‼ CVE-2021-41179 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud is an open-source, self-hosted productivity platform. Prior to Nextcloud Server versions 20.0.13, 21.0.5, and 22.2.0, Two-Factor Authentication was not enforced for pages marked as public. Any page marked as `@PublicPage` could thus be accessed with a valid user session that had not yet completed the second-factor step. This particularly affects the Nextcloud Talk application, as it could be leveraged to gain access to any private chat channel without going through the Two-Factor flow. It is recommended that Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.
‼ CVE-2021-39224 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud OfficeOnline application prior to version 1.1.1 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files (e.g. an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/Mysubfolder/shared.txt`). It is recommended that the OfficeOnline application be upgraded to 1.1.1. As a workaround, one may disable the OfficeOnline application in the app settings.
‼ CVE-2021-41105 ‼
📖 Read
via "National Vulnerability Database".
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. When handling SRTP calls, FreeSWITCH prior to version 1.10.7 is susceptible to a DoS in which calls can be terminated by remote attackers. The attack can be repeated continuously, thus denying encrypted calls for its duration. When a media port that is handling SRTP traffic is flooded with specially crafted SRTP packets, the call is terminated, leading to denial of service. This issue was reproduced when using the SDES key exchange mechanism in a SIP environment as well as when using the DTLS key exchange mechanism in a WebRTC environment. The call disconnection occurs due to line 6331 in the source file `switch_rtp.c`, which disconnects the call when the total number of SRTP errors reaches a hard-coded threshold (100). By abusing this vulnerability, an attacker is able to disconnect any ongoing call that uses SRTP. The attack does not require authentication or any special foothold in the caller's or the callee's network. This issue is patched in version 1.10.7.
‼ CVE-2021-38258 ‼
📖 Read
via "National Vulnerability Database".
NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USB_HostProcessCallback().
‼ CVE-2021-41145 ‼
📖 Read
via "National Vulnerability Database".
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.
‼ CVE-2021-39225 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows an authenticated user to access Deck cards belonging to another user. It is recommended that the Nextcloud Deck app be upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading.
‼ CVE-2021-38260 ‼
📖 Read
via "National Vulnerability Database".
NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USB_HostParseDeviceConfigurationDescriptor().
‼ CVE-2021-41178 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability allows an attacker to download arbitrary SVG images from the host system, including user-provided files. This could also be leveraged into an XSS/phishing attack: an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk is mitigated by the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.
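Added example, not Nextcloud's code: the containment check that an image-download endpoint of the kind affected by CVE-2021-41178 has to perform. The image root, the request strings and the target paths are constructed for illustration; the check is pure path arithmetic, so it runs without any of those directories existing.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote


def vulnerable_svg_path(root: str, requested: str) -> str:
    """The pattern behind file-traversal bugs: the client-supplied name is joined to
    the image directory and never checked to still lie inside it. Note that the
    un-normalised result still *starts with* root, so a naive prefix test passes."""
    return posixpath.join(root, requested)


def safe_svg_path(root: str, requested: str) -> Optional[str]:
    """Resolve `requested` beneath `root` and return the path only if it stays inside
    root and names an .svg file; return None for anything else.

    Assumptions (illustration code, not Nextcloud's router): the value has been
    percent-encoded at most once, and root is an absolute POSIX path.
    """
    requested = unquote(requested)  # decode exactly once so %2e%2e is seen as '..'
    if not requested or "\x00" in requested or requested.startswith("/"):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, requested))
    # Compare on a directory boundary: candidate.startswith(root_norm) alone would
    # accept /srv/img2/x.svg for root /srv/img.
    if not candidate.startswith(root_norm.rstrip("/") + "/"):
        return None
    if posixpath.splitext(candidate)[1].lower() != ".svg":
        return None
    return candidate


# Constructed sample inputs: a legitimate icon request and traversal attempts that
# aim at a user-uploaded SVG in another directory.
IMG_ROOT = "/srv/nextcloud/core/img"
LEGIT = "actions/edit.svg"
TRAVERSAL = "../../data/alice/files/login.svg"
ENCODED_TRAVERSAL = "..%2F..%2Fdata%2Falice%2Ffiles%2Flogin.svg"


def demo() -> dict:
    """Return what each resolver does with the samples, keyed for inspection."""
    return {
        "vulnerable_traversal": vulnerable_svg_path(IMG_ROOT, TRAVERSAL),
        "safe_legit": safe_svg_path(IMG_ROOT, LEGIT),
        "safe_traversal": safe_svg_path(IMG_ROOT, TRAVERSAL),
        "safe_encoded": safe_svg_path(IMG_ROOT, ENCODED_TRAVERSAL),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The boundary comparison is the part most often got wrong: normalise first, then test against `root + "/"`, never against `root` alone. Even with the path scoped correctly, an SVG that came from a user upload is still active content in a browser, which is why the advisory's point about a strict Content-Security-Policy matters: it keeps a phishing SVG from also becoming script execution.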
‼ CVE-2021-39223 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Richdocuments application prior to versions 3.8.6 and 4.2.3 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files (e.g. an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/Mysubfolder/shared.txt`). It is recommended that the Richdocuments application be upgraded to 3.8.6 or 4.2.3. As a workaround, disable the Richdocuments application in the app settings.
🕴 Forcepoint Completes Acquisition of Bitglass 🕴
📖 Read
via "Dark Reading".
The acquisition of Bitglass will be the third technology acquisition for Forcepoint this year.
🕴 Jumio Launches End-to-end Orchestration for its KYX Platform 🕴
📖 Read
via "Dark Reading".
Platform combines digital identity proofing, compliance verification and anti-money laundering checks.
🕴 OpenText Strengthens Ransomware Resilience 🕴
📖 Read
via "Dark Reading".
New detection and alert functions within Carbonite Server increase data protection against ransomware.
🕴 Wardrivers Can Still Easily Crack 70% of WiFi Passwords 🕴
📖 Read
via "Dark Reading".
Weaknesses in the current Wi-Fi standard and poorly chosen passwords allowed one wardriver to recover 70% of wireless network passwords.
‼ CVE-2020-5669 ‼
📖 Read
via "National Vulnerability Database".
Cross-site scripting vulnerability in Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.
‼ CVE-2021-40344 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. It is therefore possible to upload a crafted PHP script and achieve remote command execution.
‼ CVE-2021-34583 ‼
📖 Read
via "National Vulnerability Database".
Crafted web server requests may cause a heap-based buffer overflow and could therefore trigger a denial-of-service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.
‼ CVE-2021-34585 ‼
📖 Read
via "National Vulnerability Database".
In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests can trigger a parser error. Since the parser result is not checked under all conditions, a pointer dereference with an invalid address can occur. This leads to a denial of service situation.
‼ CVE-2021-34595 ‼
📖 Read
via "National Vulnerability Database".
A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to version V2.4.7.56, resulting in a denial-of-service condition or local memory overwrite.
‼ CVE-2021-34584 ‼
📖 Read
via "National Vulnerability Database".
Crafted web server requests can be utilised to read partial stack or heap memory or may trigger a denial-of-service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.
‼ CVE-2021-40345 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.
‼ CVE-2021-34596 ‼
📖 Read
via "National Vulnerability Database".
A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to version V2.4.7.56, resulting in a denial-of-service condition.