‼ CVE-2021-40310 ‼
📖 Read
via "National Vulnerability Database".
OpenSIS Community Edition version 8.0 is affected by a cross-site scripting (XSS) vulnerability in the TakeAttendance.php via the cp_id_miss_attn parameter.📖 Read
via "National Vulnerability Database".
❌ Exchange/Outlook Autodiscover Bug Spills $100K+ Email Passwords ❌
📖 Read
via "Threat Post".
Hundreds of thousands of email credentials, many of which double as Active Directory domain credentials, came through to credential-trapping domains in clear text.📖 Read
via "Threat Post".
Threat Post
Exchange/Outlook Autodiscover Bug Spills 100K+ Email Passwords
Hundreds of thousands of email credentials, many of which double as Active Directory domain credentials, came through to credential-trapping domains in clear text.
🦿 Are VPNs still the best solution for security? 🦿
📖 Read
via "Tech Republic".
Cybersecurity professionals rely on VPNs to secure remote endpoints with an organization's home network. One expert suggests there is a better, simpler and safer approach to accomplish the same thing.📖 Read
via "Tech Republic".
TechRepublic
Are VPNs still the best solution for security?
Cybersecurity professionals rely on VPNs to secure remote endpoints with an organization's home network. One expert suggests there is a better, simpler and safer approach to accomplish the same thing.
🕴 Consumers Share Security Fears as Risky Behaviors Persist 🕴
📖 Read
via "Dark Reading".
While most US adults know they aren't sufficiently protecting their data online, many find security time-consuming or don't know the steps they should take.📖 Read
via "Dark Reading".
Dark Reading
Consumers Share Security Fears as Risky Behaviors Persist
While most US adults know they aren't sufficiently protecting their data online, many find security time-consuming or don't know the steps they should take.
🕴 What Is the Difference Between Security and Resilience? 🕴
📖 Read
via "Dark Reading".
Resilience shifts the focus toward eliminating the probable impact of the full attack chain.📖 Read
via "Dark Reading".
Dark Reading
What Is the Difference Between Security and Resilience?
Resilience shifts the focus toward eliminating the probable impact of the full attack chain.
‼ CVE-2021-22868 ‼
📖 Read
via "National Vulnerability Database".
A path traversal vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration options used by GitHub Pages were not sufficiently restricted and made it possible to read files on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.1.8 and was fixed in 3.1.8, 3.0.16, and 2.22.22. This vulnerability was reported via the GitHub Bug Bounty program. This is the result of an incomplete fix for CVE-2021-22867.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-35313 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39246 ‼
📖 Read
via "National Vulnerability Database".
Tor Browser through 10.5.6 and 11.x through 11.0a4 allows a correlation attack that can compromise the privacy of visits to v2 onion addresses. If --log or --verbose is used, exact timestamps of these onion-service visits are logged locally, and an attacker might be able to compare them to timestamp data collected by the destination server (or collected by a rogue site within the Tor network).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-22869 ‼
📖 Read
via "National Vulnerability Database".
An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group could access all of the enterprise runner groups within the organization because of improper authentication checks during the request. This could cause code to be run unintentionally by the incorrect runner group. This vulnerability affected GitHub Enterprise Server versions from 3.0.0 to 3.0.15 and 3.1.0 to 3.1.7 and was fixed in 3.0.16 and 3.1.8 releases.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-2464 ‼
📖 Read
via "National Vulnerability Database".
Vulnerability in Oracle Linux (component: OSwatcher). Supported versions that are affected are 7 and 8. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Linux executes to compromise Oracle Linux. Successful attacks of this vulnerability can result in takeover of Oracle Linux. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).📖 Read
via "National Vulnerability Database".
🦿 How to improve relations between developers and security teams and boost application security 🦿
📖 Read
via "Tech Republic".
Chris Wysopal shared a history lesson about the evolution of application security and advice on how to make all apps more secure.📖 Read
via "Tech Republic".
TechRepublic
How to improve relations between developers and security teams and boost application security
Chris Wysopal shared a history lesson about the evolution of application security and advice on how to make all apps more secure.
‼ CVE-2021-41503 ‼
📖 Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** DCS-5000L v1.05 and DCS-932L v2.17 and older are affecged by Incorrect Acess Control. The use of the basic authentication for the devices command interface allows attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.📖 Read
via "National Vulnerability Database".
‼ CVE-2016-6555 ‼
📖 Read
via "National Vulnerability Database".
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP trap supplied data. By creating a malicious SNMP trap, an attacker can store an XSS payload which will trigger when a user of the web UI views the events list page. This issue was fixed in version 18.0.2, released on September 20, 2016.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40655 ‼
📖 Read
via "National Vulnerability Database".
An informtion disclosure issue exists in D-LINK-DIR-605 B2 Firmware Version : 2.01MT. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40654 ‼
📖 Read
via "National Vulnerability Database".
An information disclosure issue exist in D-LINK-DIR-615 B2 2.01mt. An attacker can obtain a user name and password by forging a post request to the / getcfg.php page📖 Read
via "National Vulnerability Database".
‼ CVE-2016-6556 ‼
📖 Read
via "National Vulnerability Database".
OpenNMS version 18.0.1 and prior are vulnerable to a stored XSS issue due to insufficient filtering of SNMP agent supplied data. By creating a malicious SNMP 'sysName' or 'sysContact' response, an attacker can store an XSS payload which will trigger when a user of the web UI views the data. This issue was fixed in version 18.0.2, released on September 20, 2016.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41504 ‼
📖 Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** An Elevated Privileges issue exists in D-Link DCS-5000L v1.05 and DCS-932L v2.17 and older. The use of the digest-authentication for the devices command interface may allow further attack vectors that may compromise the cameras configuration and allow malicious users on the LAN to access the device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-21742 ‼
📖 Read
via "National Vulnerability Database".
There is an information leak vulnerability in the message service app of a ZTE mobile phone. Due to improper parameter settings, attackers could use this vulnerability to obtain some sensitive information of users by accessing specific pages.📖 Read
via "National Vulnerability Database".
📢 Microsoft exposes BulletProofLink 'phishing as a service' criminal enterprise 📢
📖 Read
via "ITPro".
The sophisticated outfit handles everything from template design to web hosting and credentials processing📖 Read
via "ITPro".
ITPro
Microsoft exposes BulletProofLink 'phishing as a service' criminal enterprise
The sophisticated outfit handles everything from template design to web hosting and credentials processing
📢 The new frontier of endpoint management 📢
📖 Read
via "ITPro".
How analytics and security stacks are driving employee experience initiatives📖 Read
via "ITPro".
IT PRO
The new frontier of endpoint management
How analytics and security stacks are driving employee experience initiatives
📢 IT Pro News in Review: MoD data leak, UK tech jobs boom, Facebook launches Portal for Business 📢
📖 Read
via "ITPro".
Catch up on the biggest headlines of the week in just two minutes📖 Read
via "ITPro".
IT PRO
IT Pro News in Review: MoD data leak, UK tech jobs boom, Facebook launches Portal for Business
Welcome to IT Pro's News in Review, a weekly bite-sized bulletin of the top tech stories of the week, for the week ending 24 September, 2021.