🛡 Cybersecurity & Privacy 🛡 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-29753 ‼

IBM Business Automation Workflow 18, 19, 20, 21, and IBM Business Process Manager 8.5 and 8.6 transmit or store authentication credentials, but use an insecure method that is susceptible to unauthorized interception and/or retrieval.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-42837 ‼

An issue was discovered in Talend Data Catalog before 7.3-20210930. After setting up SAML/OAuth, authentication is not correctly enforced on the native login page. Any valid user from the SAML/OAuth provider can be used as the username with an arbitrary password, and login will succeed.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-35368 ‼

OWASP ModSecurity Core Rule Set 3.1.x before 3.1.2, 3.2.x before 3.2.1, and 3.3.x before 3.3.2 is affected by a Request Body Bypass via a trailing pathname.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43405 ‼

An issue was discovered in FusionPBX before 4.5.30. The fax_extension may have risky characters (it is not constrained to be numeric).

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-43406 ‼

An issue was discovered in FusionPBX before 4.5.30. The fax_post_size may have risky characters (it is not constrained to preset values).

📖 Read

via "National Vulnerability Database".
🦿 Track data activity before "unusual" becomes "dangerous" 🦿

A security expert raises concerns that failing to identify and track unusual data activity can have dangerous consequences.

📖 Read

via "Tech Republic".
🕴 US Defense Contractor Discloses Data Breach 🕴

Electronic Warfare Associates says an attacker infiltrated EWA email in August, which led to the exfiltration of files with personal data.

📖 Read

via "Dark Reading".
🕴 Who's Minding Your Company's Crypto Decisions? 🕴

Security teams must first evaluate security protocols and the reputation of the cryptocurrency payment platform before their companies can proceed to accept the alternative currency as payment.

📖 Read

via "Dark Reading".
‼ CVE-2021-41230 ‼

Pomerium is an open source identity-aware access proxy. In affected versions, changes to the OIDC claims of a user after initial login are not reflected in policy evaluation when using `allowed_idp_claims` as part of policy. If `allowed_idp_claims` is used and a user's claims are changed, Pomerium can make incorrect authorization decisions. This issue has been resolved in v0.15.6. Users unable to upgrade should clear data on the `databroker` service by clearing redis or restarting the in-memory databroker to force claims to be updated.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41216 ‼

TensorFlow is an open source platform for machine learning. In affected versions the shape inference function for `Transpose` is vulnerable to a heap buffer overflow. This occurs whenever `perm` contains negative elements. The shape inference function does not validate that the indices in `perm` are all valid. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41221 ‼

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for the `Cudnn*` operations in TensorFlow can be tricked into accessing invalid memory, via a heap buffer overflow. This occurs because the ranks of the `input`, `input_h` and `input_c` parameters are not validated, but code assumes they have certain values. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-22222 ‼

Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the pjActionLoadCss function.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41225 ‼

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's Grappler optimizer has a use of an uninitialized variable. If the `train_nodes` vector (obtained from the saved model that gets optimized) does not contain a `Dequeue` node, then `dequeue_node` is left uninitialized. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-22225 ‼

Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a SQL injection vulnerability via the pjActionLoadForm function.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41222 ‼

TensorFlow is an open source platform for machine learning. In affected versions the implementation of `SplitV` can trigger a segfault if an attacker supplies negative arguments. This occurs whenever `size_splits` contains more than one value and at least one value is negative. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-22224 ‼

Stivasoft (Phpjabbers) Fundraising Script v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the pjActionPreview function.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41250 ‼

Python discord bot is the community bot for the Python Discord community. In affected versions, when a non-blacklisted URL and an otherwise triggering filter token are included in the same message, the token filter does not trigger. This means that by including any non-blacklisted URL, moderation filters can be bypassed. This issue has been resolved in commit 67390298852513d13e0213870e50fb3cff1424e0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41228 ‼

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's `saved_model_cli` tool is vulnerable to a code injection as it calls `eval` on user supplied strings. This can be used by attackers to run arbitrary code on the platform where the CLI tool runs. However, given that the tool is always run manually, the impact of this is not severe. We have patched this by adding a `safe` flag which defaults to `True` and an explicit warning for users. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41208 ‼

TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of service (via dereferencing `nullptr`s or via `CHECK`-failures) as well as abuse undefined behavior (binding references to `nullptr`s). An attacker can also read and write from heap buffers, depending on the API that gets used and the arguments that are passed to the call. Given that the boosted trees implementation in TensorFlow is unmaintained, it is recommended to no longer use these APIs. We will deprecate TensorFlow's boosted trees APIs in subsequent releases. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41218 ‼

TensorFlow is an open source platform for machine learning. In affected versions the shape inference code for `AllToAll` can be made to execute a division by 0. This occurs whenever the `split_count` argument is 0. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-41209 ‼

TensorFlow is an open source platform for machine learning. In affected versions the implementations for convolution operators trigger a division by 0 if passed empty filter tensor arguments. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

📖 Read

via "National Vulnerability Database".