CVE-2021-41134
via "National Vulnerability Database".
nbdime provides tools for diffing and merging of Jupyter Notebooks. In affected versions a stored cross-site scripting (XSS) issue exists within the Jupyter-owned nbdime project. It appears that when reading the file name and path from disk, the extension does not sanitize the string it constructs before returning it to be displayed. The diffNotebookCheckpoint function within nbdime causes this issue. When attempting to display the name of the local notebook (diffNotebookCheckpoint), nbdime appears to simply append .ipynb to the name of the input file. The NbdimeWidget is then created, and the base string is passed through to the request API function. From there, the frontend simply renders the HTML tag and anything along with it. Users are advised to patch to the most recent version of the affected product.
CVE-2021-43141
via "National Vulnerability Database".
Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Simple Subscription Website 1.0 via the id parameter in plan_application.
CVE-2021-41174
via "National Vulnerability Database".
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the malicious link must be unauthenticated and the link must be for a page that contains the login button in the menu bar. The url has to be crafted to exploit AngularJS rendering and contain the interpolation binding for AngularJS expressions. AngularJS uses double curly braces for interpolation binding: {{ }} ex: {{constructor.constructor(‘alert(1)’)()}}. When the user follows the link and the page renders, the login button will contain the original link with a query parameter to force a redirect to the login page. The URL is not validated and the AngularJS rendering engine will execute the JavaScript expression contained in the URL. Users are advised to upgrade as soon as possible. If for some reason you cannot upgrade, you can use a reverse proxy or similar to block access to the literal string {{ in the path.
CVE-2021-23784
via "National Vulnerability Database".
This affects the package tempura before 0.4.0. If the input to the esc function is of type object (i.e. an array) it is returned without being escaped/sanitized, leading to a potential Cross-Site Scripting vulnerability.
Cloud Data Security Startup Launches
via "Dark Reading".
TrustLogix aims to streamline and simplify data governance in the cloud.
Cisco Talos reports new variant of Babuk ransomware targeting Exchange servers
via "Tech Republic".
A new bad actor called Tortilla is running the campaign, and most affected users are in the U.S.
5 MITRE ATT&CK Tactics Most Frequently Detected by Cisco Secure Firewalls
via "Dark Reading".
Cisco Security examines the most frequently encountered MITRE ATT&CK tactics and techniques.
CISA Issues New Directive for Patching Known Exploited Vulnerabilities
via "Dark Reading".
The goal is to reduce civilian federal agency exposure to attacks that threat actors are actively using in campaigns, agency says.
Researchers Scan the Web to Uncover Malware Infections
via "Dark Reading".
Dozens of companies and universities regularly scan the Internet to gather data on connected devices, but some firms are looking deeper to uncover the extent of detectable malware infections.
CVE-2021-38411
via "National Vulnerability Database".
Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter deviceName of the API modbusWriter-Reader, which may allow an attacker to remotely execute code.
CVE-2021-22960
via "National Vulnerability Database".
The parse function in llhttp < 2.1.4 and < 6.0.6 ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
CVE-2021-43338
via "National Vulnerability Database".
In Ericsson Network Location MPS GMPC21, it is possible to create a new admin user with a SQL Query for file_name in the export functionality.
CVE-2021-38420
via "National Vulnerability Database".
Delta Electronics DIALink versions 1.2.4.0 and prior default permissions give extensive permissions to low-privileged user accounts, which may allow an attacker to modify the installation directory and upload malicious files.
CVE-2021-38422
via "National Vulnerability Database".
Delta Electronics DIALink versions 1.2.4.0 and prior store sensitive information in cleartext, which may allow an attacker to have extensive access to the application directory and escalate privileges.
CVE-2021-41562
via "National Vulnerability Database".
A vulnerability in Snow Snow Agent for Windows allows a non-admin user to cause arbitrary deletion of files. This issue affects: Snow Snow Agent for Windows version 5.0.0 to 6.7.1 on Windows.
CVE-2021-38407
via "National Vulnerability Database".
Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter name of the API devices, which may allow an attacker to remotely execute code.
CVE-2021-38416
via "National Vulnerability Database".
Delta Electronics DIALink versions 1.2.4.0 and prior insecurely load libraries, which may allow an attacker to use DLL hijacking and take over the system where the software is installed.
CVE-2020-28416
via "National Vulnerability Database".
HP has identified a security vulnerability with the I.R.I.S. OCR (Optical Character Recognition) software available with HP PageWide and OfficeJet printer software installations that could potentially allow unauthorized local code execution.
CVE-2021-38488
via "National Vulnerability Database".
Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter comment of the API events, which may allow an attacker to remotely execute code.
CVE-2021-38403
via "National Vulnerability Database".
Delta Electronics DIALink versions 1.2.4.0 and prior are vulnerable to cross-site scripting because an authenticated attacker can inject arbitrary JavaScript code into the parameter supplier of the API maintenance, which may allow an attacker to remotely execute code.
CVE-2021-41492
via "National Vulnerability Database".
Multiple SQL Injection vulnerabilities exist in Sourcecodester Simple Cashiering System (POS) 1.0 via (1) the Product Code in the pos page in cashiering, (2) the id parameter in manage_products, and (3) the t parameter in actions.php.