🛡 Cybersecurity & Privacy 🛡 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-41183 ‼

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various `*Text` options are now always treated as pure text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

via "National Vulnerability Database".
‼ CVE-2021-41175 ‼

Pi-hole's Web interface (based on AdminLTE) provides a central location to manage one's Pi-hole and review the statistics generated by FTLDNS. Prior to version 5.8, cross-site scripting is possible when adding a client via the groups-clients management page. This issue was patched in version 5.8.

via "National Vulnerability Database".
‼ CVE-2021-37364 ‼

OpenClinic GA 5.194.18 is affected by Insecure Permissions. By default the Authenticated Users group has the modify permission on openclinic folders/files. A low privilege account is able to rename the mysqld.exe or tomcat8.exe files located in the bin folders and replace them with a malicious file that would connect back to an attacking computer, giving system level privileges (nt authority\system) because the service runs as Local System. While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also has unquoted service path issues.

via "National Vulnerability Database".
‼ CVE-2021-41188 ‼

Shopware is open source e-commerce software. Versions prior to 5.7.6 contain a cross-site scripting vulnerability. This issue is patched in version 5.7.6. Two workarounds are available. Using the security plugin or adding a particular config to the `.htaccess` file will protect against cross-site scripting in this case. There is also a config for those using nginx as a server. The plugin and the configs can be found on the GitHub Security Advisory page for this vulnerability.

via "National Vulnerability Database".
‼ CVE-2021-41158 ‼

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, an attacker can perform a SIP digest leak attack against FreeSWITCH and receive the challenge response of a gateway configured on the FreeSWITCH server. This is done by challenging FreeSWITCH's SIP requests with the realm set to that of the gateway, thus forcing FreeSWITCH to respond with the challenge response, which is based on the password of the targeted gateway. Abuse of this vulnerability allows attackers to potentially recover gateway passwords by performing a fast offline password cracking attack on the challenge response. The attacker does not require special network privileges, such as the ability to sniff FreeSWITCH's network traffic, to exploit this issue. Instead, what is required for this attack to work is the ability to cause the victim server to send SIP request messages to the malicious party. Additionally, to exploit this issue, the attacker needs to specify the correct realm, which might in some cases be considered secret. However, because many gateways are actually public, this information can easily be retrieved. The vulnerability appears to be due to the code which handles challenges in `sofia_reg.c`, `sofia_reg_handle_sip_r_challenge()`, which does not check whether the challenge originates from the actual gateway. The lack of these checks allows arbitrary UACs (and gateways) to challenge any request sent by FreeSWITCH with the realm of the gateway being targeted. This issue is patched in version 10.10.7. Maintainers recommend creating an association between the SIP session of each gateway and its realm, and checking that association when responding to challenges.

via "National Vulnerability Database".
‼ CVE-2021-41172 ‼

AS_Redis is an AntSword plugin for Redis. The Redis Manage plugin for AntSword prior to version 0.5 is vulnerable to Self-XSS due to insufficient input validation and sanitization via the redis server configuration. Self-XSS in the plugin configuration leads to code execution. This issue is patched in version 0.5.

via "National Vulnerability Database".
‼ CVE-2021-37363 ‼

An Insecure Permissions issue exists in Gestionale Open 11.00.00. A low privilege account is able to rename the mysqld.exe file located in the bin folder and replace it with a malicious file that would connect back to an attacking computer, giving system level privileges (nt authority\system) because the service runs as Local System. While a low privilege user is unable to restart the service through the application, a restart of the computer triggers the execution of the malicious file. The application also has unquoted service path issues.

via "National Vulnerability Database".
‼ CVE-2021-41182 ‼

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.

via "National Vulnerability Database".
🦿 9 key security threats that organizations will face in 2022 🦿

Supply chain attacks, misinformation campaigns, mobile malware and larger scale data breaches are just some of the threats to watch for next year, Check Point Software says.


via "Tech Republic".
🦿 Phishing attack exploits Craigslist and Microsoft OneDrive 🦿

A phishing campaign took advantage of the mail relay function on Craigslist, which allows attackers to remain anonymous, Inky says.


via "Tech Republic".
❌ Attackers Hijack Craigslist Emails to Deliver Malware ❌

Fake Craigslist emails that abuse Microsoft OneDrive warn users that their ads contain "inappropriate content."

via "Threat Post".
⚠ Listen up 4 – CYBERSECURITY FIRST! Purple teaming – learning to think like your adversaries ⚠

Michelle Farenci knows her stuff, because she's a cybersecurity practitioner inside a cybersecurity company! Learn why thinking like an attacker makes you a better defender.


via "Naked Security".
⚠ Cybersecurity Awareness Month: Listen up – CYBERSECURITY FIRST! ⚠

Fraser Howard of SophosLabs is truly a world expert in fighting malware. Read now, and learn from the best!

via "Naked Security".
⚠ Banking scam uses Docusign phish to thieve 2FA codes ⚠

This scam is obviously inapplicable to 999 people in every 1000... but there are LOTS of 1-in-1000 people in the world!


via "Naked Security".
⚠ Listen up 2 – CYBERSECURITY FIRST! How to protect yourself from supply chain attacks ⚠

Everyone remembers this year's big-news supply chain attacks on Kaseya and SolarWinds. Sophos expert Chester Wisniewski explains how to control the risk.


via "Naked Security".
⚠ Listen up 3 – CYBERSECURITY FIRST! Cyberinsurance, help or hindrance? ⚠

Dr Jason Nurse, Associate Professor in Cybersecurity at the University of Kent, takes on the controversial topic of cyberinsurance.


via "Naked Security".
β™ŸοΈ FBI Raids Chinese Point-of-Sale Giant PAX Technology β™ŸοΈ

U.S. federal investigators today raided the U.S. offices of PAX Technology, a Chinese provider of point-of-sale devices used by millions of businesses and retailers globally. KrebsOnSecurity has learned the raid is tied to reports that PAX's systems may have been involved in cyberattacks on U.S. and E.U. organizations.

πŸ“– Read

via "Krebs on Security".
‼ CVE-2021-35499 ‼

The Web Reporting component of TIBCO Software Inc.'s TIBCO Nimbus contains easily exploitable Stored Cross Site Scripting (XSS) vulnerabilities that allow a low privileged attacker to social engineer a legitimate user with network access to execute scripts targeting the affected system or the victim's local system. A successful attack using this vulnerability requires human interaction from a person other than the attacker. Affected releases are TIBCO Software Inc.'s TIBCO Nimbus: versions 10.4.0 and below.

via "National Vulnerability Database".
🕴 DoJ & Europol Arrest 150 in Disruption of DarkNet Drug Operation 🕴

Operation Dark HunTor targeted opioid traffickers on the DarkNet, leading to the seizure of weapons, drugs, and $31 million.

via "Dark Reading".
🕴 Are Baby Boomers More Vulnerable Online Than Younger Generations? You Might Be Surprised 🕴

Growing up with computers and the Internet doesn't necessarily convey all the advantages often attributed to younger users.

via "Dark Reading".
❌ Why the Next-Generation of Application Security Is Needed ❌

New software and code stand at the core of everything we do, but how well is all of this new code tested? Luckily, autonomous application security is here.


via "Threat Post".