🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-35228 ‼

This vulnerability is due to missing input sanitization of an output field that is extracted from request headers on a specific section of a page, resulting in reflected cross-site scripting. An attacker would need to perform a man-in-the-middle attack in order to change the header for a remote victim.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-35227 ‼

The HTTP interface was enabled for the RabbitMQ plugin in ARM 2020.2.6, and the ability to configure HTTPS was not available.

📖 Read

via "National Vulnerability Database".
🕴 Akamai Technologies Completes Acquisition of Guardicore to Extend Its Zero Trust Solutions to Help Stop Ransomware 🕴

Guardicore's micro-segmentation products will be added to Akamai's portfolio of Zero Trust solutions.

📖 Read

via "Dark Reading".
🕴 Malware Abuses Core Features of Discord 🕴

Researchers warn that Discord's bot framework can be easily weaponized.

📖 Read

via "Dark Reading".
🕴 Cybrary Launches New Partnership with Check Point Software to Make Cybersecurity Training Accessible to All 🕴

Online cybersecurity professional development platform bolsters the Check Point Education Initiative.

📖 Read

via "Dark Reading".
🕴 Google Buckles Down on Android Enterprise Security 🕴

The launch of Android 12 brings several new default security features, along with new security efforts for Android Enterprise.

📖 Read

via "Dark Reading".
‼ CVE-2021-40719 ‼

Adobe Connect version 11.2.2 (and earlier) is affected by a Deserialization of Untrusted Data vulnerability that allows arbitrary method invocation when AMF messages are deserialized on an Adobe Connect server. An attacker can leverage this to achieve remote code execution on the server.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-39321 ‼

Version 3.3.23 of the Sassy Social Share WordPress plugin is vulnerable to PHP Object Injection via the wp_ajax_heateor_sss_import_config AJAX action, due to deserialization of unvalidated user-supplied input in the import_config function found in the ~/admin/class-sassy-social-share-admin.php file. This can be exploited by low-privileged authenticated users because the import_config function lacks a capability check.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-39357 ‼

The Leaky Paywall WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and sanitization in the ~/class.php file, which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.16.5. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41168 ‼

Snudown is a reddit-specific fork of Sundown, the Markdown parser used by GitHub, with Python integration added. In affected versions, snudown's reference table implementation is vulnerable to denial-of-service attacks. References written in Markdown as `[reference_name]: https://www.example.com` are inserted into a hash table whose hash function was found to be weak, meaning that an attacker can reliably generate a large number of collisions for it. This makes the hash table vulnerable to a hash-collision DoS attack, a type of algorithmic-complexity attack. Further, the hash table allowed duplicate entries, resulting in long retrieval times. Proofs of concept and further discussion of the hash-collision issue are in the snudown GHSA (https://github.com/reddit/snudown/security/advisories/GHSA-6gvv-9q92-w5f6). Users are advised to update to version 1.7.0.

📖 Read

via "National Vulnerability Database".
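The collision attack described above, as an added Python example that is not snudown's code (snudown itself is C): the byte-sum hash is an illustrative stand-in for a weak hash function, not snudown's actual one, the reference names are constructed attacker input, and the `RefTable` class and its counters are the example's own. It builds a Markdown document of reference definitions whose names all land in one bucket, counts the string comparisons the table performs, and then repeats the workload under a keyed hash and with duplicate definitions replaced instead of appended.

```python
import hashlib
import itertools
import os
from typing import Callable, List, Optional, Tuple

Hash = Callable[[str], int]


def weak_hash(name: str) -> int:
    """Illustrative weak hash (not snudown's): the sum of the name's bytes.
    It ignores character order, so every anagram of a name collides."""
    return sum(name.encode("utf-8"))


def keyed_hash(secret: Optional[bytes] = None) -> Hash:
    """Keyed BLAKE2b truncated to 64 bits. Without the per-process secret an
    attacker cannot predict which names share a bucket, so collisions cannot
    be manufactured offline."""
    key = secret or os.urandom(16)

    def h(name: str) -> int:
        digest = hashlib.blake2b(name.encode("utf-8"), key=key, digest_size=8).digest()
        return int.from_bytes(digest, "big")

    return h


class RefTable:
    """Separate-chaining table from reference name to URL, standing in for a
    Markdown reference table. `comparisons` counts string comparisons, the
    work an attacker wants to maximise. allow_duplicates=True keeps repeated
    definitions in the chain instead of replacing them, the behaviour the
    advisory describes as causing long retrieval times."""

    def __init__(self, hash_fn: Hash, buckets: int = 1024, allow_duplicates: bool = False) -> None:
        self.hash_fn = hash_fn
        self.chains: List[List[Tuple[str, str]]] = [[] for _ in range(buckets)]
        self.allow_duplicates = allow_duplicates
        self.comparisons = 0

    def _chain(self, name: str) -> List[Tuple[str, str]]:
        return self.chains[self.hash_fn(name) % len(self.chains)]

    def define(self, name: str, url: str) -> None:
        chain = self._chain(name)
        if not self.allow_duplicates:
            for i, (existing, _) in enumerate(chain):
                self.comparisons += 1
                if existing == name:
                    chain[i] = (name, url)  # redefinition replaces the entry
                    return
        chain.append((name, url))

    def resolve(self, name: str) -> Optional[str]:
        for existing, url in self._chain(name):
            self.comparisons += 1
            if existing == name:
                return url
        return None


def colliding_names(count: int, alphabet: str = "abcdefgh") -> List[str]:
    """Constructed attacker input: permutations of one alphabet. All have the
    same byte sum and therefore the same weak_hash bucket."""
    return ["".join(p) for p in itertools.islice(itertools.permutations(alphabet), count)]


def markdown_document(names: List[str]) -> str:
    """Render the names as Markdown reference definitions, the payload an attacker would post."""
    return "\n".join(f"[{n}]: https://example.com/{n}" for n in names)


def parse_references(doc: str, table: RefTable) -> None:
    """Minimal reference-definition parser for the documents markdown_document() produces."""
    for line in doc.splitlines():
        name, url = line[1:].split("]: ", 1)
        table.define(name, url)


def attack_cost(hash_fn: Hash, count: int) -> int:
    """Comparisons needed to define `count` colliding references and resolve each one.
    Quadratic under weak_hash, roughly linear under keyed_hash()."""
    table = RefTable(hash_fn)
    parse_references(markdown_document(colliding_names(count)), table)
    for name in colliding_names(count):
        table.resolve(name)
    return table.comparisons


def duplicate_cost(repeats: int, allow_duplicates: bool) -> int:
    """Comparisons to resolve one name after another name in the same bucket
    was defined `repeats` times: the duplicate-entry problem in isolation."""
    table = RefTable(weak_hash, allow_duplicates=allow_duplicates)
    for _ in range(repeats):
        table.define("aabb", "https://example.com/1")
    table.define("abab", "https://example.com/2")  # same byte sum, same bucket
    table.comparisons = 0
    table.resolve("abab")
    return table.comparisons
```

With 2,000 colliding definitions the weak table performs n² comparisons, while the keyed table stays close to one comparison per operation; replacing rather than appending duplicate definitions keeps a repeated name from lengthening the chain for everyone else in its bucket.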
‼ CVE-2021-39356 ‼

The Content Staging WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient input validation and escaping of several parameters that are echoed out in the ~/templates/settings.php file, which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.0.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-36869 ‼

Reflected Cross-Site Scripting (XSS) vulnerability in the WordPress Ivory Search plugin (versions <= 4.6.6). Vulnerable parameter: &post.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-39328 ‼

The Simple Job Board WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping of the $job_board_privacy_policy_label variable echoed out in the ~/admin/settings/class-simple-job-board-settings-privacy.php file, which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 2.9.4. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-22034 ‼

Releases prior to VMware vRealize Operations Tenant App 8.6 contain an Information Disclosure Vulnerability.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-39354 ‼

The Easy Digital Downloads WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the $start_date and $end_date parameters found in the ~/includes/admin/payments/class-payments-table.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 2.11.2.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41169 ‼

Sulu is an open-source PHP content management system based on the Symfony framework. Versions before 1.6.43 are subject to stored cross-site scripting: HTML input in tag names is not properly sanitized. Only admin users are allowed to create tags. Users are advised to upgrade.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41127 ‼

Rasa is an open source machine learning framework to automate text- and voice-based conversations. In affected versions, a vulnerability exists in the functionality that loads a trained model `tar.gz` file, which allows a malicious actor to craft a `model.tar.gz` file that overwrites or replaces bot files in the bot directory. The vulnerability is fixed in Rasa 2.8.10. Users unable to update should ensure that untrusted model files are not uploaded, and restrict CLI or API endpoint access where a malicious actor could target a deployed Rasa instance.

📖 Read

via "National Vulnerability Database".
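The extraction failure described above, as an added Python example that is not Rasa's code and does not reproduce Rasa's fix: `safe_extract` audits every entry of a constructed `model.tar.gz` before writing anything and refuses names that resolve outside the destination (`..` segments or absolute names), links of either kind, and special files; only regular files and directories are then copied out by hand, so no tar metadata is honoured. `build_tar`, the entry names and the `UnsafeArchiveMember` exception are the example's own.

```python
import io
import os
import tarfile
from typing import Dict, List, Optional


class UnsafeArchiveMember(ValueError):
    """Raised when an archive entry would write outside the destination."""


def _inside(dest: str, target: str) -> bool:
    # Compare canonical paths component-wise: a startswith() check would
    # accept "/bots/abc-evil/x" as being under "/bots/abc".
    dest_real = os.path.realpath(dest)
    return os.path.commonpath([dest_real, os.path.realpath(target)]) == dest_real


def audit_archive(archive: bytes, dest: str) -> List[str]:
    """Return the names of every entry that must not be extracted into dest."""
    bad: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            if not (m.isfile() or m.isdir()):
                bad.append(m.name)  # symlink, hardlink, device, fifo: can point anywhere
            elif not _inside(dest, os.path.join(dest, m.name)):
                bad.append(m.name)  # ".." or absolute name escapes dest
    return bad


def safe_extract(archive: bytes, dest: str) -> List[str]:
    """Validate every entry first, then copy regular files and directories.
    Raises before writing anything if any entry is unsafe; returns the
    names extracted, in archive order."""
    bad = audit_archive(archive, dest)
    if bad:
        raise UnsafeArchiveMember(f"refusing archive, unsafe entries: {bad}")
    extracted: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                src = tar.extractfile(m)
                assert src is not None  # regular files always have a stream
                with open(target, "wb") as out:
                    out.write(src.read())
            extracted.append(m.name)
    return extracted


def build_tar(files: Dict[str, bytes], symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Constructed in-memory test archive: files maps name -> content,
    symlinks maps name -> link target. Names are stored verbatim, which is
    exactly how a crafted model.tar.gz carries '..' or absolute paths."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
        for name, link_target in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = link_target
            tar.addfile(info)
    return buf.getvalue()
```

The audit runs over the whole archive before the first write, so a crafted model cannot land a benign-looking entry and then an overwrite of a sibling configuration file. On Python 3.12 and later, `tarfile.TarFile.extractall(filter="data")` performs comparable checks; the explicit audit keeps the policy visible and works on older interpreters.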
‼ CVE-2021-39348 ‼

The LearnPress WordPress plugin is vulnerable to Stored Cross-Site Scripting due to insufficient escaping of the $custom_profile parameter found in the ~/inc/admin/views/backend-user-profile.php file, which allows attackers with administrative user access to inject arbitrary web scripts, in versions up to and including 4.1.3.1. This affects multi-site installations where unfiltered_html is disabled for administrators, and sites where unfiltered_html is disabled. Please note that this is separate from CVE-2021-24702.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-39352 ‼

The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation. This makes it possible for an attacker with administrative privileges to upload malicious files that can be used to achieve remote code execution.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-27746 ‼

"HCL Connections Security Update for Reflected Cross-Site Scripting (XSS) Vulnerability"

📖 Read

via "National Vulnerability Database".
πŸ—“οΈ EU ban on anonymous domain registration welcomed by threat intel firm πŸ—“οΈ

β€˜This raises the bar and makes it expensive for easy cyber criminality,’ argues DomainTools

πŸ“– Read

via "The Daily Swig".