CVE-2021-41249
Read via "National Vulnerability Database".
GraphQL Playground is a GraphQL IDE for development of graphQL focused applications. All versions of graphql-playground-react older than graphql-playground-react@1.7.28 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a malicious schema in graphql-playground. There are several ways this can occur, including by specifying the URL to a malicious schema in the endpoint query parameter. If a user clicks on a link to a GraphQL Playground installation that specifies a malicious server, arbitrary JavaScript can run in the user's browser, which can be used to exfiltrate user credentials or other harmful goals. If you are using graphql-playground-react directly in your client app, upgrade to version 1.7.28 or later.
CVE-2021-43396
Read via "National Vulnerability Database".
In iconvdata/iso-2022-jp-3.c in the GNU C Library (aka glibc) 2.34, remote attackers can force iconv() to emit a spurious '\0' character via crafted ISO-2022-JP-3 data that is accompanied by an internal state reset. This may affect data integrity in certain iconv() use cases.
CVE-2021-41248
Read via "National Vulnerability Database".
GraphiQL is the reference implementation of this monorepo, GraphQL IDE, an official project under the GraphQL Foundation. All versions of graphiql older than graphiql@1.4.7 are vulnerable to compromised HTTP schema introspection responses or schema prop values with malicious GraphQL type names, exposing a dynamic XSS attack surface that can allow code injection on operation autocomplete. In order for the attack to take place, the user must load a vulnerable schema in graphiql. There are a number of ways that can occur. By default, the schema URL is not attacker-controllable in graphiql or in its suggested implementations or examples, leaving only very complex attack vectors. If a custom implementation of graphiql's fetcher allows the schema URL to be set dynamically, such as a URL query parameter like ?endpoint= in graphql-playground, or a database provided value, then this custom graphiql implementation is vulnerable to phishing attacks, and thus much more readily available, low or no privilege level XSS attacks. The URLs could look like any generic looking graphql schema URL. It should be noted that desktop clients such as Altair, Insomnia, Postwoman, do not appear to be impacted by this. This vulnerability does not impact codemirror-graphql, monaco-graphql or other dependents, as it exists in onHasCompletion.ts in graphiql. It does impact all forks of graphiql, and every released version of graphiql.
CVE-2021-42057
Read via "National Vulnerability Database".
Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases.
CVE-2020-21139
Read via "National Vulnerability Database".
EC Cloud E-Commerce System v1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) which allows attackers to arbitrarily add admin accounts via /admin.html?do=user&act=add.
CVE-2021-43400
Read via "National Vulnerability Database".
An issue was discovered in gatt-database.c in BlueZ 5.61. A use-after-free can occur when a client disconnects during D-Bus processing of a WriteValue call.
CVE-2021-39914
Read via "National Vulnerability Database".
A regular expression denial of service issue in GitLab versions 8.13 to 14.2.5, 14.3.0 to 14.3.3 and 14.4.0 could cause excessive usage of resources when a specially crafted username was used when provisioning a new user.
CVE-2021-39903
Read via "National Vulnerability Database".
In all versions of GitLab CE/EE since version 13.0, a privileged user, through an API call, can change the visibility level of a group or a project to a restricted option even after the instance administrator sets that visibility option as restricted in settings.
CVE-2021-39902
Read via "National Vulnerability Database".
Incorrect Authorization in GitLab CE/EE 13.4 or above allows a user with guest membership in a project to modify the severity of an incident.
Get the training you need to switch to a cybersecurity career
Read via "Tech Republic".
With cybercrime becoming more frequent and severe, there's no question that the demand for cybersecurity skills will remain high well into the future, and now you can learn them easily.
"Focus on brilliance at the basics" – GitHub CSO Mike Hanley on shifting left and securing the software supply chain
Read via "The Daily Swig".
Security fundamentals often overlooked in favor of eye-catching initiatives, says infosec pro
CVE-2021-42237
Read via "National Vulnerability Database".
Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
CVE-2021-42662
Read via "National Vulnerability Database".
A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run JavaScript commands on the web server surfer's behalf, which can lead to cookie stealing and more.
CVE-2021-26844
Read via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in Power Admin PA Server Monitor 8.2.1.1 allows remote attackers to inject arbitrary web script or HTML via Console.exe.
Feds Offer $10 Million Bounty for DarkSide Info
Read via "Threat Post".
The U.S. State Department ups the ante in its hunt for the ransomware perpetrators by offering a sizeable cash sum for locating and arresting leaders of the cybercriminal group.
4 Tips on How Small to Midsize Businesses Can Combat Cyberattacks
Read via "Dark Reading".
The first step in improving your cybersecurity is understanding your risk of attack.
CVE-2021-42669
Read via "National Vulnerability Database".
A file upload vulnerability exists in Sourcecodester Engineers Online Portal in PHP via dashboard_teacher.php, which allows changing the avatar through teacher_avatar.php. Once an avatar is uploaded, it is stored in the /admin/uploads/ directory and is accessible by all users. By uploading a php webshell containing "<?php system($_GET["cmd"]); ?>" the attacker can execute commands on the web server with - /admin/uploads/php-webshell?cmd=id.
CVE-2021-42666
Read via "National Vulnerability Database".
A SQL Injection vulnerability exists in Sourcecodester Engineers Online Portal in PHP via the id parameter to quiz_question.php, which could let a malicious user extract sensitive data from the web server and in some cases use this vulnerability in order to get a remote code execution on the remote web server.
CVE-2021-42671
Read via "National Vulnerability Database".
An incorrect access control vulnerability exists in Sourcecodester Engineers Online Portal in PHP in nia_munoz_monitoring_system/admin/uploads. An attacker can leverage this vulnerability in order to bypass access controls and access all the files uploaded to the web server without the need of authentication or authorization.
CVE-2021-42667
Read via "National Vulnerability Database".
A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-management/views. An attacker can leverage this vulnerability in order to manipulate the SQL query performed. As a result he can extract sensitive data from the web server and in some cases he can use this vulnerability in order to get a remote code execution on the remote web server.
CVE-2021-42663
Read via "National Vulnerability Database".
An HTML injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clicks on a given link, he will be shown the HTML content of the attacker's choice.