CVE-2021-25985
Read via "National Vulnerability Database".
In Factor (App Framework & Headless CMS) versions 1.0.4 to 1.8.30, a user's session is improperly invalidated: it remains valid even after the user logs out of the application. In addition, user sessions are stored in the browser's local storage, which by default has no expiration time. This makes it possible for an attacker to steal and reuse the cookies using techniques such as XSS attacks, followed by a local account takeover.
CVE-2021-29861
Read via "National Vulnerability Database".
IBM AIX 7.1, 7.2, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in EFS to expose sensitive information. IBM X-Force ID: 206085.
CVE-2021-26323
Read via "National Vulnerability Database".
Failure to validate SEV commands while SNP is active may result in a potential impact to memory integrity.
CVE-2021-24802
Read via "National Vulnerability Database".
The Colorful Categories WordPress plugin before 2.0.15 does not enforce nonce checks, which could allow attackers to make a logged-in admin or editor change taxonomy colors via a CSRF attack.
CVE-2021-41266
Read via "National Vulnerability Database".
MinIO Console is a graphical user interface for the MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. All users on release v0.12.2 and before are affected and are advised to update to 0.12.3 or newer. Users unable to upgrade should add automountServiceAccountToken: false to the operator-console deployment in Kubernetes so that no service account token gets mounted inside the pod, then disable external identity provider authentication by unsetting the CONSOLE_IDP_URL, CONSOLE_IDP_CLIENT_ID, CONSOLE_IDP_SECRET and CONSOLE_IDP_CALLBACK environment variables and instead use the Kubernetes service account token.
CVE-2021-42373
Read via "National Vulnerability Database".
A NULL pointer dereference in BusyBox's man applet leads to denial of service when a section name is supplied but no page argument is given.
CVE-2021-42721
Read via "National Vulnerability Database".
Adobe Media Encoder version 15.4 (and earlier) is affected by a memory corruption vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious M4A file.
CVE-2021-42374
Read via "National Vulnerability Database".
An out-of-bounds heap read in BusyBox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that
CVE-2020-12902
Read via "National Vulnerability Database".
Arbitrary Decrement Privilege Escalation in AMD Graphics Driver for Windows 10 may lead to escalation of privilege or denial of service.
CVE-2021-42377
Read via "National Vulnerability Database".
An attacker-controlled pointer free in BusyBox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
Emotet malware: "The report of my death was an exaggeration"
Read via "Naked Security".
"Old malware rarely dies." The best way to predict the future is to look at the past... if it worked before, it will probably work again.
The self-driving smart suitcase... that the person behind you can hijack!
Read via "Naked Security".
Apparently, we need a self-driving IoT Bluetooth robot suitcase. Who knew?
Your weak passwords can be cracked in less than a second
Read via "Tech Republic".
Easy-to-crack phrases "123456," "123456789," "12345," "qwerty" and "password" are the five most common passwords, says NordPass.
How to protect your organization from ransomware attacks during the holiday season
Read via "Tech Republic".
A quarter of security pros polled by Cybereason said they lack a plan to deal with a ransomware attack during a weekend or holiday.
CVE-2021-42250
Read via "National Vulnerability Database".
Improper output neutralization for logs. A specific Apache Superset HTTP endpoint allowed an authenticated user to forge log entries or inject malicious content into logs.
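Log forging of the kind that entry describes, as an added JavaScript example rather than Superset's own Python code: the log line format, the endpoint behaviour and the attacker-supplied username are constructed for the demo, and the neutralization shown is a generic control-character escape, not Superset's fix.

```javascript
// Added example, not Apache Superset's code: a user-controlled value written
// into a log without neutralization lets the caller terminate the record
// and append a forged one. The sample input below is constructed.

// Constructed attacker input: a "username" carrying a newline followed by a
// complete, plausible-looking record claiming a successful admin login.
const forgedUsername =
  "alice\n2021-11-17 10:00:01 INFO  login ok user=admin src=10.0.0.1";

// Vulnerable: the raw value is interpolated, so the embedded LF starts a
// second log record that the attacker authored.
function logLoginVulnerable(username) {
  return `2021-11-17 10:00:00 WARN  login failed user=${username}`;
}

// Neutralize for a line-oriented log: escape every C0 control character,
// DEL, and the Unicode line terminators some parsers honour (NEL, LS, PS).
// The payload stays visible as escapes, which is what an analyst wants.
function neutralizeForLog(value) {
  return String(value).replace(
    /[\x00-\x1f\x7f\u0085\u2028\u2029]/g,
    (ch) => "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"),
  );
}

// Hardened: same log line, but every user-controlled field passes through
// neutralizeForLog before interpolation.
function logLoginHardened(username) {
  return `2021-11-17 10:00:00 WARN  login failed user=${neutralizeForLog(username)}`;
}

// How many records a line-oriented log shipper would ingest from the text.
function recordCount(logText) {
  return logText.split(/\r\n|\r|\n|\u0085|\u2028|\u2029/).length;
}

console.log("vulnerable:", recordCount(logLoginVulnerable(forgedUsername)), "record(s)");
console.log(logLoginVulnerable(forgedUsername));
console.log("hardened:", recordCount(logLoginHardened(forgedUsername)), "record(s)");
console.log(logLoginHardened(forgedUsername));
```

Escaping rather than stripping is the deliberate choice: a stripped payload silently vanishes, whereas an escaped one survives in the log as evidence and can be hunted for (a `\u000a` inside a username field is itself a useful detection).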
CVE-2021-40745
Read via "National Vulnerability Database".
Adobe Campaign version 21.2.1 (and earlier) is affected by a Path Traversal vulnerability that could lead to reading arbitrary server files. By leveraging an exposed XML file, an unauthenticated attacker can enumerate other files on the server.
Is XDR Overhyped?
Read via "Dark Reading".
Security experts weigh in on the value and pitfalls of extended detection and response (XDR), offering consideration and advice on this growing new category.
Exchange, Fortinet Flaws Being Exploited by Iranian APT, CISA Warns
Read via "Threat Post".
Meanwhile, a Microsoft analysis that followed six Iranian threat actor groups for over a year found them increasingly sophisticated, adapting and thriving.
Apple's Mail Privacy Protection feature: watch out if you have a Watch!
Read via "Naked Security".
Apple's "Protect Mail Activity" is a handy privacy enhancement for your messaging habits. As long as you know its limitations...
Secure development: New and improved Linux Random Number Generator ready for testing
Read via "The Daily Swig".
Proposed replacement for /dev/random promises to double performance and add flexibility.
How to beef up your multicloud security
Read via "Tech Republic".
A majority of IT leaders surveyed by Valtix said they realize their employees lack the necessary skills to manage multicloud security.