🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-41151 ‼

Backstage is an open platform for building developer portals. In affected versions, a malicious actor could read sensitive files from the environment where Scaffolder Tasks are run. The attack is executed by crafting a custom Scaffolder template with a `github:publish:pull-request` action and a particular source path. When the template is executed, the sensitive files are included in the published pull request. This vulnerability is mitigated by the fact that an attacker would need access to create and register templates in the Backstage catalog, and that the attack is very visible given that the exfiltration happens via a pull request. The vulnerability is patched in the `0.15.9` release of `@backstage/plugin-scaffolder-backend`.

via "National Vulnerability Database".
‼ CVE-2021-41153 ‼

The evm crate is a pure Rust implementation of the Ethereum Virtual Machine. In `evm` crate `< 0.31.0`, the `JUMPI` opcode's condition is checked after the destination validity check. However, according to Geth and OpenEthereum, the condition check should happen before the destination validity check. This is a **high** severity security advisory if you use the `evm` crate for Ethereum mainnet. In this case, you should update your library dependency immediately to `0.31.0` or later. This is a **low** severity security advisory if you use the `evm` crate in Frontier or in a standalone blockchain, because there's no security exploit possible with this advisory. It is **not** recommended to update to `0.31.0` or later until all the normal chain upgrade preparations have been done. If you use Frontier or another `pallet-evm` based Substrate blockchain, please ensure you update your `spec_version` before updating this. For other blockchains, please make sure to follow a hard-fork process before you update this.

via "National Vulnerability Database".
🕴 Group With Potential Links to Iranian Threat Actor Resurfaces 🕴

The Lyceum group has previously been linked to attacks on targets in the Middle East.

via "Dark Reading".
🕴 FIDO Alliance Research Tracks Passwordless Authentication as It Moves Mainstream 🕴

New Online Authentication Barometer from the FIDO Alliance reveals consumer habits, trends and adoption of authentication technologies.

via "Dark Reading".
‼ CVE-2021-41155 ‼

Tuleap is a Free & Open Source Suite to improve management of software development and collaboration. In affected versions, Tuleap does not properly sanitize user input when constructing the SQL query used to browse and search revisions in the CVS repositories. The following versions contain the fix: Tuleap Community Edition 11.17.99.146, Tuleap Enterprise Edition 11.17-5, Tuleap Enterprise Edition 11.16-7.

via "National Vulnerability Database".
‼ CVE-2021-41154 ‼

Tuleap is a Free & Open Source Suite to improve management of software development and collaboration. In affected versions, an attacker with read access to an "SVN core" repository could execute arbitrary SQL queries. The following versions contain the fix: Tuleap Community Edition 11.17.99.144, Tuleap Enterprise Edition 11.17-5, Tuleap Enterprise Edition 11.16-7.

via "National Vulnerability Database".
‼ CVE-2021-20836 ‼

An out-of-bounds read vulnerability in CX-Supervisor v4.0.0.13 and v4.0.0.16 allows an attacker with administrative privileges to cause information disclosure and/or arbitrary code execution by opening specially crafted SCS project files.

via "National Vulnerability Database".
🕴 7 Cross-Industry Technology Trends That Will Disrupt the World 🕴

Recent McKinsey & Company analysis examines which technologies will have the most momentum in the next ten years. These are the trends security teams need to be aware of in order to protect the organization effectively.

via "Dark Reading".
❌ TA505 Gang Is Back With Newly Polished FlawedGrace RAT ❌

TA505 – cybercrime trailblazers with ever-evolving TTPs – have returned to mass-volume email attacks, flashing retooled malware and exotic scripting languages.

via "Threat Post".
‼️ CVE-2021-25968 ‼️

In OpenCMS, versions 10.5.0 to 11.0.2 are affected by a stored XSS vulnerability that allows low privileged application users to store malicious scripts in the Sitemap functionality. These scripts are executed in a victim's browser when they open the page containing the vulnerable field.

via "National Vulnerability Database".
🕴 The Simmering Cybersecurity Risk of Employee Burnout 🕴

Why understanding human behavior is essential to building resilient security systems.

via "Dark Reading".
‼ CVE-2021-3889 ‼

libmobi is vulnerable to Use of Out-of-range Pointer Offset.

via "National Vulnerability Database".
‼ CVE-2021-3846 ‼

firefly-iii is vulnerable to Unrestricted Upload of File with Dangerous Type.

via "National Vulnerability Database".
‼ CVE-2021-3888 ‼

libmobi is vulnerable to Use of Out-of-range Pointer Offset.

via "National Vulnerability Database".
‼ CVE-2021-38474 ‼

InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 have no account lockout policy configured for the login page of the product. This may allow an attacker to execute a brute-force password attack with no time limitation and without disrupting the normal operation of the user. This could allow an attacker to gain valid credentials for the product interface.

via "National Vulnerability Database".
‼ CVE-2021-3858 ‼

snipe-it is vulnerable to Cross-Site Request Forgery (CSRF).

via "National Vulnerability Database".
‼ CVE-2021-3869 ‼

corenlp is vulnerable to Improper Restriction of XML External Entity Reference.

via "National Vulnerability Database".
‼ CVE-2021-42261 ‼

Revisor Video Management System (VMS) before 2.0.0 has a directory traversal vulnerability. Successful exploitation could allow an attacker to traverse the file system and access files or directories outside of the restricted directory on the remote server. This could lead to the disclosure of sensitive data on the vulnerable server.

via "National Vulnerability Database".
‼ CVE-2021-36512 ‼

An issue was discovered in the function scanallsubs in src/sbbs3/scansubs.cpp in Synchronet BBS, which may allow attackers to view sensitive information due to an uninitialized value.

via "National Vulnerability Database".
‼ CVE-2021-38486 ‼

The cloud portal of InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 allows self-registration of the affected product without any requirements to create an account, which may allow an attacker to gain full control over the product and execute code within the internal network to which the product is connected.

via "National Vulnerability Database".
‼ CVE-2021-38478 ‼

InHand Networks IR615 Router versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to an attacker using a traceroute tool to inject commands into the device. This may allow the attacker to remotely run commands on behalf of the device.

via "National Vulnerability Database".