CVE-2020-35540 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2020. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2020-19554 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability exists in ManageEngine OPManager <=12.5.174 when the API key contains an XML-based XSS payload.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41086 βΌ
π Read
via "National Vulnerability Database".
jsuites is an open source collection of common required javascript web components. In affected versions users are subject to cross site scripting (XSS) attacks via clipboard content. jsuites is vulnerable to DOM based XSS if the user can be tricked into copying _anything_ from a malicious and pasting it into the html editor. This is because a part of the clipboard content is directly written to `innerHTML` allowing for javascript injection and thus XSS. Users are advised to update to version 4.9.11 to resolve.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41382 βΌ
π Read
via "National Vulnerability Database".
Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server management interface.π Read
via "National Vulnerability Database".
βΌ CVE-2021-31819 βΌ
π Read
via "National Vulnerability Database".
In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38112 βΌ
π Read
via "National Vulnerability Database".
In the Amazon AWS WorkSpaces client before 3.1.9 on Windows, argument injection in the workspaces:// URI handler can lead to remote code execution because of the Chromium Embedded Framework (CEF) --gpu-launcher argument.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23266 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in gpac 0.8.0. The OD_ReadUTF8String function in odf_code.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted media file.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23273 βΌ
π Read
via "National Vulnerability Database".
Heap-buffer overflow in the randomize_iparp function in edit_packet.c. of Tcpreplay v4.3.2 allows attackers to cause a denial of service (DOS) via a crafted pcap.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23267 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in gpac 0.8.0. The gf_hinter_track_process function in isom_hinter_track_process.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted media fileπ Read
via "National Vulnerability Database".