CVE-2021-36372
In Apache Ozone versions prior to 1.2.0, initially generated block tokens are persisted to the metadata database and can be retrieved by authenticated users with permission to the key. Authenticated users may use them even after access is revoked.
via "National Vulnerability Database".
CVE-2021-41532
In Apache Ozone before 1.2.0, Recon HTTP endpoints provide access to OM, SCM and Datanode metadata. Due to a bug, any unauthenticated user can access the data from these endpoints.
via "National Vulnerability Database".
CVE-2021-39235
In Apache Ozone before 1.2.0, the Ozone Datanode doesn't check the access mode parameter of the block token. Authenticated users with a valid READ block token can do any write operation on the same block.
via "National Vulnerability Database".
CVE-2021-39231
In Apache Ozone versions prior to 1.2.0, various internal server-to-server RPC endpoints are available for connections, making it possible for an attacker to download raw data from the Datanode and Ozone Manager and modify the Ratis replication configuration.
via "National Vulnerability Database".
CVE-2021-42338
4MOSAn GCB Doctor's login page has improper validation of the cookie, which allows an unauthenticated remote attacker to bypass authentication by code injection in the cookie, and to arbitrarily manipulate the system or interrupt services by uploading and executing arbitrary files.
via "National Vulnerability Database".
CVE-2021-39234
In Apache Ozone versions prior to 1.2.0, authenticated users knowing the ID of an existing block can craft a specific request allowing access to those blocks, bypassing other security checks such as ACLs.
via "National Vulnerability Database".
Iranian hackers charged with cybercrimes in connection with attempts to influence 2020 US Presidential Election
Pair were affiliated with group that tried to secure a win for Donald Trump
via "The Daily Swig".
CVE-2021-41436
An HTTP request smuggling vulnerability in the web application in ASUS ROG Rapture GT-AX11000, RT-AX3000, RT-AX55, RT-AX56U, RT-AX56U_V2, RT-AX58U, RT-AX82U, RT-AX82U GUNDAM EDITION, RT-AX86 Series (RT-AX86U/RT-AX86S), RT-AX86U ZAKU II EDITION, RT-AX88U, RT-AX92U, TUF Gaming AX3000, TUF Gaming AX5400 (TUF-AX5400), ASUS ZenWiFi XD6, ASUS ZenWiFi AX (XT8) before 3.0.0.4.386.45898, and RT-AX68U before 3.0.0.4.386.45911, allows a remote unauthenticated attacker to cause a DoS by sending a specially crafted HTTP packet.
via "National Vulnerability Database".
CVE-2021-3950
django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
via "National Vulnerability Database".
CVE-2021-3974
vim is vulnerable to Use After Free.
via "National Vulnerability Database".
CVE-2021-3968
vim is vulnerable to Heap-based Buffer Overflow.
via "National Vulnerability Database".
California Pizza Kitchen Serves Up Employee SSNs in Data Breach
A hefty slice of data, that of 100K+ current and former employees, was spilled in an "external system breach," the pizza chain said.
via "Threat Post".
Friday Five 11/18
The U.K. shares some new ransomware statistics, the FBI warns about a new VPN zero-day, and more. Catch up on the infosec news of the week with the Friday Five!
via "Digital Guardian".
CKEditor vulnerabilities pose XSS threat to Drupal and other downstream applications
Attackers could bypass content sanitization with malformed HTML
via "The Daily Swig".
Zero Trust: An Answer to the Ransomware Menace?
Zero trust isn't a silver bullet, but if implemented well it can help create a much more robust security defense.
via "Dark Reading".
CVE-2021-3920
grav-plugin-admin is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
via "National Vulnerability Database".
Policymakers want to regulate AI but lack consensus on how
Commentary: AI is considered "world changing" by policymakers, but it's unclear how to ensure positive outcomes.
via "Tech Republic".
To Beat Ransomware, Apply Zero Trust to Servers Too
The path out of the ransomware crisis is full inspection and protection of all traffic flows. That means zero trust everywhere, even between servers.
via "Dark Reading".
Researcher finds SSRF bug in internal Google Cloud project, nabs $10,000 bug bounty
Now-patched API vulnerability allowed attacker to access sensitive resources
via "The Daily Swig".
CVE-2021-36003
Adobe Audition version 14.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
via "National Vulnerability Database".
CVE-2021-39353
The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation in the ajax_add_form function found in the ~/includes/class-form.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including, 2.1.1.
via "National Vulnerability Database".