‼ CVE-2021-42754 ‼
An improper control of generation of code vulnerability [CWE-94] in FortiClientMacOS versions 7.0.0 and below and 6.4.5 and below may allow an authenticated attacker to hijack the MacOS camera without the user's permission via a malicious dylib file.
via "National Vulnerability Database".
‼ CVE-2020-18439 ‼
An issue was discovered in the function edit_save_f in framework/admin/tpl_control.php in qinggan phpok 5.1 that allows attackers to write arbitrary files or get a shell.
via "National Vulnerability Database".
‼ CVE-2021-36172 ‼
An improper restriction of XML external entity reference vulnerability in the parser of XML responses of FortiPortal before 6.0.6 may allow an attacker who controls the producer of XML reports consumed by FortiPortal to trigger a denial of service or read arbitrary files from the underlying file system by means of specifically crafted XML documents.
via "National Vulnerability Database".
‼ CVE-2021-36176 ‼
Multiple uncontrolled resource consumption vulnerabilities in the web interface of FortiPortal before 6.0.6 may allow a single low-privileged user to induce a denial of service via multiple HTTP requests.
via "National Vulnerability Database".
‼ CVE-2020-23754 ‼
A cross-site scripting (XSS) vulnerability in infusions/member_poll_panel/poll_admin.php in PHP-Fusion 9.03.50 allows attackers to execute arbitrary code via the polls feature.
via "National Vulnerability Database".
‼ CVE-2021-26107 ‼
An improper access control vulnerability [CWE-284] in FortiManager versions 6.4.4 and 6.4.5 may allow an authenticated attacker with a restricted user profile to modify the VPN tunnel status of other VDOMs using VPN Manager.
via "National Vulnerability Database".
‼ CVE-2021-36183 ‼
An improper authorization vulnerability [CWE-285] in FortiClient for Windows versions 7.0.1 and below and 6.4.2 and below may allow a local unprivileged attacker to escalate their privileges to SYSTEM via the named pipe responsible for FortiClient updates.
via "National Vulnerability Database".
‼ CVE-2020-21574 ‼
A buffer overflow vulnerability in YotsuyaNight c-http v0.1.0 allows attackers to cause a denial of service via a long URL request that is passed to the delimitedread function.
via "National Vulnerability Database".
‼ CVE-2020-21572 ‼
A buffer overflow vulnerability in the function src_parser_trans_stage_1_2_3 in trgil gilcc before commit 803969389ca9c06237075a7f8eeb1a19e6651759 allows attackers to cause a denial of service.
via "National Vulnerability Database".
‼ CVE-2021-41238 ‼
Hangfire is an open source system to perform background job processing in .NET or .NET Core applications. No Windows Service or separate process is required. The Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default, when no custom authorization filters are specified, the `LocalRequestsOnlyAuthorizationFilter` filter is used to allow only local requests and prohibit all remote requests, providing sensible, protected-by-default settings. However, due to recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed. If you are using the `UseHangfireDashboard` method with the default `DashboardOptions.Authorization` property value, then your installation is impacted. If any other authorization filter is specified in the `DashboardOptions.Authorization` property, then you are not impacted. Patched versions (1.7.26) are available both on NuGet.org and as a tagged release on the GitHub repo. The default authorization rules now prohibit remote requests by default again by including the `LocalRequestsOnlyAuthorizationFilter` filter in the default settings. Please upgrade to the newest version in order to mitigate the issue. For users who are unable to upgrade, it is possible to mitigate the issue by using the `LocalRequestsOnlyAuthorizationFilter` explicitly when configuring the Dashboard UI.
via "National Vulnerability Database".
‼ CVE-2020-23719 ‼
A cross-site scripting (XSS) vulnerability in application/controllers/AdminController.php in xujinliang zibbs 1.0 allows attackers to execute arbitrary code via the bbsmeta parameter.
via "National Vulnerability Database".
‼ CVE-2020-12814 ‼
An improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Fortinet FortiAnalyzer version 6.0.6 and below and version 6.4.4 allows an attacker to execute unauthorized code or commands via specifically crafted requests to the web GUI.
via "National Vulnerability Database".
‼ CVE-2021-41019 ‼
An improper validation of certificate with host mismatch [CWE-297] vulnerability in FortiOS versions 6.4.6 and below may allow the connection to a malicious LDAP server via options in the GUI, leading to disclosure of sensitive information, such as AD credentials.
via "National Vulnerability Database".
‼ CVE-2021-41023 ‼
An unprotected storage of credentials vulnerability in Fortinet FortiSIEM Windows Agent version 4.1.4 and below allows an authenticated user to disclose the agent password, due to plaintext credential storage in log files.
via "National Vulnerability Database".
‼ CVE-2021-41022 ‼
An improper privilege management vulnerability in Fortinet FortiSIEM Windows Agent version 4.1.4 and below allows an attacker to execute privileged code or commands via PowerShell scripts.
via "National Vulnerability Database".
‼ CVE-2020-15940 ‼
An improper neutralization of input vulnerability [CWE-79] in FortiClientEMS versions 6.4.1 and below and 6.2.9 and below may allow a remote authenticated attacker to inject malicious script/tags via the name parameter of various sections of the server.
via "National Vulnerability Database".
‼ CVE-2021-36186 ‼
A stack-based buffer overflow in Fortinet FortiWeb version 6.4.0, version 6.3.15 and below, and 6.2.5 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
via "National Vulnerability Database".
‼ CVE-2021-36184 ‼
An improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Fortinet FortiWLM version 8.6.1 and below allows an attacker to disclose device, user and database information via crafted HTTP requests.
via "National Vulnerability Database".
❌ Ransomware Gangs Target Corporate Financial Activities ❌
The FBI is warning about a fresh extortion tactic: threatening to tank share prices for publicly held companies.
via "Threat Post".
🕴 Female-Founded Cybersecurity Startup Wabbi Raises Over $2M in Seed Funding 🕴
Wabbi enables companies to assimilate application security processes into development pipelines to produce and scale application security across enterprises.
via "Dark Reading".
🕴 FBI: Ransomware Actors Use Financial Events to Extort Victims 🕴
Attackers research financial information about an organization and threaten to disclose it if they don't receive ransom quickly.
via "Dark Reading".