βΌ CVE-2021-39883 βΌ
π Read
via "National Vulnerability Database".
Improper authorization checks in GitLab EE > 13.11 allows subgroup members to see epics from all parent subgroups.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39896 βΌ
π Read
via "National Vulnerability Database".
In all versions of GitLab CE/EE since version 8.0, when an admin uses the impersonate feature twice and stops impersonating, the admin may be logged in as the second user they impersonated, which may lead to repudiation issues.π Read
via "National Vulnerability Database".
βΌ CVE-2020-28119 βΌ
π Read
via "National Vulnerability Database".
Cross site scripting vulnerability in 53KF < 2.0.0.2 that allows for arbitrary code to be executed via crafted HTML statement inserted into chat window.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39868 βΌ
π Read
via "National Vulnerability Database".
In all versions of GitLab CE/EE since version 8.12, an authenticated low-privileged malicious user may create a project with unlimited repository size by modifying values in a project export.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41591 βΌ
π Read
via "National Vulnerability Database".
ACINQ Eclair before 0.6.3 allows loss of funds because of dust HTLC exposure.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41593 βΌ
π Read
via "National Vulnerability Database".
Lightning Labs lnd before 0.13.3-beta allows loss of funds because of dust HTLC exposure.π Read
via "National Vulnerability Database".
π New Bill Would Empower ITC to Protect US IP Owners π
π Read
via "".
If passed, a new bill would strengthen the International Trade Commissionβs ability to fight back against trade secret misappropriation.π Read
via "".
Digital Guardian
New Bill Would Empower ITC to Protect US IP Owners
If passed, a new bill would strengthen the International Trade Commissionβs ability to fight back against trade secret misappropriation.
π΄ Law Enforcement Agencies Seize $375K in Ukraine Ransomware Bust π΄
π Read
via "Dark Reading".
A coordinated effort by law enforcement agencies is viewed as a good sign, but security analysts fear this is just the tip of the iceberg.π Read
via "Dark Reading".
Dark Reading
Law Enforcement Agencies Seize $375K in Ukraine Ransomware Bust
A coordinated effort by law enforcement agencies is viewed as a good sign, but security analysts fear this is just the tip of the iceberg.
π΄ New Atom Silo Ransomware Group Targets Confluence Servers π΄
π Read
via "Dark Reading".
An attack that took place over two days used a recently disclosed vulnerability in Atlassian's Confluence collaboration software.π Read
via "Dark Reading".
Dark Reading
New Atom Silo Ransomware Group Targets Confluence Servers
An attack that took place over two days used a recently disclosed vulnerability in Atlassian's Confluence collaboration software.
βΌ CVE-2021-32672 βΌ
π Read
via "National Vulnerability Database".
Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debuggerΓ’β¬β’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41579 βΌ
π Read
via "National Vulnerability Database".
LCDS LAquis SCADA through 4.3.1.1085 is vulnerable to a control bypass and path traversal. If an attacker can get a victim to load a malicious els project file and use the play feature, then the attacker can bypass a consent popup and write arbitrary files to OS locations where the user has permission, leading to code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32675 βΌ
π Read
via "National Vulnerability Database".
Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38392 βΌ
π Read
via "National Vulnerability Database".
A skilled attacker with physical access to the affected device can gain access to the hard disk drive of the device to change the telemetry region and could use this setting to interrogate or program an implantable device in any region in the world.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41651 βΌ
π Read
via "National Vulnerability Database".
A blind SQL injection vulnerability exists in the Raymart DG / Ahmed Helal Hotel-mgmt-system. A malicious attacker can retrieve sensitive database information and interact with the database using the vulnerable cid parameter in process_update_profile.php.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32687 βΌ
π Read
via "National Vulnerability Database".
Redis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39347 βΌ
π Read
via "National Vulnerability Database".
The Stripe for WooCommerce WordPress plugin is missing a capability check on the save() function found in the ~/includes/admin/class-wc-stripe-admin-user-edit.php file that makes it possible for attackers to configure their account to use other site users unique STRIPE identifier and make purchases with their payment accounts. This affects versions 3.0.0 - 3.3.9.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41099 βΌ
π Read
via "National Vulnerability Database".
Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38400 βΌ
π Read
via "National Vulnerability Database".
An attacker with physical access to Boston Scientific Zoom Latitude Model 3120 can remove the hard disk drive or create a specially crafted USB to extract the password hash for brute force reverse engineering of the system password.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41578 βΌ
π Read
via "National Vulnerability Database".
mySCADA myDESIGNER 8.20.0 and below allows Directory Traversal attacks when importing project files. If an attacker can trick a victim into importing a malicious mep file, then they gain the ability to write arbitrary files to OS locations where the user has permission. This would typically lead to code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38396 βΌ
π Read
via "National Vulnerability Database".
The programmer installation utility does not perform a cryptographic authenticity or integrity checks of the software on the flash drive. An attacker could leverage this weakness to install unauthorized software using a specially crafted USB.π Read
via "National Vulnerability Database".
βΌ CVE-2021-32628 βΌ
π Read
via "National Vulnerability Database".
Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.π Read
via "National Vulnerability Database".