βΌ CVE-2021-41537 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in Solid Edge SE2021 (All versions < SE2021MP8). The affected application contains a use-after-free vulnerability while parsing OBJ files. An attacker could leverage this vulnerability to execute code in the context of the current process (ZDI-CAN-13789).π Read
via "National Vulnerability Database".
βΌ CVE-2021-41538 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in Solid Edge SE2021 (All versions < SE2021MP8). The affected application is vulnerable to information disclosure by unexpected access to an uninitialized pointer while parsing user-supplied OBJ files. An attacker could leverage this vulnerability to leak information from unexpected memory locations (ZDI-CAN-13770).π Read
via "National Vulnerability Database".
βΌ CVE-2021-41533 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in Solid Edge SE2021 (All versions < SE2021MP8). The affected application is vulnerable to an out of bounds read past the end of an allocated buffer when parsing JT files. An attacker could leverage this vulnerability to leak information in the context of the current process (ZDI-CAN-13565).π Read
via "National Vulnerability Database".
βΌ CVE-2021-41535 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in Solid Edge SE2021 (All versions < SE2021MP8). The affected application contains a use-after-free vulnerability while parsing OBJ files. An attacker could leverage this vulnerability to execute code in the context of the current process (ZDI-CAN-13771).π Read
via "National Vulnerability Database".
βΌ CVE-2021-41534 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in Solid Edge SE2021 (All versions < SE2021MP8). The affected application is vulnerable to an out of bounds read past the end of an allocated buffer when parsing JT files. An attacker could leverage this vulnerability to leak information in the context of the current process (ZDI-CAN-13703).π Read
via "National Vulnerability Database".
βΌ CVE-2021-41539 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in Solid Edge SE2021 (All versions < SE2021MP8). The affected application contains a use-after-free vulnerability while parsing OBJ files. An attacker could leverage this vulnerability to execute code in the context of the current process (ZDI-CAN-13773).π Read
via "National Vulnerability Database".
ποΈ Mission accomplished: Security plugin HTTPS Everywhere to be deprecated in 2022 ποΈ
π Read
via "The Daily Swig".
Browser extension can be retired as push to encrypt the web is almost complete, says EFFπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Mission accomplished: Security plugin HTTPS Everywhere to be deprecated in 2022
Browser extension can be retired as push to encrypt the web is almost complete, says EFF
β SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor β
π Read
via "Threat Post".
Microsoft is warning that the Nobelium APT is compromising single-sign-on servers to install a post-exploitation backdoor that steals data and maintains network persistence.π Read
via "Threat Post".
Threat Post
SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor
Microsoft is warning that the Nobelium APT is compromising single-sign-on servers to install a post-exploitation backdoor that steals data and maintains network persistence.
β Working Exploit Is Out for VMware vCenter CVE-2021-22005 Flaw β
π Read
via "Threat Post".
The unredacted RCE exploit allows unauthenticated, remote attackers to upload files to the vCenter Server analytics service.π Read
via "Threat Post".
Threat Post
Working Exploit Is Out for VMware vCenter CVE-2021-22005 Flaw
UPDATE: Indicators of compromise are now available. The unredacted RCE exploit released on Monday allows unauthenticated, remote attackers to upload files to the vCenter Server analytics service.
π΄ Notorious Spyware Tool Found Hiding Beneath Four Layers of Obfuscation π΄
π Read
via "Dark Reading".
FinFisher (aka FinSpy) surveillance software now goes to extreme lengths to duck analysis and discovery, researchers found in a months-long investigation.π Read
via "Dark Reading".
Dark Reading
Notorious Spyware Tool Found Hiding Beneath Four Layers of Obfuscation
FinFisher (aka FinSpy) surveillance software now goes to extreme lengths to duck analysis and discovery, researchers found in a months-long investigation.
π¦Ώ OWASP updates top 10 list with decades old security risk in #1 spot π¦Ώ
π Read
via "Tech Republic".
2021 list shows how far application security has come and how much work is left to do.π Read
via "Tech Republic".
TechRepublic
OWASP updates top 10 list with decades old security risk in #1 spot
2021 list shows how far application security has come and how much work is left to do.
