βΌ CVE-2021-25971 βΌ
π Read
via "National Vulnerability Database".
In Camaleon CMS, versions 2.0.1 to 2.6.0 are vulnerable to an Uncaught Exception. The app's media upload feature crashes permanently when an attacker with a low privileged access uploads a specially crafted .svg fileπ Read
via "National Vulnerability Database".
ποΈ Historic scientific notation bug foils WAF defenses ποΈ
π Read
via "The Daily Swig".
AWS WAF and ModSecurity get βblinded by scienceβπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Historic scientific notation bug foils WAF defenses
AWS WAF and ModSecurity get βblinded by scienceβ
β βTo the moon!β Cryptocurrency hamster Mr Goxx trades online 24/7 β
π Read
via "Naked Security".
Here's a happy cryptocurrency story for once, with not a cybercrook in sight.π Read
via "Naked Security".
Naked Security
βTo the moon!β Cryptocurrency hamster Mr Goxx trades online 24/7
Hereβs a happy cryptocurrency story for once, with not a cybercrook in sight.
βΌ CVE-2021-21747 βΌ
π Read
via "National Vulnerability Database".
ZTE MF971R product has reflective XSS vulnerability. An attacker could use the vulnerability to obtain cookie information.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3542 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-42739. Reason: This candidate is a reservation duplicate of CVE-2021-42739. Notes: All CVE users should reference CVE-2021-42739 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21746 βΌ
π Read
via "National Vulnerability Database".
ZTE MF971R product has reflective XSS vulnerability. An attacker could use the vulnerability to obtain cookie information.π Read
via "National Vulnerability Database".
π΄ Passwordless Is the Future β¦ but What About the Present? π΄
π Read
via "Dark Reading".
Password managers, single sign-on, and multifactor authentication each offers its own methodology and unique set of benefits β and drawbacks β to users.π Read
via "Dark Reading".
Dark Reading
Passwordless Is the Future β¦ but What About the Present?
Password managers, single sign-on, and multifactor authentication each offers its own methodology and unique set of benefits β and drawbacks β to users.
β VPN Exposes Data for 1M Users, Leading to Researcher Questioning β
π Read
via "Threat Post".
Experts warn that virtual private networks are increasingly vulnerable to leaks and attack.π Read
via "Threat Post".
Threat Post
VPN Exposes Data for 1M Users, Leading to Researcher Questioning
Experts warn that virtual private networks are increasingly vulnerable to leaks and attack.
βΌ CVE-2021-21749 βΌ
π Read
via "National Vulnerability Database".
ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerabilities to execute arbitrary code.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21743 βΌ
π Read
via "National Vulnerability Database".
ZTE MF971R product has a CRLF injection vulnerability. An attacker could exploit the vulnerability to modify the HTTP response header information through a specially crafted HTTP request.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21744 βΌ
π Read
via "National Vulnerability Database".
ZTE MF971R product has a configuration file control vulnerability. An attacker could use this vulnerability to modify the configuration parameters of the device, causing some security functions of the device to be disabled.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21745 βΌ
π Read
via "National Vulnerability Database".
ZTE MF971R product has a Referer authentication bypass vulnerability. Without CSRF verification, an attackercould use this vulnerability to perform illegal authorization operations by sending a request to the user to click.π Read
via "National Vulnerability Database".
βΌ CVE-2021-21748 βΌ
π Read
via "National Vulnerability Database".
ZTE MF971R product has two stack-based buffer overflow vulnerabilities. An attacker could exploit the vulnerabilities to execute arbitrary code.π Read
via "National Vulnerability Database".
π Government Agencies Warn Against BlackMatter Ransomware π
π Read
via "".
CISA, the FBI, and NSA provided defenders with tips to protect networks and mitigations to prevent the spread of the ransomware.π Read
via "".
Digital Guardian
Government Agencies Warn Against BlackMatter Ransomware
CISA, the FBI, and NSA provided defenders with tips to protect networks and mitigations to prevent the spread of the ransomware.
β Google Crushes YouTube Cookie-Stealing Channel Hijackers β
π Read
via "Threat Post".
Google has caught and brushed off a bunch of cookie-stealing YouTube channel hijackers who were running cryptocurrency scams on, or auctioning off, ripped-off channels. π Read
via "Threat Post".
Threat Post
Google Crushes YouTube Cookie-Stealing Channel Hijackers
Google has caught and brushed off a bunch of cookie-stealing YouTube channel hijackers who were running cryptocurrency scams on, or auctioning off, ripped-off channels.
π΄ Removing Friction for the Enterprise With Trusted Access π΄
π Read
via "Dark Reading".
Our work lives are supposed to be simpler and easier because of technology. At least thatβs the promise.π Read
via "Dark Reading".
Dark Reading
Removing Friction for the Enterprise With Trusted Access
Our work lives are supposed to be simpler and easier because of technology. At least thatβs the promise.
βΌ CVE-2021-42762 βΌ
π Read
via "National Vulnerability Database".
BubblewrapLauncher.cpp in WebKitGTK and WPE WebKit before 2.34.1 allows a limited sandbox bypass that allows a sandboxed process to trick host processes into thinking the sandboxed process is not confined by the sandbox, by abusing VFS syscalls that manipulate its filesystem namespace. The impact is limited to host services that create UNIX sockets that WebKit mounts inside its sandbox, and the sandboxed process remains otherwise confined. NOTE: this is similar to CVE-2021-41133.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41167 βΌ
π Read
via "National Vulnerability Database".
modern-async is an open source JavaScript tooling library for asynchronous operations using async/await and promises. In affected versions a bug affecting two of the functions in this library: forEachSeries and forEachLimit. They should limit the concurrency of some actions but, in practice, they don't. Any code calling these functions will be written thinking they would limit the concurrency but they won't. This could lead to potential security issues in other projects. The problem has been patched in 1.0.4. There is no workaround.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38896 βΌ
π Read
via "National Vulnerability Database".
IBM QRadar Advisor 2.5 through 2.6.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 209566.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41135 βΌ
π Read
via "National Vulnerability Database".
The Cosmos-SDK is a framework for building blockchain applications in Golang. Affected versions of the SDK were vulnerable to a consensus halt due to non-deterministic behaviour in a ValidateBasic method in the x/authz module. The MsgGrant of the x/authz module contains a Grant field which includes a user-defined expiration time for when the authorization grant expires. In Grant.ValidateBasic(), that time is compared to the nodeΓΒ’Γ’β¬ÒβΒ’s local clock time. Any chain running an affected version of the SDK with the authz module enabled could be halted by anyone with the ability to send transactions on that chain. Recovery would require applying the patch and rolling back the latest block. Users are advised to update to version 0.44.2.π Read
via "National Vulnerability Database".
π΄ Execs From Now-Defunct GigaTrust Arrested in $50M Fraud Scheme π΄
π Read
via "Dark Reading".
Email endpoint security-as-a-service company founder and two others indicted in an elaborate financial fraud scheme.π Read
via "Dark Reading".
Dark Reading
Execs From Now-Defunct GigaTrust Arrested in $50M Fraud Scheme
Email endpoint security-as-a-service company founder and two others indicted in an elaborate financial fraud scheme.