βΌ CVE-2021-42771 βΌ
π Read
via "National Vulnerability Database".
Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing serialized Python objects) via directory traversal, leading to code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42765 βΌ
π Read
via "National Vulnerability Database".
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to leverage network delay to cause a denial of service (indefinite stalling of consensus decisions).π Read
via "National Vulnerability Database".
βΌ CVE-2021-42766 βΌ
π Read
via "National Vulnerability Database".
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to cause a denial of service (long-range consensus chain reorganizations), even when this adversary has little stake and cannot influence network message propagation. This can cause a protocol stall, or an increase in the profits of individual validators.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42764 βΌ
π Read
via "National Vulnerability Database".
The Proof-of-Stake (PoS) Ethereum consensus protocol through 2021-10-19 allows an adversary to cause a denial of service (delayed consensus decisions), and also increase the profits of individual validators, via short-range reorganizations of the underlying consensus chain.π Read
via "National Vulnerability Database".
βΌ CVE-2021-40121 βΌ
π Read
via "National Vulnerability Database".
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34736 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Integrated Management Controller (IMC) Software could allow an unauthenticated, remote attacker to cause the web-based management interface to unexpectedly restart. The vulnerability is due to insufficient input validation on the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to cause the interface to restart, resulting in a denial of service (DoS) condition.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39126 βΌ
π Read
via "National Vulnerability Database".
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to modify various resources via a Cross-Site Request Forgery (CSRF) vulnerability, following an Information Disclosure vulnerability in the referrer headers which discloses a user's CSRF token. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.2.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42096 βΌ
π Read
via "National Vulnerability Database".
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A certain csrf_token value is derived from the admin password, and may be useful in conducting a brute-force attack against that password.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34760 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34789 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Tetration could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack on an affected system. This vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker would need valid administrative credentials.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39127 βΌ
π Read
via "National Vulnerability Database".
Affected versions of Atlassian Jira Server and Data Center allow anonymous remote attackers to the query component JQL endpoint via a Broken Access Control vulnerability (BAC) vulnerability. The affected versions are before version 8.5.10, and from version 8.6.0 before 8.13.1.π Read
via "National Vulnerability Database".
βΌ CVE-2021-40122 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in an API of the Call Bridge feature of Cisco Meeting Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper handling of large series of message requests. An attacker could exploit this vulnerability by sending a series of messages to the vulnerable API. A successful exploit could allow the attacker to cause the affected device to reload, dropping all ongoing calls and resulting in a DoS condition.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34743 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the application integration feature of Cisco Webex Software could allow an unauthenticated, remote attacker to authorize an external application to integrate with and access a user's account without that user's express consent. This vulnerability is due to improper validation of cross-site request forgery (CSRF) tokens. An attacker could exploit this vulnerability by convincing a targeted user who is currently authenticated to Cisco Webex Software to follow a link designed to pass malicious input to the Cisco Webex Software application authorization interface. A successful exploit could allow the attacker to cause Cisco Webex Software to authorize an application on the user's behalf without the express consent of the user, possibly allowing external applications to read data from that user's profile.π Read
via "National Vulnerability Database".
βΌ CVE-2021-1529 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with root privileges. The vulnerability is due to insufficient input validation by the system CLI. An attacker could exploit this vulnerability by authenticating to an affected device and submitting crafted input to the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2021-34738 βΌ
π Read
via "National Vulnerability Database".
Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) Software could allow an attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. For more information about these vulnerabilities, see the Details section of this advisory.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42097 βΌ
π Read
via "National Vulnerability Database".
GNU Mailman before 2.1.35 may allow remote Privilege Escalation. A csrf_token value is not specific to a single user account. An attacker can obtain a value within the context of an unprivileged user account, and then use that value in a CSRF attack against an admin (e.g., for account takeover).π Read
via "National Vulnerability Database".
βΌ CVE-2021-40123 βΌ
π Read
via "National Vulnerability Database".
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative read-only privileges to download files that should be restricted. This vulnerability is due to incorrect permissions settings on an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request to the device. A successful exploit could allow the attacker to download files that should be restricted.π Read
via "National Vulnerability Database".
ποΈ Security pre-advisories: A simple way to improve the patch management process ποΈ
π Read
via "The Daily Swig".
Improving enterprise security, one patch at a timeπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Security pre-advisories: A simple way to improve the patch management process
Improving enterprise security, one patch at a time
π΄ Proposed HTTPA Protocol Uses TEEs to Secure the Web π΄
π Read
via "Dark Reading".
Intel researchers describe how Trusted Execution Environments can enhance HTTPS and boost web security.π Read
via "Dark Reading".
Dark Reading
Proposed HTTPA Protocol Uses TEEs to Secure the Web
Intel researchers describe how Trusted Execution Environments can enhance HTTPS and boost Web security.
β Why is Cybersecurity Failing Against Ransomware? β
π Read
via "Threat Post".
Hardly a week goes by without another major company falling victim to a ransomware attack. Nate Warfield, CTO at Prevailion, discusses the immense challenges in changing that status quo.π Read
via "Threat Post".
Threat Post
Why is Cybersecurity Failing Against Ransomware?
Hardly a week goes by without another major company falling victim to a ransomware attack. Nate Warfield, CTO at Prevailion, discusses the immense challenges in changing that status quo.
ποΈ Bulletproof hosting duo jailed over support of cyber-attacks against US targets ποΈ
π Read
via "The Daily Swig".
Attacks leveraging defendantsβ infrastructure inflicted heavy financial losses on victimsπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Bulletproof hosting duo jailed over support of cyber-attacks against US targets
Attacks leveraging defendantsβ infrastructure inflicted heavy financial losses on victims