βοΈ Apple Airtag Bug Enables βGood Samaritanβ Attack βοΈ
π Read
via "Krebs on Security".
The new $30 Airtag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner's phone number if the Airtag has been set to lost mode. But according to new research, this same feature can be abused to redirect the Good Samaritan to an iCloud phishing page -- or to any other malicious website.π Read
via "Krebs on Security".
Krebs on Security
Apple AirTag Bug Enables βGood Samaritanβ Attack
The new $30 Airtag tracking device from Apple has a feature that allows anyone who finds one of these tiny location beacons to scan it with a mobile phone and discover its owner's phone number if the Airtag has beenβ¦
βΌ CVE-2021-37104 βΌ
π Read
via "National Vulnerability Database".
There is a server-side request forgery vulnerability in HUAWEI P40 versions 10.1.0.118(C00E116R3P3). This vulnerability is due to insufficient validation of parameters while dealing with some messages. A successful exploit could allow the attacker to gain access to certain resource which the attacker are supposed not to do.π Read
via "National Vulnerability Database".
βΌ CVE-2021-22535 βΌ
π Read
via "National Vulnerability Database".
Unauthorized information security disclosure vulnerability on Micro Focus Directory and Resource Administrator (DRA) product, affecting all DRA versions prior to 10.1 Patch 1. The vulnerability could lead to unauthorized information disclosure.π Read
via "National Vulnerability Database".
βΌ CVE-2021-37105 βΌ
π Read
via "National Vulnerability Database".
There is an improper file upload control vulnerability in FusionCompute 6.5.0, 6.5.1 and 8.0.0. Due to the improper verification of file to be uploaded and does not strictly restrict the file access path, attackers may upload malicious files to the device, resulting in the service abnormal.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38124 βΌ
π Read
via "National Vulnerability Database".
Remote Code Execution vulnerability in Micro Focus ArcSight Enterprise Security Manager (ESM) product, affecting versions 7.0.2 through 7.5. The vulnerability could be exploited resulting in remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34636 βΌ
π Read
via "National Vulnerability Database".
The Countdown and CountUp, WooCommerce Sales Timers WordPress plugin is vulnerable to Cross-Site Request Forgery via the save_theme function found in the ~/includes/admin/coundown_theme_page.php file due to a missing nonce check which allows attackers to inject arbitrary web scripts, in versions up to and including 1.5.7.π Read
via "National Vulnerability Database".
βΌ CVE-2021-37106 βΌ
π Read
via "National Vulnerability Database".
There is a command injection vulnerability in CMA service module of FusionCompute 6.3.0, 6.3.1, 6.5.0 and 8.0.0 when processing the default certificate file. The software constructs part of a command using external special input from users, but the software does not sufficiently validate the user input. Successful exploit could allow the attacker to inject certain commands to the system.π Read
via "National Vulnerability Database".
β Serious Security: Letβs Encrypt gets ready to go it alone (in a good way!) β
π Read
via "Naked Security".
Let's Encrypt is set to become a mainstream, self-certifying web certificate authority - here's why it took so many years.π Read
via "Naked Security".
Naked Security
Serious Security: Letβs Encrypt gets ready to go it alone (in a good way!)
Letβs Encrypt is set to become a mainstream, self-certifying web certificate authority β hereβs why it took so many years.
π¦Ώ 3 tips to protect your users against credential phishing attacks π¦Ώ
π Read
via "Tech Republic".
A new phishing campaign spotted by Armorblox tried to steal user credentials by spoofing a message notification from a company that provides email encryption.π Read
via "Tech Republic".
TechRepublic
3 tips to protect your users against credential phishing attacks
A new phishing campaign spotted by Armorblox tried to steal user credentials by spoofing a message notification from a company that provides email encryption.
π¦Ώ New Chrome feature can tell sites and webapps when you're idle π¦Ώ
π Read
via "Tech Republic".
The new Idle Detection API gives Chrome the ability to register whether a user is active, and has drawn concerns from privacy advocates. Here's how to disable it.π Read
via "Tech Republic".
TechRepublic
New Chrome feature can tell sites and webapps when youβre idle
The new Idle Detection API gives Chrome the ability to register whether a user is active, and has drawn concerns from privacy advocates. Here's how to disable it.