🛑 Cybersecurity & Privacy 🛑 - News
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-44143 ‼

A flaw was found in mbsync in isync 1.4.0 through 1.4.3. Due to an unchecked condition, a malicious or compromised IMAP server could use a crafted mail message that lacks headers (i.e., one that starts with an empty line) to provoke a heap overflow, which could conceivably be exploited for remote code execution.

📖 Read

via "National Vulnerability Database".
🦿 GoDaddy security breach impacts more than 1 million WordPress users 🦿

The hosting company has revealed a security incident that exposed the email addresses and customer numbers of 1.2 million Managed WordPress customers.

📖 Read

via "Tech Republic".
β™ŸοΈ Arrest in β€˜Ransom Your Employer’ Email Scheme β™ŸοΈ

In August, KrebsOnSecurity warned that scammers were contacting people and asking them to unleash ransomware inside their employer's network, in exchange for a percentage of any ransom amount paid by the victim company. This week, authorities in Nigeria arrested a suspect in connection with the scheme -- a young man who said he was trying to save up money to help fund a new social network.

📖 Read

via "Krebs on Security".
❌ GoDaddy’s Latest Breach Affects 1.2M Customers ❌

The kingpin domain registrar has logged its fifth cyber-incident since 2018, after an attacker with a compromised password stole email addresses, SSH keys and database logins.

📖 Read

via "Threat Post".
🦿 How to install and use InVID, a plugin to debunk fake news and verify videos and images 🦿

You can make sure you aren't seeing fake news, edited photos or deepfakes with this software. Here's how to install and use it.

📖 Read

via "Tech Republic".
🕴 Bug Bounties Surge as Firms Compete for Talent 🕴

Companies such as GitLab, which today increased its payment for critical bugs by 75%, are raising bounties and bonuses to attract top-notch researchers.

📖 Read

via "Dark Reading".
🕴 CISA Urges Critical Infrastructure to Be Alert for Holiday Threats 🕴

CISA and the FBI share steps organizations should take to better protect against security threats during holidays and weekends.

📖 Read

via "Dark Reading".
‼ CVE-2021-44147 ‼

An XML External Entity issue in Claris FileMaker Pro and Server (including WebDirect) before 19.4.1 allows a remote attacker to disclose local files via a crafted XML/Excel document and perform server-side request forgery attacks.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-44144 ‼

Croatia Control Asterix 2.8.1 has a heap-based buffer over-read, with additional details to be disclosed at a later date.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-44150 ‼

The client in tusdotnet through 2.5.0 relies on SHA-1 to prevent spoofing of file content.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-32004 ‼

This issue affects: Secomea GateManager, all versions prior to 9.6. An improper check of the Host header in the web server of Secomea GateManager allows an attacker to cause browser cache poisoning.

📖 Read

via "National Vulnerability Database".
🕴 GoDaddy Breach Exposes SSL Keys of Managed WordPress Hosting Customers 🕴

The incident, which affected 1.2 million users, raises concerns about domain impersonation attacks and other malicious activities.

📖 Read

via "Dark Reading".
⚠ GoDaddy admits to password breach: check your Managed WordPress site! ⚠

GoDaddy found crooks in its network, and kicked them out - but not before they'd been in there for six weeks.

📖 Read

via "Naked Security".
⚠ Black Friday and Cyber Monday – here’s what you REALLY need to do! ⚠

The world fills up with cybersecurity tips every year when Black Friday comes round. But what about the rest of the year?

📖 Read

via "Naked Security".
‼ CVE-2021-40830 ‼

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user-supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or from the system's default trust store. Attackers with access to a host's trust stores, or who are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case), may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust store, which corrects this issue. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Linux/Unix. Amazon Web Services AWS-C-IO 0.10.4 on Linux/Unix.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-40828 ‼

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify the server certificate hostname during the TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.3.3 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.5.18 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Microsoft Windows.

📖 Read

via "National Vulnerability Database".
‼ CVE-2020-22719 ‼

Shimo Document v2.0.1 contains a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the table content text field.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-40829 ‼

Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify the server certificate hostname during the TLS handshake when overriding Certificate Authorities (CA) in their trust stores on macOS. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.4.2 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on macOS. Amazon Web Services AWS-C-IO 0.10.4 on macOS.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-40831 ‼

The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user-supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is not enabled when the CA has been "overridden". TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or from the system's default trust store. Attackers with access to a host's trust stores, or who are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case), may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to address this behavior. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS. Amazon Web Services AWS-C-IO 0.10.7 on macOS.

📖 Read

via "National Vulnerability Database".
πŸ—“οΈ GoDaddy managed WordPress hosting service breach exposed 1.2m user profiles πŸ—“οΈ

External investigation finds the breach dates back more than two months.

📖 Read

via "The Daily Swig".
⚠ Check your patches – public exploit now out for critical Exchange bug ⚠

It was a zero-day bug until Patch Tuesday, now there's an anyone-can-use-it exploit. Don't be the one who hasn't patched.

📖 Read

via "Naked Security".