🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
CVE-2021-21694

FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier.

📖 Read

via "National Vulnerability Database".
🦿 You can configure SSH to use a non-standard port with SELinux set to enforcing 🦿

Switching the SSH listening port is an easy way to help secure remote login on your Linux servers. Jack Wallen shows you how.

📖 Read

via "Tech Republic".
🔏 Latest National Data Privacy Legislation Aims to Protect Consumer Data 🔏

Legislation introduced last week would establish national data privacy standards, mirror elements of the CCPA and require companies to use high-quality data protection standards.

📖 Read

🦿 Cybersecurity, the pandemic and the 2021 holiday shopping season: A perfect storm 🦿

Ping Identity executive advisor Aubrey Turner warns that eager cybercriminals are ready to exploit the current chaotic state of the world, and preparation is essential going into the holidays.

📖 Read

via "Tech Republic".
CVE-2021-41247

JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions, users who have multiple JupyterLab tabs open in the same browser session may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) are reinstated after logout if another active JupyterLab session is open while the logout takes place. Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment. The only workaround is to make sure that only one JupyterLab tab is open when you log out.

📖 Read

via "National Vulnerability Database".
CVE-2021-43281

MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages.

📖 Read

via "National Vulnerability Database".
CVE-2021-43293

Sonatype Nexus Repository Manager 3.x before 3.36.0 allows a remote authenticated attacker to potentially perform network enumeration via Server Side Request Forgery (SSRF).

📖 Read

via "National Vulnerability Database".
CVE-2021-43389

An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.

📖 Read

via "National Vulnerability Database".
🕴 Phishing Attack Blends Spoofed Amazon Order and Fraudulent Customer Service Agents 🕴

It's the latest in a series of clever brand impersonation scams that use multiple vectors to lure victims.

📖 Read

via "Dark Reading".
🕴 Ripping Off the Blindfold: Illuminating OT Environments 🕴

A security tool monitoring OT devices needs to do so without disrupting operations, which is why the Self-Learning AI acts only on information obtained by passive monitoring of the network.

📖 Read

via "Dark Reading".
🕴 US Offers $10M Reward For ID, Location of DarkSide Leadership 🕴

The State Department offers multimillion-dollar rewards for information related to the leaders and members involved in DarkSide ransomware.

📖 Read

via "Dark Reading".
🕴 API Security Issues Hinder Application Delivery 🕴

A new survey explains why nearly all organizations experience API security problems to varying degrees.

📖 Read

via "Dark Reading".
🕴 How Is Zero Trust Different From Traditional Security? 🕴

Unlike traditional security approaches, the zero-trust security model verifies a user's identity each and every time they need specific system access.

📖 Read

via "Dark Reading".
CVE-2021-43398

Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the length information of the private key. This might allow attackers to conduct timing attacks.

📖 Read

via "National Vulnerability Database".
CVE-2021-3896

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-43389. Reason: This candidate is a reservation duplicate of CVE-2021-43389. Notes: All CVE users should reference CVE-2021-43389 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

📖 Read

via "National Vulnerability Database".
CVE-2021-41249

GraphQL Playground is a GraphQL IDE for development of graphQL focused applications. All versions of graphql-playground-react older than graphql-playground-react@1.7.28 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a malicious schema in graphql-playground. There are several ways this can occur, including by specifying the URL to a malicious schema in the endpoint query parameter. If a user clicks on a link to a GraphQL Playground installation that specifies a malicious server, arbitrary JavaScript can run in the user's browser, which can be used to exfiltrate user credentials or other harmful goals. If you are using graphql-playground-react directly in your client app, upgrade to version 1.7.28 or later.

📖 Read

via "National Vulnerability Database".
CVE-2021-43396

In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases.

📖 Read

via "National Vulnerability Database".
CVE-2021-41248

GraphiQL is the reference implementation of this monorepo, GraphQL IDE, an official project under the GraphQL Foundation. All versions of graphiql older than graphiql@1.4.7 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a vulnerable schema in graphiql. There are a number of ways that can occur. By default, the schema URL is not attacker-controllable in graphiql or in its suggested implementations or examples, leaving only very complex attack vectors. If a custom implementation of graphiql's fetcher allows the schema URL to be set dynamically, such as a URL query parameter like ?endpoint= in graphql-playground, or a database provided value, then this custom graphiql implementation is vulnerable to phishing attacks, and thus much more readily available, low or no privilege level XSS attacks. The URLs could look like any generic looking graphql schema URL. It should be noted that desktop clients such as Altair, Insomnia, Postwoman, do not appear to be impacted by this. This vulnerability does not impact codemirror-graphql, monaco-graphql or other dependents, as it exists in onHasCompletion.ts in graphiql. It does impact all forks of graphiql, and every released version of graphiql.

📖 Read

via "National Vulnerability Database".
CVE-2021-42057

Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases.

📖 Read

via "National Vulnerability Database".
CVE-2020-21139

EC Cloud E-Commerce System v1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add admin accounts via /admin.html?do=user&act=add.

📖 Read

via "National Vulnerability Database".
CVE-2021-43400

An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.

📖 Read

via "National Vulnerability Database".