βΌ CVE-2021-41087 βΌ
π Read
via "National Vulnerability Database".
in-toto-golang is a go implementation of the in-toto framework to protect software supply chain integrity. In affected versions authenticated attackers posing as functionaries (i.e., within a trusted set of users for a layout) are able to create attestations that may bypass DISALLOW rules in the same layout. An attacker with access to trusted private keys, may issue an attestation that contains a disallowed artifact by including path traversal semantics (e.g., foo vs dir/../foo). Exploiting this vulnerability is dependent on the specific policy applied. The problem has been fixed in version 0.3.0.π Read
via "National Vulnerability Database".
βΌ CVE-2020-35540 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2020. Notes: none.π Read
via "National Vulnerability Database".
βΌ CVE-2020-19554 βΌ
π Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability exists in ManageEngine OPManager <=12.5.174 when the API key contains an XML-based XSS payload.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41086 βΌ
π Read
via "National Vulnerability Database".
jsuites is an open source collection of common required javascript web components. In affected versions users are subject to cross site scripting (XSS) attacks via clipboard content. jsuites is vulnerable to DOM based XSS if the user can be tricked into copying _anything_ from a malicious and pasting it into the html editor. This is because a part of the clipboard content is directly written to `innerHTML` allowing for javascript injection and thus XSS. Users are advised to update to version 4.9.11 to resolve.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41382 βΌ
π Read
via "National Vulnerability Database".
Plastic SCM before 10.0.16.5622 mishandles the WebAdmin server management interface.π Read
via "National Vulnerability Database".
βΌ CVE-2021-31819 βΌ
π Read
via "National Vulnerability Database".
In Halibut versions prior to 4.4.7 there is a deserialisation vulnerability that could allow remote code execution on systems that already trust each other based on certificate verification.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38112 βΌ
π Read
via "National Vulnerability Database".
In the Amazon AWS WorkSpaces client before 3.1.9 on Windows, argument injection in the workspaces:// URI handler can lead to remote code execution because of the Chromium Embedded Framework (CEF) --gpu-launcher argument.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23266 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in gpac 0.8.0. The OD_ReadUTF8String function in odf_code.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted media file.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23273 βΌ
π Read
via "National Vulnerability Database".
Heap-buffer overflow in the randomize_iparp function in edit_packet.c. of Tcpreplay v4.3.2 allows attackers to cause a denial of service (DOS) via a crafted pcap.π Read
via "National Vulnerability Database".
βΌ CVE-2020-23267 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in gpac 0.8.0. The gf_hinter_track_process function in isom_hinter_track_process.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted media fileπ Read
via "National Vulnerability Database".
βΌ CVE-2020-23269 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in gpac 0.8.0. The stbl_GetSampleSize function in isomedia/stbl_read.c has a heap-based buffer overflow which can lead to a denial of service (DOS) via a crafted media file.π Read
via "National Vulnerability Database".
ποΈ New iCloud Private Relay service leaks usersβ true IP addresses, researcher claims ποΈ
π Read
via "The Daily Swig".
De-anonymizing users of VPN-like service, launched with iOS 15 yesterday, is βeasily accomplishedβπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
New iCloud Private Relay service leaks usersβ true IP addresses, researcher claims
De-anonymizing users of VPN-like service, launched with iOS 15 yesterday, is βeasily accomplishedβ
βΌ CVE-2021-39339 βΌ
π Read
via "National Vulnerability Database".
The Telefication WordPress plugin is vulnerable to Open Proxy and Server-Side Request Forgery via the ~/bypass.php file due to a user-supplied URL request value that gets called by a curl requests. This affects versions up to, and including, 1.8.0.π Read
via "National Vulnerability Database".
β VMware patch bulletin warns: βThis needs your immediate attention.β β
π Read
via "Naked Security".
"It is a matter of time before working exploits are available," warns VMware.π Read
via "Naked Security".
Naked Security
VMware patch bulletin warns: βThis needs your immediate attention.β
βIt is a matter of time before working exploits are available,β warns VMware.
ποΈ APT focus: βNoisyβ Russian hacking crews are among the worldβs most sophisticated ποΈ
π Read
via "The Daily Swig".
Unpacking the Matryoshka dolls behind Kremlin-backed cybercrime campaignsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
APT focus: βNoisyβ Russian hacking crews are among the worldβs most sophisticated
Unpacking the Matryoshka dolls behind Kremlin-backed cybercrime campaigns
π¦Ώ Study to become a CompTIA security infrastructure expert π¦Ώ
π Read
via "Tech Republic".
IT professionals who want to move up into elite cybersecurity positions can now boost their career trajectories instead of taking years to advance up the hierarchy.π Read
via "Tech Republic".
TechRepublic
Study to become a CompTIA security infrastructure expert
IT professionals who want to move up into elite cybersecurity positions can now boost their career trajectories instead of taking years to advance up the hierarchy.
ποΈ VMware security warning: Multiple vulnerabilities in vCenter Server could allow remote network access ποΈ
π Read
via "The Daily Swig".
Several issues including one critical bug have been remedied in latest patch cycleπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
VMware security warning: Multiple vulnerabilities in vCenter Server could allow remote network access
Several issues including one critical bug have been remedied in latest patch cycle
βΌ CVE-2021-3583 βΌ
π Read
via "National Vulnerability Database".
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.π Read
via "National Vulnerability Database".
βΌ CVE-2021-36260 βΌ
π Read
via "National Vulnerability Database".
A command injection vulnerability in the web server of some Hikvision product. Due to the insufficient input validation, attacker can exploit the vulnerability to launch a command injection attack by sending some messages with malicious commands.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39404 βΌ
π Read
via "National Vulnerability Database".
MaianAffiliate v1.0 allows an authenticated administrative user to save an XSS to the database.π Read
via "National Vulnerability Database".
β Feds Sanctions SUEX Cryptocurrency Exchange for Laundering Ransomware Payouts β
π Read
via "Threat Post".
The action is the first of its kind in the U.S., as the government increases efforts to get a handle on cybercrime.π Read
via "Threat Post".
Threat Post
Feds Sanctions SUEX Cryptocurrency Exchange for Laundering Ransomware Payouts
The action is the first of its kind in the U.S., as the government increases efforts to get a handle on cybercrime.