β Apple Pay with Visa Hacked to Make Payments via Unlocked iPhones β
π Read
via "Threat Post".
Researchers have demonstrated that someone could use a stolen, unlocked iPhone to pay for thousands of dollars of goods or services, no authentication needed.π Read
via "Threat Post".
βΌ CVE-2021-41720 βΌ
π Read
via "National Vulnerability Database".
A command injection vulnerability in Lodash in 4.17.21 allows attackers to arbitrary code execution via the template function. NOTE: this is a different parameter, method, and version than CVE-2021-23337.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41109 βΌ
π Read
via "National Vulnerability Database".
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload. A patch in version 4.10.4 removes session tokens from the LiveQuery payload. As a workaround, set `user.acl(new Parse.ACL())` in a beforeSave trigger to make the user private already on sign-up.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21089 βΌ
π Read
via "National Vulnerability Database".
Acrobat Reader DC versions versions 2020.013.20074 (and earlier), 2020.001.30018 (and earlier) and 2017.011.30188 (and earlier) are affected by an out-of-bounds Read vulnerability. An unauthenticated attacker could leverage this vulnerability to locally escalate privileges in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.π Read
via "National Vulnerability Database".
ποΈ Bug Bounty Radar // The latest bug bounty programs for October 2021 ποΈ
π Read
via "The Daily Swig".
New web targets for the discerning hackerπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Bug Bounty Radar // The latest bug bounty programs for October 2021
New web targets for the discerning hacker
π΄ The New Security Basics: 10 Most Common Defensive Actions π΄
π Read
via "Dark Reading".
Companies now commonly collect security metrics from their software development life cycle, implement basic security measures, and define their obligations to protect user data as part of a basic security strategy.π Read
via "Dark Reading".
Dark Reading
The New Security Basics: 10 Most Common Defensive Actions
Companies now commonly collect security metrics from their software development life cycle, implement basic security measures, and define their obligations to protect user data as part of a basic security strategy.
β How to steal money via Apple Pay using the βExpress Transitβ feature β
π Read
via "Naked Security".
Could a rogue vendor with a dodgy payment terminal rip you off via Apple Pay? Maybe. Here's what to do about it.π Read
via "Naked Security".
Naked Security
How to steal money via Apple Pay using the βExpress Transitβ feature
Could a rogue vendor with a dodgy payment terminal rip you off via Apple Pay? Maybe. Hereβs what to do about it.
β S3 Ep52: Letβs Encrypt, Outlook leak, and VMware exploit [Podcast] β
π Read
via "Naked Security".
Latest episode - listen now!π Read
via "Naked Security".
Naked Security
S3 Ep52: Letβs Encrypt, Outlook leak, and VMware exploit [Podcast]
Latest episode β listen now!
π Haveged 1.9.15 π
π Read
via "Packet Storm Security".
haveged is a daemon that feeds the /dev/random pool on Linux using an adaptation of the HArdware Volatile Entropy Gathering and Expansion algorithm invented at IRISA. The algorithm is self-tuning on machines with cpuid support, and has been tested in both 32-bit and 64-bit environments. The tarball uses the GNU build mechanism, and includes self test targets and a spec file for those who want to build an RPM.π Read
via "Packet Storm Security".
Packetstormsecurity
Haveged 1.9.15 β Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
β Innovative Proxy Phantom ATO Fraud Ring Haunts eCommerce Accounts β
π Read
via "Threat Post".
The group uses millions of password combos at the rate of nearly 2,700 login attempts per minute with new techniques that push the ATO envelope.π Read
via "Threat Post".
Threat Post
Innovative Proxy Phantom ATO Fraud Ring Haunts eCommerce Accounts
The group uses millions of password combos at the rate of 2,700 login attempts per minute with new techniques that push the ATO envelope.
β Babyβs Death Alleged to Be Linked to Ransomware β
π Read
via "Threat Post".
Access to heart monitors disabled by the attack allegedly kept staff from spotting blood & oxygen deprivation that led to the baby's death.π Read
via "Threat Post".
Threat Post
Babyβs Death Alleged to Be Linked to Ransomware
Access to heart monitors disabled by the attack allegedly kept staff from spotting blood & oxygen deprivation that led to the baby's death.
π΄ You're Going to Be the Victim of a Ransomware Attack π΄
π Read
via "Dark Reading".
That's not admitting defeat. It's preparing for success.π Read
via "Dark Reading".
Dark Reading
You're Going to Be the Victim of a Ransomware Attack
That's not admitting defeat. It's preparing for success.
β Tips & Tricks for Unmasking Ghoulish API Behavior β
π Read
via "Threat Post".
Jason Kent, hacker-in-residence at Cequence Security, discusses how to track user-agent connections to mobile and desktop APIs, to spot malicious activity.π Read
via "Threat Post".
Threat Post
Tips & Tricks for Unmasking Ghoulish API Behavior
Jason Kent, hacker-in-residence at Cequence Security, discusses how to track user-agent connections to mobile and desktop APIs, to spot malicious activity.
βΌ CVE-2021-29894 βΌ
π Read
via "National Vulnerability Database".
IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 207320.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24016 βΌ
π Read
via "National Vulnerability Database".
An improper neutralization of formula elements in a csv file in Fortinet FortiManager version 6.4.3 and below, 6.2.7 and below allows attacker to execute arbitrary commands via crafted IPv4 field in policy name, when exported as excel file and opened unsafely on the victim host.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24017 βΌ
π Read
via "National Vulnerability Database".
An improper authentication in Fortinet FortiManager version 6.4.3 and below, 6.2.6 and below allows attacker to assign arbitrary Policy and Object modules via crafted requests to the request handler.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20662 βΌ
π Read
via "National Vulnerability Database".
libiec_iccp_mod v1.5 contains a heap-buffer-overflow in the component mms_client_example1.c.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20664 βΌ
π Read
via "National Vulnerability Database".
libiec_iccp_mod v1.5 contains a segmentation violation in the component server_example1.c.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20663 βΌ
π Read
via "National Vulnerability Database".
libiec_iccp_mod v1.5 contains a heap-buffer-overflow in the component mms_client_connection.c.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20578 βΌ
π Read
via "National Vulnerability Database".
IBM Cloud Pak for Security (CP4S) 1.7.0.0, 1.7.1.0, 1.7.2.0, and 1.8.0.0 could allow an attacker to perform unauthorized actions due to improper or missing authentication controls. IBM X-Force ID: 199282.π Read
via "National Vulnerability Database".
βΌ CVE-2021-20554 βΌ
π Read
via "National Vulnerability Database".
IBM Sterling Order Management 9.4, 9.5, and 10.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 199179.π Read
via "National Vulnerability Database".