‼ CVE-2021-39179 ‼
📖 Read
via "National Vulnerability Database".
DHIS 2 is an information system for data capture, management, validation, analytics and visualization. A SQL Injection vulnerability in the Tracker component in DHIS2 Server allows authenticated remote attackers to execute arbitrary SQL commands via unspecified vectors. This vulnerability affects the `/api/trackedEntityInstances` and `/api/trackedEntityInstances/query` API endpoints in all DHIS2 versions 2.34, 2.35, and 2.36. It also affects versions 2.32 and 2.33 which have reached _end of support_ - exceptional security updates have been added to the latest *end of support* builds for these versions. Versions 2.31 and older are unaffected. The system is vulnerable to attack only from users that are logged in to DHIS2, and there is no known way of exploiting the vulnerability without first being logged in as a DHIS2 user. The vulnerability is not exposed to a non-malicious user - the vulnerability requires a conscious attack to be exploited. A successful exploit of this vulnerability could allow the malicious user to read, edit and delete data in the DHIS2 instance. There are no known exploits of the security vulnerabilities addressed by these patch releases. Security patches are available in DHIS2 versions 2.32-EOS, 2.33-EOS, 2.34.7, 2.35.7, and 2.36.4. There is no straightforward known workaround for DHIS2 instances using the Tracker functionality other than upgrading the affected DHIS2 server to one of the patches in which this vulnerability has been fixed. For implementations which do NOT use Tracker functionality, it may be possible to block all network access to POST to the `/api/trackedEntityInstances`, and `/api/trackedEntityInstances/query` endpoints as a temporary workaround while waiting to upgrade.📖 Read
via "National Vulnerability Database".
🛠 GRAudit Grep Auditing Tool 3.2 🛠
📖 Read
via "Packet Storm Security".
Graudit is a simple script and signature sets that allows you to find potential security flaws in source code using the GNU utility, grep. It's comparable to other static analysis applications like RATS, SWAAT, and flaw-finder while keeping the technical requirements to a minimum and being very flexible.📖 Read
via "Packet Storm Security".
Packetstormsecurity
GRAudit Grep Auditing Tool 3.2 ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
🕴 Cybercriminals Take Aim at Connected Car Infrastructure 🕴
📖 Read
via "Dark Reading".
While car makers are paying more attention to cybersecurity, the evolution of automobiles into "software platforms on wheels" and the quick adoption of new features has put connected cars in the crosshairs.📖 Read
via "Dark Reading".
Dark Reading
IoT recent news | Dark Reading
Explore the latest news and expert commentary on IoT, brought to you by the editors of Dark Reading
🔏 Friday Five 10/29 🔏
📖 Read
via "".
Apple fixes a critical SIP bypass and personal data protection becomes a fundamental right in Brazil - catch up on the infosec news of the week with the Friday Five!📖 Read
via "".
Digital Guardian
Friday Five 10/29
Apple fixes a critical SIP bypass and personal data protection becomes a fundamental right in Brazil - catch up on the infosec news of the week with the Friday Five!
‼ CVE-2021-3756 ‼
📖 Read
via "National Vulnerability Database".
libmysofa is vulnerable to Heap-based Buffer Overflow📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41674 ‼
📖 Read
via "National Vulnerability Database".
An SQL Injection vulnerability exists in Sourcecodester E-Negosyo System 1.0 via the user_email parameter in /admin/login.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41643 ‼
📖 Read
via "National Vulnerability Database".
Remote Code Execution (RCE) vulnerability exists in Sourcecodester Church Management System 1.0 via the image upload field.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41675 ‼
📖 Read
via "National Vulnerability Database".
A Remote Code Execution (RCE) vulnerabilty exists in Sourcecodester E-Negosyo System 1.0 in /admin/produts/controller.php via the doInsert function, which validates images with getImageSizei. .📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41645 ‼
📖 Read
via "National Vulnerability Database".
Remote Code Execution (RCE) vulnerability exists in Sourcecodester Budget and Expense Tracker System 1.0 that allows a remote malicious user to inject arbitrary code via the image upload field. .📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41676 ‼
📖 Read
via "National Vulnerability Database".
An SQL Injection vulnerabilty exists in the oretnom23 Pharmacy Point of Sale System 1.0 in the login function in actions.php.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41644 ‼
📖 Read
via "National Vulnerability Database".
Remote Code Exection (RCE) vulnerability exists in Sourcecodester Online Food Ordering System 2.0 via a maliciously crafted PHP file that bypasses the image upload filters.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41748 ‼
📖 Read
via "National Vulnerability Database".
An Incorrect Access Control issue exists in all versions of Portainer.via an unauthorized access vulnerability. The vulnerability is also CNVD-2021-49547📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41646 ‼
📖 Read
via "National Vulnerability Database".
Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters..📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41746 ‼
📖 Read
via "National Vulnerability Database".
SQL Injection vulnerability exists in all versions of Yonyou TurboCRM.via the orgcode parameter in changepswd.php. Attackers can use the vulnerabilities to obtain sensitive database information.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41874 ‼
📖 Read
via "National Vulnerability Database".
An unauthorized access vulnerabiitly exists in all versions of Portainer, which could let a malicious user obtain sensitive information.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41189 ‼
📖 Read
via "National Vulnerability Database".
DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings.📖 Read
via "National Vulnerability Database".
🦿 Cybercrime: Europol arrests 12 people for ransomware activities possibly affecting 1,800 victims in 71 countries 🦿
📖 Read
via "Tech Republic".
The European police force stated the ransomware activities targeted critical infrastructures and mostly large corporations.📖 Read
via "Tech Republic".
TechRepublic
Cybercrime: Europol arrests 12 people for ransomware activities possibly affecting 1,800 victims in 71 countries
The European police force stated the ransomware activities targeted critical infrastructures and mostly large corporations.
🕴 APTs, Teleworking, and Advanced VPN Exploits: The Perfect Storm 🕴
📖 Read
via "Dark Reading".
A Mandiant researcher shares the details of an investigation into the misuse of Pulse Secure VPN devices by suspected state-sponsored threat actors.📖 Read
via "Dark Reading".
Darkreading
APTs, Teleworking, and Advanced VPN Exploits: The Perfect Storm
A Mandiant researcher shares the details of an investigation into the misuse of Pulse Secure VPN devices by suspected state-sponsored threat actors.
🕴 Snyk Agrees to Acquire CloudSkiff, Creators of driftctl 🕴
📖 Read
via "Dark Reading".
New capabilities allow Snyk Infrastructure as Code customers to more effectively detect infrastructure drift.📖 Read
via "Dark Reading".
Darkreading
Snyk Agrees to Acquire CloudSkiff, Creators of driftctl
New capabilities allow Snyk Infrastructure as Code customers to more effectively detect infrastructure drift.
‼ CVE-2021-1121 ‼
📖 Read
via "National Vulnerability Database".
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager kernel driver, where a vGPU can cause resource starvation among other vGPUs hosted on the same GPU, which may lead to denial of service.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-25881 ‼
📖 Read
via "National Vulnerability Database".
A vulnerability was discovered in the filename parameter in pathindex.php?r=cms-backend/attachment/delete&sub=&filename=../../../../111.txt&filetype=image/jpeg of the master version of RKCMS. This vulnerability allows for an attacker to perform a directory traversal via a crafted .txt file.📖 Read
via "National Vulnerability Database".