‼ CVE-2021-41587 ‼
📖 Read
via "National Vulnerability Database".
In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially discover credentials for other resources.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40099 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Concrete CMS through 8.5.5. Fetching the update json scheme over HTTP leads to remote code execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41586 ‼
📖 Read
via "National Vulnerability Database".
In Gradle Enterprise before 2021.1.3, an attacker with the ability to perform SSRF attacks can potentially reset the system user password.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40102 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Concrete CMS through 8.5.5. Arbitrary File deletion can occur via PHAR deserialization in is_dir (PHP Object Injection associated with the __wakeup magic method).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40100 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Concrete CMS through 8.5.5. Stored XSS can occur in Conversations when the Active Conversation Editor is set to Rich Text.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41588 ‼
📖 Read
via "National Vulnerability Database".
In Gradle Enterprise before 2021.1.3, a crafted request can trigger deserialization of arbitrary unsafe Java objects. The attacker must have the encryption and signing keys.📖 Read
via "National Vulnerability Database".
🕴 TangleBot Campaign Underscores SMS Threat 🕴
📖 Read
via "Dark Reading".
The attack targets Android devices and starts with a malicious SMS message that aims to bring malware onto compromised devices.📖 Read
via "Dark Reading".
Dark Reading
TangleBot Campaign Underscores SMS Threat
The attack targets Android devices and starts with a malicious SMS message that aims to bring malware onto compromised devices.
👍1
🔏 Friday Five 9/24 🔏
📖 Read
via "".
New iOS privacy settings, the Exchange autodiscover bug, and subsidiary risk - catch up on the week's infosec news with the Friday Five!📖 Read
via "".
Digital Guardian
Friday Five 9/24
New iOS privacy settings, the Exchange autodiscover bug, and subsidiary risk - catch up on the week's infosec news with the Friday Five!
‼ CVE-2021-28130 ‼
📖 Read
via "National Vulnerability Database".
Dr.Web Firewall 12.5.2.4160 on Windows incorrectly restricts applications signed by Dr.Web. A DLL for a custom payload within a legitimate binary (e.g., frwl_svc.exe) bypasses firewall filters.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40309 ‼
📖 Read
via "National Vulnerability Database".
A SQL injection vulnerability exists in the Take Attendance functionality of OS4Ed's OpenSIS 8.0. allows an attacker to inject their own SQL query. The cp_id_miss_attn parameter from TakeAttendance.php is vulnerable to SQL injection. An attacker can make an authenticated HTTP request as a user with access to "Take Attendance" functionality to trigger this vulnerability.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40310 ‼
📖 Read
via "National Vulnerability Database".
OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.📖 Read
via "National Vulnerability Database".
❌ Exchange/Outlook Autodiscover Bug Spills $100K+ Email Passwords ❌
📖 Read
via "Threat Post".
Hundreds of thousands of email credentials, many of which double as Active Directory domain credentials, came through to credential-trapping domains in clear text.📖 Read
via "Threat Post".
Threat Post
Exchange/Outlook Autodiscover Bug Spills 100K+ Email Passwords
Hundreds of thousands of email credentials, many of which double as Active Directory domain credentials, came through to credential-trapping domains in clear text.
🦿 Are VPNs still the best solution for security? 🦿
📖 Read
via "Tech Republic".
Cybersecurity professionals rely on VPNs to secure remote endpoints with an organization's home network. One expert suggests there is a better, simpler and safer approach to accomplish the same thing.📖 Read
via "Tech Republic".
TechRepublic
Are VPNs still the best solution for security?
Cybersecurity professionals rely on VPNs to secure remote endpoints with an organization's home network. One expert suggests there is a better, simpler and safer approach to accomplish the same thing.
🕴 Consumers Share Security Fears as Risky Behaviors Persist 🕴
📖 Read
via "Dark Reading".
While most US adults know they aren't sufficiently protecting their data online, many find security time-consuming or don't know the steps they should take.📖 Read
via "Dark Reading".
Dark Reading
Consumers Share Security Fears as Risky Behaviors Persist
While most US adults know they aren't sufficiently protecting their data online, many find security time-consuming or don't know the steps they should take.
🕴 What Is the Difference Between Security and Resilience? 🕴
📖 Read
via "Dark Reading".
Resilience shifts the focus toward eliminating the probable impact of the full attack chain.📖 Read
via "Dark Reading".
Dark Reading
What Is the Difference Between Security and Resilience?
Resilience shifts the focus toward eliminating the probable impact of the full attack chain.
‼ CVE-2021-22868 ‼
📖 Read
via "National Vulnerability Database".
A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.1.8 and was fixed in 3.1.8, 3.0.16, and 2.22.22. This vulnerability was reported via the GitHub Bug Bounty program. This is the result of an incomplete fix for CVE-2021-22867.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-35313 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39246 ‼
📖 Read
via "National Vulnerability Database".
Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack that can compromise the privacy of visits to v2 onion addresses. If --log or --verbose is used, exact timestamps of these onion-service visits are logged locally, and an attacker might be able to compare them to timestamp data collected by the destination server (or collected by a rogue site within the Tor network).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-22869 ‼
📖 Read
via "National Vulnerability Database".
An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups within the organization because of improper authentication checks during the request. This could cause code to be run unintentionally by the incorrect runner group. This vulnerability affected GitHub Enterprise Server versions from 3.0.0 to 3.0.15 and 3.1.0 to 3.1.7 and was fixed in 3.0.16 and 3.1.8 releases.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-2464 ‼
📖 Read
via "National Vulnerability Database".
Vulnerability in Oracle Linux (component: OSwatcher). Supported versions that are affected are 7 and 8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Linux executes to compromise Oracle Linux. Successful attacks of this vulnerability can result in takeover of Oracle Linux. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).📖 Read
via "National Vulnerability Database".
🦿 How to improve relations between developers and security teams and boost application security 🦿
📖 Read
via "Tech Republic".
Chris Wysopal shared a history lesson about the evolution of application security and advice on how to make all apps more secure.📖 Read
via "Tech Republic".
TechRepublic
How to improve relations between developers and security teams and boost application security
Chris Wysopal shared a history lesson about the evolution of application security and advice on how to make all apps more secure.