🦿 Cybersecurity, the pandemic and the 2021 holiday shopping season: A perfect storm 🦿
📖 Read
via "Tech Republic".
Ping Identity executive advisor Aubrey Turner warns that eager cybercriminals are ready to exploit the current chaotic state of the world, and preparation is essential going into the holidays.📖 Read
via "Tech Republic".
TechRepublic
Cybersecurity, the pandemic and the 2021 holiday shopping season: A perfect storm
Ping Identity executive advisor Aubrey Turner warns that eager cybercriminals are ready to exploit the current chaotic state of the world, and preparation is essential going into the holidays.
‼ CVE-2021-41247 ‼
📖 Read
via "National Vulnerability Database".
JupyterHub is an open source multi-user server for Jupyter notebooks. In affected versions users who have multiple JupyterLab tabs open in the same browser session, may see incomplete logout from the single-user server, as fresh credentials (for the single-user server only, not the Hub) reinstated after logout, if another active JupyterLab session is open while the logout takes place. Upgrade to JupyterHub 1.5. For distributed deployments, it is jupyterhub in the _user_ environment that needs patching. There are no patches necessary in the Hub environment. The only workaround is to make sure that only one JupyterLab tab is open when you log out.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43281 ‼
📖 Read
via "National Vulnerability Database".
MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43293 ‼
📖 Read
via "National Vulnerability Database".
Sonatype Nexus Repository Manager 3.x before 3.36.0 allows a remote authenticated attacker to potentially perform network enumeration via Server Side Request Forgery (SSRF).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43389 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in the Linux kernel before 5.14.15. There is an array-index-out-of-bounds flaw in the detach_capi_ctr function in drivers/isdn/capi/kcapi.c.📖 Read
via "National Vulnerability Database".
🕴 Phishing Attack Blends Spoofed Amazon Order and Fraudulent Customer Service Agents 🕴
📖 Read
via "Dark Reading".
It's the latest in a series of clever brand impersonation scams that use multiple vectors to lure victims.📖 Read
via "Dark Reading".
Dark Reading
Phishing Attack Blends Spoofed Amazon Order and Fraudulent Customer Service Agents
It's the latest in a series of clever brand impersonation scams that use multiple vectors to lure victims.
🕴 Ripping Off the Blindfold: Illuminating OT Environments 🕴
📖 Read
via "Dark Reading".
A security tool monitoring OT devices needs to do so without disrupting operations, which is why the Self-Learning AI acts only on information obtained by passive monitoring of the network.📖 Read
via "Dark Reading".
Dark Reading
Ripping Off the Blindfold: Illuminating OT Environments
A security tool that monitors OT devices can't disrupt operations. This is why the Self-Learning AI acts only on information obtained by passive monitoring of the network.
🕴 US Offers $10M Reward For ID, Location of DarkSide Leadership 🕴
📖 Read
via "Dark Reading".
The State Department offers multimillion-dollar rewards for information related to the leaders and members involved in DarkSide ransomware.📖 Read
via "Dark Reading".
Darkreading
US Offers $10M Reward For ID, Location of DarkSide Leadership
The State Department offers multimillion-dollar rewards for information related to the leaders and members involved in DarkSide ransomware.
🕴 API Security Issues Hinder Application Delivery 🕴
📖 Read
via "Dark Reading".
A new survey explains why nearly all organizations experience API security problems to varying degrees.📖 Read
via "Dark Reading".
Darkreading
API Security Issues Hinder Application Delivery
A new survey explains why nearly all organizations experience API security problems to varying degrees.
🕴 How Is Zero Trust Different From Traditional Security? 🕴
📖 Read
via "Dark Reading".
Unlike traditional security approaches, the zero-trust security model verifies a user's identity each and every time they need specific system access.📖 Read
via "Dark Reading".
Dark Reading
How Is Zero Trust Different From Traditional Security?
Unlike traditional security approaches, the zero-trust security model verifies a user's identity each and every time they need specific system access.
‼ CVE-2021-43398 ‼
📖 Read
via "National Vulnerability Database".
Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the length information of the private key. This might allow attackers to conduct timing attacks.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3896 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2021-43389. Reason: This candidate is a reservation duplicate of CVE-2021-43389. Notes: All CVE users should reference CVE-2021-43389 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41249 ‼
📖 Read
via "National Vulnerability Database".
GraphQL Playground is a GraphQL IDE for development of graphQL focused applications. All versions of graphql-playground-react older than graphql-playground-react@1.7.28 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a malicious schema in graphql-playground. There are several ways this can occur, including by specifying the URL to a malicious schema in the endpoint query parameter. If a user clicks on a link to a GraphQL Playground installation that specifies a malicious server, arbitrary JavaScript can run in the user's browser, which can be used to exfiltrate user credentials or other harmful goals. If you are using graphql-playground-react directly in your client app, upgrade to version 1.7.28 or later.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43396 ‼
📖 Read
via "National Vulnerability Database".
In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41248 ‼
📖 Read
via "National Vulnerability Database".
GraphiQL is the reference implementation of this monorepo, GraphQL IDE, an official project under the GraphQL Foundation. All versions of graphiql older than graphiql@1.4.7 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a vulnerable schema in graphiql. There are a number of ways that can occur. By default, the schema URL is not attacker-controllable in graphiql or in its suggested implementations or examples, leaving only very complex attack vectors. If a custom implementation of graphiql's fetcher allows the schema URL to be set dynamically, such as a URL query parameter like ?endpoint= in graphql-playground, or a database provided value, then this custom graphiql implementation is vulnerable to phishing attacks, and thus much more readily available, low or no privelege level xss attacks. The URLs could look like any generic looking graphql schema URL. It should be noted that desktop clients such as Altair, Insomnia, Postwoman, do not appear to be impacted by this. This vulnerability does not impact codemirror-graphql, monaco-graphql or other dependents, as it exists in onHasCompletion.ts in graphiql. It does impact all forks of graphiql, and every released version of graphiql.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-42057 ‼
📖 Read
via "National Vulnerability Database".
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-21139 ‼
📖 Read
via "National Vulnerability Database".
EC Cloud E-Commerce System v1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add admin accounts via /admin.html?do=user&act=add.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43400 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39914 ‼
📖 Read
via "National Vulnerability Database".
A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39903 ‼
📖 Read
via "National Vulnerability Database".
In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39902 ‼
📖 Read
via "National Vulnerability Database".
Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident.📖 Read
via "National Vulnerability Database".