‼ CVE-2021-41145 ‼
📖 Read
via "National Vulnerability Database".
Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. FreeSWITCH prior to version 1.10.7 is susceptible to Denial of Service via SIP flooding. When flooding FreeSWITCH with SIP messages, it was observed that after a number of seconds the process was killed by the operating system due to memory exhaustion. By abusing this vulnerability, an attacker is able to crash any FreeSWITCH instance by flooding it with SIP messages, leading to Denial of Service. The attack does not require authentication and can be carried out over UDP, TCP or TLS. This issue was patched in version 1.10.7.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39225 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud is an open-source, self-hosted productivity platform. A missing permission check in Nextcloud Deck before 1.2.9, 1.4.5 and 1.5.3 allows another authenticated users to access Deck cards of another user. It is recommended that the Nextcloud Deck App is upgraded to 1.2.9, 1.4.5 or 1.5.3. There are no known workarounds aside from upgrading.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-38260 ‼
📖 Read
via "National Vulnerability Database".
NXP MCUXpresso SDK v2.7.0 was discovered to contain a buffer overflow in the function USB_HostParseDeviceConfigurationDescriptor().📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41178 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud is an open-source, self-hosted productivity platform. Prior to versions 20.0.13, 21.0.5, and 22.2.0, a file traversal vulnerability makes an attacker able to download arbitrary SVG images from the host system, including user provided files. This could also be leveraged into a XSS/phishing attack, an attacker could upload a malicious SVG file that mimics the Nextcloud login form and send a specially crafted link to victims. The XSS risk here is mitigated due to the fact that Nextcloud employs a strict Content-Security-Policy disallowing execution of arbitrary JavaScript. It is recommended that the Nextcloud Server be upgraded to 20.0.13, 21.0.5 or 22.2.0. There are no known workarounds aside from upgrading.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39223 ‼
📖 Read
via "National Vulnerability Database".
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Richdocuments application prior to versions 3.8.6 and 4.2.3 returned verbatim exception messages to the user. This could result in a full path disclosure on shared files. (e.g. an attacker could see that the file `shared.txt` is located within `/files/$username/Myfolder/Mysubfolder/shared.txt`). It is recommended that the Richdocuments application is upgraded to 3.8.6 or 4.2.3. As a workaround, disable the Richdocuments application in the app settings.📖 Read
via "National Vulnerability Database".
🕴 Forcepoint Completes Acquisition of Bitglass 🕴
📖 Read
via "Dark Reading".
The acquisition of Bitglass will be the third technology acquisition for Forcepoint this year.📖 Read
via "Dark Reading".
Dark Reading
Forcepoint Completes Acquisition of Bitglass
The acquisition of Bitglass will be the third technology acquisition for Forcepoint this year.
🕴 Jumio Launches End-to-end Orchestration for its KYX Platform 🕴
📖 Read
via "Dark Reading".
Platform combines digital identity proofing, compliance verification and anti-money laundering checks.📖 Read
via "Dark Reading".
Dark Reading
Jumio Launches End-to-end Orchestration for its KYX Platform
Platform combines digital identity proofing, compliance verification and anti-money laundering checks.
🕴 OpenText Strengthens Ransomware Resilience 🕴
📖 Read
via "Dark Reading".
New detection and alert functions within Carbonite Server increase data protection against ransomware.📖 Read
via "Dark Reading".
Dark Reading
OpenText Strengthens Ransomware Resilience
New detection and alert functions within Carbonite Server increase data protection against ransomware.
🕴 Wardrivers Can Still Easily Crack 70% of WiFi Passwords 🕴
📖 Read
via "Dark Reading".
Weaknesses in the current WiFi standard and poorly chosen passwords allowed one wardriver to recover 70% of wireless network passwords.📖 Read
via "Dark Reading".
Dark Reading
Wardrivers Can Still Easily Crack 70% of Wi-Fi Passwords
Weaknesses in the current Wi-Fi standard and poorly chosen passwords allowed one wardriver to recover 70% of wireless network passwords.
‼ CVE-2020-5669 ‼
📖 Read
via "National Vulnerability Database".
Cross-site scripting vulnerability in Movable Type Movable Type Premium 1.37 and earlier and Movable Type Premium Advanced 1.37 and earlier allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40344 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Nagios XI 5.8.5. In the Custom Includes section of the Admin panel, an administrator can upload files with arbitrary extensions as long as the MIME type corresponds to an image. Therefore it is possible to upload a crafted PHP script to achieve remote command execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34583 ‼
📖 Read
via "National Vulnerability Database".
Crafted web server requests may cause a heap-based buffer overflow and could therefore trigger a denial-of- service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34585 ‼
📖 Read
via "National Vulnerability Database".
In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests can trigger a parser error. Since the parser result is not checked under all conditions, a pointer dereference with an invalid address can occur. This leads to a denial of service situation.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34595 ‼
📖 Read
via "National Vulnerability Database".
A crafted request with invalid offsets may cause an out-of-bounds read or write access in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition or local memory overwrite.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34584 ‼
📖 Read
via "National Vulnerability Database".
Crafted web server requests can be utilised to read partial stack or heap memory or may trigger a denial-of- service condition due to a crash in the CODESYS V2 web server prior to V1.1.9.22.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40345 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Nagios XI 5.8.5. In the Manage Dashlets section of the Admin panel, an administrator can upload ZIP files. A command injection (within the name of the first file in the archive) allows an attacker to execute system commands.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34596 ‼
📖 Read
via "National Vulnerability Database".
A crafted request may cause a read access to an uninitialized pointer in CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56, resulting in a denial-of-service condition.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-42343 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Dask (aka python-dask) through 2021.09.1. Single machine Dask clusters started with dask.distributed.LocalCluster or dask.distributed.Client (which defaults to using LocalCluster) would mistakenly configure their respective Dask workers to listen on external interfaces (typically with a randomly selected high port) rather than only on localhost. A Dask cluster created using this method (when running on a machine that has an applicable port exposed) could be used by a sophisticated attacker to achieve remote code execution.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-40343 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Nagios XI 5.8.5. Insecure file permissions on the nagios_unbundler.py file allow the nagios user to elevate their privileges to the root user.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34593 ‼
📖 Read
via "National Vulnerability Database".
In CODESYS V2 Runtime Toolkit 32 Bit full and PLCWinNT prior to versions V2.4.7.56 unauthenticated crafted invalid requests may result in several denial-of-service conditions. Running PLC programs may be stopped, memory may be leaked, or further communication clients may be blocked from accessing the PLC.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34586 ‼
📖 Read
via "National Vulnerability Database".
In the CODESYS V2 web server prior to V1.1.9.22 crafted web server requests may cause a Null pointer dereference in the CODESYS web server and may result in a denial-of-service condition.📖 Read
via "National Vulnerability Database".