CVE-2021-3950 (via National Vulnerability Database)
django-helpdesk is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-3974 (via National Vulnerability Database)
vim is vulnerable to Use After Free
CVE-2021-3968 (via National Vulnerability Database)
vim is vulnerable to Heap-based Buffer Overflow
California Pizza Kitchen Serves Up Employee SSNs in Data Breach (via Threat Post)
A hefty slice of data, that of 100K+ current and former employees, was spilled in an "external system breach," the pizza chain said.
Friday Five 11/18 (via Digital Guardian)
The U.K. shares some new ransomware statistics, the FBI warns about a new VPN zero-day, and more; catch up on the infosec news of the week with the Friday Five!
CKEditor vulnerabilities pose XSS threat to Drupal and other downstream applications (via The Daily Swig)
Attackers could bypass content sanitization with malformed HTML
Zero Trust: An Answer to the Ransomware Menace? (via Dark Reading)
Zero trust isn't a silver bullet, but if implemented well it can help create a much more robust security defense.
CVE-2021-3920 (via National Vulnerability Database)
grav-plugin-admin is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Policymakers want to regulate AI but lack consensus on how (via Tech Republic)
Commentary: AI is considered "world changing" by policymakers, but it's unclear how to ensure positive outcomes.
To Beat Ransomware, Apply Zero Trust to Servers Too (via Dark Reading)
The path out of the ransomware crisis is full inspection and protection of all traffic flows. That means zero trust everywhere, even between servers.
Researcher finds SSRF bug in internal Google Cloud project, nabs $10,000 bug bounty (via The Daily Swig)
Now-patched API vulnerability allowed attacker to access sensitive resources
CVE-2021-36003 (via National Vulnerability Database)
Adobe Audition version 14.2 (and earlier) is affected by an out-of-bounds read vulnerability when parsing a specially crafted file. An unauthenticated attacker could leverage this vulnerability to disclose arbitrary memory information in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2021-39353 (via National Vulnerability Database)
The Easy Registration Forms WordPress plugin is vulnerable to Cross-Site Request Forgery due to missing nonce validation via the ajax_add_form function found in the ~/includes/class-form.php file, which made it possible for attackers to inject arbitrary web scripts in versions up to, and including, 2.1.1.
CVE-2021-42363 (via National Vulnerability Database)
The Preview E-Mails for WooCommerce WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the search_order parameter found in the ~/views/form.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.6.8.
CVE-2021-33850 (via National Vulnerability Database)
There is a Cross-Site Scripting vulnerability in Microsoft Clarity version 0.3. The XSS payload executes whenever the user changes the Clarity configuration in Microsoft Clarity version 0.3. The payload is stored on the configuring project Id page.
CVE-2021-22053 (via National Vulnerability Database)
Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution.
CVE-2021-37592 (via National Vulnerability Database)
Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.
CVE-2021-43408 (via National Vulnerability Database)
The Duplicate Post WordPress plugin up to and including version 1.1.9 is vulnerable to SQL Injection. SQL injection vulnerabilities occur when client-supplied data is included within an SQL query insecurely. SQL Injection can typically be exploited to read, modify and delete SQL table data. In many cases it is also possible to exploit features of the SQL server to execute system commands and/or access the local file system. This particular vulnerability can be exploited by any authenticated user who has been granted access to use the Duplicate Post plugin. By default, this is limited to Administrators; however, the plugin presents the option to permit access to the Editor, Author, Contributor and Subscriber roles.
CVE-2021-43409 (via National Vulnerability Database)
The "WPO365 | LOGIN" WordPress plugin (up to and including version 15.3) by wpo365.com is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability (also known as Stored or Second-Order XSS). Persistent XSS vulnerabilities occur when the application stores and retrieves client-supplied data without proper handling of dangerous content. This type of XSS vulnerability is exploited by submitting malicious script content to the application, which is then retrieved and executed by other application users. The attacker could exploit this to conduct a range of attacks against users of the affected application, such as session hijacking, account takeover and accessing sensitive data. In this case, the XSS payload can be submitted by any anonymous user; the payload then renders and executes when a WordPress administrator authenticates and accesses the WordPress Dashboard. The injected payload can carry out actions on behalf of the administrator, including adding other administrative users and changing application settings. This flaw could be exploited to ultimately provide full control of the affected system to the attacker.
Packet Fence 11.1.0 (via Packet Storm Security)
PacketFence is a network access control (NAC) system. It is actively maintained and has been deployed in numerous large-scale institutions. It can be used to effectively secure networks, from small to very large heterogeneous networks. PacketFence provides NAC-oriented features such as registration of new network devices, detection of abnormal network activities including from remote snort sensors, isolation of problematic devices, remediation through a captive portal, and registration-based and scheduled vulnerability scans.
6M Sky Routers Left Exposed to Attack for Nearly 1.5 Years (via Threat Post)
Pen Test Partners didn't disclose the vulnerability after 90 days because it knew ISPs were struggling with a pandemic-increased network load as work from home became the new norm.