βΌ CVE-2020-4803 βΌ
π Read
via "National Vulnerability Database".
IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189535.π Read
via "National Vulnerability Database".
βΌ CVE-2020-4690 βΌ
π Read
via "National Vulnerability Database".
IBM Security Guardium 11.3 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 186697.π Read
via "National Vulnerability Database".
βΌ CVE-2021-29800 βΌ
π Read
via "National Vulnerability Database".
IBM Tivoli Netcool/OMNIbus_GUI and IBM Jazz for Service Management 1.1.3.10 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.π Read
via "National Vulnerability Database".
βΌ CVE-2020-4809 βΌ
π Read
via "National Vulnerability Database".
IBM Edge 4.2 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 189633.π Read
via "National Vulnerability Database".
β 100M IoT Devices Exposed By Zero-Day Bug β
π Read
via "Threat Post".
A high-severity vulnerability could cause system crashes, knocking out sensors, medical equipment and more.π Read
via "Threat Post".
β 5 Tips for Achieving Better Cybersecurity Risk Management β
π Read
via "Threat Post".
Casey Ellis, founder, CTO and chairman of Bugcrowd, discusses a roadmap for lowering risk from cyberattacks most effectively.π Read
via "Threat Post".
Threat Post
5 Tips for Achieving Better Cybersecurity Risk Management
Casey Ellis, founder, CTO and chairman of Bugcrowd, discusses a roadmap for lowering risk from cyberattacks most effectively.
π NYDFS Clarifies Portions of Cybersecurity Regulation in Update π
π Read
via "".
The New York Department of Financial Services has updated its guidance on incidents affecting third party services and multi-factor authentication.π Read
via "".
Digital Guardian
NYDFS Clarifies Portions of Cybersecurity Regulation in Update
The New York Department of Financial Services has updated its guidance on incidents affecting third party services and multi-factor authentication.
π1
π¦Ώ Here's a fix for open source supply chain attacks π¦Ώ
π Read
via "Tech Republic".
Commentary: Open source has never been more popular or more under attack, but there's something cloud providers can do to make OSS more secure.π Read
via "Tech Republic".
TechRepublic
Here's a fix for open source supply chain attacks
Commentary: Open source has never been more popular or more under attack, but there's something cloud providers can do to make OSS more secure.
βΌ CVE-2021-41088 βΌ
π Read
via "National Vulnerability Database".
Elvish is a programming language and interactive shell, combined into one package. In versions prior to 0.14.0 Elvish's web UI backend (started by `elvish -web`) hosts an endpoint that allows executing the code sent from the web UI. The backend does not check the origin of requests correctly. As a result, if the user has the web UI backend open and visits a compromised or malicious website, the website can send arbitrary code to the endpoint in localhost. All Elvish releases from 0.14.0 onward no longer include the the web UI, although it is still possible for the user to build a version from source that includes the web UI. The issue can be patched for previous versions by removing the web UI (found in web, pkg/web or pkg/prog/web, depending on the exact version).π Read
via "National Vulnerability Database".
βΌ CVE-2020-19949 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the /link/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.π Read
via "National Vulnerability Database".
βΌ CVE-2020-19951 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) in /controller/pay.class.php of YzmCMS v5.5 allows attackers to access sensitive components of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2020-19950 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the /banner/add.html component of YzmCMS v5.3 allows attackers to execute arbitrary web scripts or HTML.π Read
via "National Vulnerability Database".
β STILL ALIVE! iOS 12 gets 3 zero-day security patches β update now β
π Read
via "Naked Security".
It wasn't dead, just resting.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
β REvil Affiliates Confirm: Leadership Were Cheating Dirtbags β
π Read
via "Threat Post".
After news of REvil's rip-off-the-affiliates backdoor & double chats, affiliates fumed, reiterating prior claims against the gang in "Hackers Court."π Read
via "Threat Post".
Threat Post
REvil Affiliates Confirm: Leadership Were Cheating Dirtbags
Following the discovery of REvil's rip-off-the-affiliates backdoor and double chats, those affiliates fumed on the underground, pointing to negotiations that ended abruptly just before payment came.
βΌ CVE-2021-41584 βΌ
π Read
via "National Vulnerability Database".
Gradle Enterprise before 2021.1.3 can allow unauthorized viewing of a response (information disclosure of possibly sensitive build/configuration details) via a crafted HTTP request with the X-Gradle-Enterprise-Ajax-Request header.π Read
via "National Vulnerability Database".
βΌ CVE-2021-31923 βΌ
π Read
via "National Vulnerability Database".
Ping Identity PingAccess before 5.3.3 allows HTTP request smuggling via header manipulation.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41583 βΌ
π Read
via "National Vulnerability Database".
vpn-user-portal (aka eduVPN or Let's Connect!) before 2.3.14, as packaged for Debian 10, Debian 11, and Fedora, allows remote authenticated users to obtain OS filesystem access, because of the interaction of QR codes with an exec that uses the -r option. This can be leveraged to obtain additional VPN access.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41581 βΌ
π Read
via "National Vulnerability Database".
x509_constraints_parse_mailbox in lib/libcrypto/x509/x509_constraints.c in LibreSSL through 3.4.0 has a stack-based buffer over-read. When the input exceeds DOMAIN_PART_MAX_LEN, the buffer lacks '\0' termination.π Read
via "National Vulnerability Database".
β Apple Patches 3 More Zero-Days Under Active Attack β
π Read
via "Threat Post".
One of the bugs, which affects macOS as well as older versions of iPhones, could allow an attacker to execute arbitrary code with kernel privileges.π Read
via "Threat Post".
Threat Post
Apple Patches 3 More Zero-Days Under Active Attack
One of the bugs, which affects macOS as well as older versions of iPhones, could allow an attacker to execute arbitrary code with kernel privileges.
ποΈ Millions of South Africans caught up in security incident after debt recovery firm suffers βsignificant data breachβ ποΈ
π Read
via "The Daily Swig".
Sensitive information is among datasets potentially exposedπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Millions of South Africans caught up in security incident after debt recovery firm suffers βsignificant data breachβ
Sensitive information is among datasets potentially exposed
βΌ CVE-2021-36749 βΌ
π Read
via "National Vulnerability Database".
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.π Read
via "National Vulnerability Database".