‼ CVE-2021-38345 ‼
📖 Read
via "National Vulnerability Database".
The Brizy Page Builder plugin <= 2.3.11 for WordPress used an incorrect authorization check that allowed any logged-in user accessing any endpoint in the wp-admin directory to modify the content of any existing post or page created with the Brizy editor. An identical issue was found by another researcher in Brizy <= 1.0.125 and fixed in version 1.0.126, but the vulnerability was reintroduced in version 1.0.127.
‼ CVE-2021-37933 ‼
📖 Read
via "National Vulnerability Database".
An LDAP injection vulnerability in /account/login in Huntflow Enterprise before 3.10.6 could allow an unauthenticated, remote user to modify the logic of an LDAP query and bypass authentication. The vulnerability is due to insufficient server-side validation of the email parameter before using it to construct LDAP queries. An attacker could bypass authentication by exploiting this vulnerability, sending login attempts in which there is a valid password but a wildcard character in the email parameter.
‼ CVE-2021-41132 ‼
📖 Read
via "National Vulnerability Database".
OMERO.web provides a web based client and plugin infrastructure. In versions prior to 5.11.0, a variety of templates do not perform proper sanitization through HTML escaping. Due to the lack of sanitization and use of ``jQuery.html()``, there are a whole host of cross-site scripting possibilities with specially crafted input to a variety of fields. This issue is patched in version 5.11.0. There are no known workarounds aside from upgrading.
‼ CVE-2021-32569 ‼
📖 Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** In OSS-RC systems of the release 18B and older customer documentation browsing libraries under ALEX are subject to Cross-Site Scripting. This problem is completely resolved in new Ericsson library browsing tool ELEX used in systems like Ericsson Network Manager. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to.
‼ CVE-2021-38346 ‼
📖 Read
via "National Vulnerability Database".
The Brizy Page Builder plugin <= 2.3.11 for WordPress allowed authenticated users to upload executable files to a location of their choice using the brizy_create_block_screenshot AJAX action. The file would be named using the id parameter, which could be prepended with "../" to perform directory traversal, and the file contents were populated via the ibsf parameter, which would be base64-decoded and written to the file. While the plugin added a .jpg extension to all uploaded filenames, a double extension attack was still possible, e.g. a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations.
‼ CVE-2021-39330 ‼
📖 Read
via "National Vulnerability Database".
The Formidable Form Builder WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization found in the ~/classes/helpers/FrmAppHelper.php file which allowed attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 5.0.06. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.
‼ CVE-2021-38344 ‼
📖 Read
via "National Vulnerability Database".
The Brizy Page Builder plugin <= 2.3.11 for WordPress was vulnerable to stored XSS by lower-privileged users such as subscribers. It was possible to add malicious JavaScript to a page by modifying the request sent to update the page via the brizy_update_item AJAX action and adding JavaScript to the data parameter, which would be executed in the session of any visitor viewing or previewing the post or page.
‼ CVE-2021-41142 ‼
📖 Read
via "National Vulnerability Database".
Tuleap Open ALM is a libre and open source tool for end to end traceability of application and system developments. There is a cross-site scripting vulnerability in Tuleap Community Edition prior to 12.11.99.25 and Tuleap Enterprise Edition 12.11-2. A malicious user with the capability to add and remove attachments to an artifact could force a victim to execute uncontrolled code. Tuleap Community Edition 11.17.99.146 and Tuleap Enterprise Edition 12.11-2 contain a fix for the issue.
‼ CVE-2021-42228 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Request Forgery (CSRF) vulnerability exists in KindEditor 4.1.x. First, you upload an HTML file containing CSRF on the website that uses this editor (you only need to search in Google: inurl:/examples/uploadbutton.html) and then use the authority of this website to trick users into clicking your malicious HTML link.
‼ CVE-2021-42227 ‼
📖 Read
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability exists in KindEditor 4.1.x via a Google search inurl:/examples/uploadbutton.html and then the .html file on the website that uses this editor (the file suffix is allowed).
🦿 Broadcom Software's Symantec Threat Hunter Team discovers first-of-its-kind ransomware 🦿
📖 Read
via "Tech Republic".
The new ransomware family, called Yanluowang, appears to still be under development and lacks some sophisticated features found in similar code. Nonetheless, Symantec said, it's dangerous.
🕴 Praetorian Launches Snowcat Tool for Istio 🕴
📖 Read
via "Dark Reading".
Snowcat is the world's first static analysis tool dedicated to Istio.
🔏 2021 to Date Has Seen More Data Breaches Than 2020 🔏
📖 Read
via "Digital Guardian".
We're poised to break records this year when it comes to statistics on breaches, ransomware, and phishing, according to a new report.
🕴 US Water and Wastewater Facilities Targeted in Cyberattacks, Feds Warn 🕴
📖 Read
via "Dark Reading".
CISA, FBI, and NSA issue advisory and defense practices to help these utilities thwart "ongoing" threats targeting IT and OT networks.
‼ CVE-2021-32571 ‼
📖 Read
via "National Vulnerability Database".
** UNSUPPORTED WHEN ASSIGNED ** In OSS-RC systems of the release 18B and older during data migration procedures certain files containing usernames and passwords are left in the system undeleted but in folders accessible by top privileged accounts only. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. Ericsson Network Manager is a new generation OSS system which OSS-RC customers shall upgrade to.
‼ CVE-2021-42369 ‼
📖 Read
via "National Vulnerability Database".
Imagicle Application Suite (for Cisco UC) before 2021.Summer.2 allows SQL injection. A low-privileged user could inject a SQL statement through the "Export to CSV" feature of the Contact Manager web GUI.
‼ CVE-2021-36389 ‼
📖 Read
via "National Vulnerability Database".
In Yellowfin before 9.6.1 it is possible to enumerate and download uploaded images through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIImage.i4".
‼ CVE-2021-36387 ‼
📖 Read
via "National Vulnerability Database".
In Yellowfin before 9.6.1 there is a Stored Cross-Site Scripting vulnerability in the video embed functionality exploitable through a specially crafted HTTP POST request to the page "ActivityStreamAjax.i4".
‼ CVE-2021-36388 ‼
📖 Read
via "National Vulnerability Database".
In Yellowfin before 9.6.1 it is possible to enumerate and download users' profile pictures through an Insecure Direct Object Reference vulnerability exploitable by sending a specially crafted HTTP GET request to the page "MIIAvatarImage.i4".
🦿 How a vishing attack spoofed Microsoft to try to gain remote access 🦿
📖 Read
via "Tech Republic".
A voice phishing campaign spotted by Armorblox tried to convince people to give the attackers access to their computer.
🕴 Deepfence Announces Open Source Availability of ThreatMapper 🕴
📖 Read
via "Dark Reading".
Cloud native security observability platform seamlessly scans, maps, and ranks application vulnerabilities from development through critical production stage.