βΌ CVE-2021-41646 βΌ
π Read
via "National Vulnerability Database".
Remote Code Execution (RCE) vulnerability exists in Sourcecodester Online Reviewer System 1.0 by uploading a maliciously crafted PHP file that bypasses the image upload filters..π Read
via "National Vulnerability Database".
βΌ CVE-2021-41746 βΌ
π Read
via "National Vulnerability Database".
SQL Injection vulnerability exists in all versions of Yonyou TurboCRM.via the orgcode parameter in changepswd.php. Attackers can use the vulnerabilities to obtain sensitive database information.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41874 βΌ
π Read
via "National Vulnerability Database".
An unauthorized access vulnerabiitly exists in all versions of Portainer, which could let a malicious user obtain sensitive information.π Read
via "National Vulnerability Database".
βΌ CVE-2021-41189 βΌ
π Read
via "National Vulnerability Database".
DSpace is an open source turnkey repository application. In version 7.0, any community or collection administrator can escalate their permission up to become system administrator. This vulnerability only exists in 7.0 and does not impact 6.x or below. This issue is patched in version 7.1. As a workaround, users of 7.0 may temporarily disable the ability for community or collection administrators to manage permissions or workflows settings.π Read
via "National Vulnerability Database".
π¦Ώ Cybercrime: Europol arrests 12 people for ransomware activities possibly affecting 1,800 victims in 71 countries π¦Ώ
π Read
via "Tech Republic".
The European police force stated the ransomware activities targeted critical infrastructures and mostly large corporations.π Read
via "Tech Republic".
TechRepublic
Cybercrime: Europol arrests 12 people for ransomware activities possibly affecting 1,800 victims in 71 countries
The European police force stated the ransomware activities targeted critical infrastructures and mostly large corporations.
π΄ APTs, Teleworking, and Advanced VPN Exploits: The Perfect Storm π΄
π Read
via "Dark Reading".
A Mandiant researcher shares the details of an investigation into the misuse of Pulse Secure VPN devices by suspected state-sponsored threat actors.π Read
via "Dark Reading".
Darkreading
APTs, Teleworking, and Advanced VPN Exploits: The Perfect Storm
A Mandiant researcher shares the details of an investigation into the misuse of Pulse Secure VPN devices by suspected state-sponsored threat actors.
π΄ Snyk Agrees to Acquire CloudSkiff, Creators of driftctl π΄
π Read
via "Dark Reading".
New capabilities allow Snyk Infrastructure as Code customers to more effectively detect infrastructure drift.π Read
via "Dark Reading".
Darkreading
Snyk Agrees to Acquire CloudSkiff, Creators of driftctl
New capabilities allow Snyk Infrastructure as Code customers to more effectively detect infrastructure drift.
βΌ CVE-2021-1121 βΌ
π Read
via "National Vulnerability Database".
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager kernel driver, where a vGPU can cause resource starvation among other vGPUs hosted on the same GPU, which may lead to denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25881 βΌ
π Read
via "National Vulnerability Database".
A vulnerability was discovered in the filename parameter in pathindex.php?r=cms-backend/attachment/delete&sub=&filename=../../../../111.txt&filetype=image/jpeg of the master version of RKCMS. This vulnerability allows for an attacker to perform a directory traversal via a crafted .txt file.π Read
via "National Vulnerability Database".
βΌ CVE-2021-1120 βΌ
π Read
via "National Vulnerability Database".
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where a string provided by the guest OS may not be properly null terminated. The guest OS or attacker has no ability to push content to the plugin through this vulnerability, which may lead to information disclosure, data tampering, unauthorized code execution, and denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25872 βΌ
π Read
via "National Vulnerability Database".
A vulnerability exists within the FileManagerController.php function in FrogCMS 0.9.5 which allows an attacker to perform a directory traversal attack via a GET request urlencode parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2021-1119 βΌ
π Read
via "National Vulnerability Database".
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it can double-free a pointer, which may lead to denial of service. This flaw may result in a write-what-where condition, allowing an attacker to execute arbitrary code impacting integrity and availability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-1122 βΌ
π Read
via "National Vulnerability Database".
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it can dereference a NULL pointer, which may lead to denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2021-1118 βΌ
π Read
via "National Vulnerability Database".
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where there is the potential to execute privileged operations by the guest OS, which may lead to information disclosure, data tampering, escalation of privileges, and denial of serviceπ Read
via "National Vulnerability Database".
βΌ CVE-2021-1123 βΌ
π Read
via "National Vulnerability Database".
NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager (vGPU plugin), where it can deadlock, which may lead to denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2020-25873 βΌ
π Read
via "National Vulnerability Database".
A directory traversal vulnerability in the component system/manager/class/web/database.php was discovered in Baijiacms V4 which allows attackers to arbitrarily delete folders on the server via the "id" parameter.π Read
via "National Vulnerability Database".
βοΈ Zales.com Leaked Customer Data, Just Like Sister Firms Jared, Kay Jewelers Did in 2018 βοΈ
π Read
via "Krebs on Security".
In December 2018, bling vendor Signet Jewelers fixed a weakness in their Kay Jewelers and Jared websites that exposed the order information for all of their online customers. This week, Signet subsidiary Zales.com updated its website to remediate a nearly identical customer data exposure.π Read
via "Krebs on Security".
Krebsonsecurity
Zales.com Leaked Customer Data, Just Like Sister Firms Jared, Kay Jewelers Did in 2018
In December 2018, bling vendor Signet Jewelers fixed a weakness in their Kay Jewelers and Jared websites that exposed the order information for all of their online customers. This week, Signet subsidiary Zales.com updated its website to remediate a nearlyβ¦
β Europol announce βtargetingβ of 12 suspects in ransomware attacks β
π Read
via "Naked Security".
More anti-ransomware activity by law enforcement, this time in Switzerland and Ukraine.π Read
via "Naked Security".
Naked Security
Europol announces βtargetingβ of 12 suspects in ransomware attacks
More anti-ransomware activity by law enforcement, this time in Switzerland and Ukraine.
π΄ Enterprises Allocating More IT Dollars on Cybersecurity π΄
π Read
via "Dark Reading".
Enterprises are allocating more IT dollars towards implementing a multilayered approach to securing data and applications against new threats, data shows.π Read
via "Dark Reading".
Dark Reading
Enterprises Allocating More IT Dollars on Cybersecurity
Enterprises are allocating more IT dollars toward implementing a multilayered approach to securing data and applications against new threats, data shows.
βΌ CVE-2021-36808 βΌ
π Read
via "National Vulnerability Database".
A local attacker could bypass the app password using a race condition in Sophos Secure Workspace for Android before version 9.7.3115.π Read
via "National Vulnerability Database".
π’ IT Pro News in Review: SolarWinds cyber attack, AWS deal with MI5, UK VoIP providers under attack π’
π Read
via "ITPro".
Catch up on the biggest headlines of the week in just two minutesπ Read
via "ITPro".
IT PRO
IT Pro News in Review: SolarWinds cyber attack, AWS deal with MI5, UK VoIP providers under attack
Welcome to IT Pro's News in Review, a weekly bite-sized bulletin of the top tech stories of the week, for the week ending 15 October, 2021.