CVE-2021-44150
via "National Vulnerability Database".
The client in tusdotnet through 2.5.0 relies on SHA-1 to prevent spoofing of file content.
CVE-2021-32004
via "National Vulnerability Database".
This issue affects: Secomea GateManager, all versions prior to 9.6. An improper check of the Host header in the web server of Secomea GateManager allows an attacker to cause browser cache poisoning.
GoDaddy Breach Exposes SSL Keys of Managed WordPress Hosting Customers
via "Dark Reading".
The incident, which affected 1.2 million users, raises concerns about domain impersonation attacks and other malicious activities.
GoDaddy admits to password breach: check your Managed WordPress site!
via "Naked Security".
GoDaddy found crooks in its network, and kicked them out - but not before they'd been in there for six weeks.
Black Friday and Cyber Monday - here's what you REALLY need to do!
via "Naked Security".
The world fills up with cybersecurity tips every year when Black Friday comes round. But what about the rest of the year?
CVE-2021-40830
via "National Vulnerability Database".
The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user-supplied Certificate Authority (CA) to the root CAs instead of overriding it on Unix systems. TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or from the system's default trust store. Attackers with access to a host's trust stores, or who are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case), may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to override the default trust store. This corrects this issue. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Linux/Unix. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Linux/Unix. Amazon Web Services AWS-C-IO 0.10.4 on Linux/Unix.
CVE-2021-40828
via "National Vulnerability Database".
Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.3.3), Python (versions prior to 1.5.18), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.1) did not verify the server certificate hostname during the TLS handshake when overriding Certificate Authorities (CA) in their trust stores on Windows. This issue has been addressed in aws-c-io submodule versions 0.9.13 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.3.3 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.5.18 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on Microsoft Windows. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on Microsoft Windows.
CVE-2020-22719
via "National Vulnerability Database".
Shimo Document v2.0.1 contains a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload inserted into the table content text field.
CVE-2021-40829
via "National Vulnerability Database".
Connections initialized by the AWS IoT Device SDK v2 for Java (versions prior to 1.4.2), Python (versions prior to 1.6.1), C++ (versions prior to 1.12.7) and Node.js (versions prior to 1.5.3) did not verify the server certificate hostname during the TLS handshake when overriding Certificate Authorities (CA) in their trust stores on macOS. This issue has been addressed in aws-c-io submodule versions 0.10.5 onward. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.4.2 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.6.1 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.12.7 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.5.3 on macOS. Amazon Web Services AWS-C-IO 0.10.4 on macOS.
CVE-2021-40831
via "National Vulnerability Database".
The AWS IoT Device SDK v2 for Java, Python, C++ and Node.js appends a user-supplied Certificate Authority (CA) to the root CAs instead of overriding it on macOS systems. Additionally, SNI validation is not enabled when the CA has been "overridden". TLS handshakes will thus succeed if the peer can be verified either from the user-supplied CA or from the system's default trust store. Attackers with access to a host's trust stores, or who are able to compromise a certificate authority already in the host's trust store (note: the attacker must also be able to spoof DNS in this case), may be able to use this issue to bypass CA pinning. An attacker could then spoof the MQTT broker, and either drop traffic and/or respond with the attacker's data, but they would not be able to forward this data on to the MQTT broker because the attacker would still need the user's private keys to authenticate against the MQTT broker. The 'aws_tls_ctx_options_override_default_trust_store_*' function within the aws-c-io submodule has been updated to address this behavior. This issue affects: Amazon Web Services AWS IoT Device SDK v2 for Java versions prior to 1.5.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Python versions prior to 1.7.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for C++ versions prior to 1.14.0 on macOS. Amazon Web Services AWS IoT Device SDK v2 for Node.js versions prior to 1.6.0 on macOS. Amazon Web Services AWS-C-IO 0.10.7 on macOS.
GoDaddy managed WordPress hosting service breach exposed 1.2m user profiles
via "The Daily Swig".
External investigation finds breach dates back more than two months.
Check your patches - public exploit now out for critical Exchange bug
via "Naked Security".
It was a zero-day bug until Patch Tuesday, now there's an anyone-can-use-it exploit. Don't be the one who hasn't patched.
US government warns of increased ransomware threats during Thanksgiving
via "Tech Republic".
Though the feds haven't identified any specific known threats, criminals are prone to strike when key employees are traveling or spending time with family and friends.
If you're serious about privacy, it's time to use DuckDuckGo as your default Android browser
via "Tech Republic".
Third-party app trackers have become a real problem on Android, and DuckDuckGo is doing something about it. Find out why Jack Wallen believes this is the browser you need to use.
How Sun Tzu's Wisdom Can Rewrite the Rules of Cybersecurity
via "Dark Reading".
The ancient Chinese military strategist Sun Tzu would agree: The best defense is to avoid an attack in the first place.
Research has come a long way, but gaps remain - security researcher Artur Janc on the state of XS-Leaks
via "The Daily Swig".
"By focusing on XS-Leaks as a fundamental vulnerability class, we help raise their profile and make it easier for developers to understand their impact"
Dump Chrome as your default browser on Android
via "Tech Republic".
Jack Wallen tells us why Android users should switch from Chrome as their default browser.
CVE-2021-37004
via "National Vulnerability Database".
There is an Improper Input Validation vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause a kernel crash.
CVE-2021-37012
via "National Vulnerability Database".
There is a Data Processing Errors vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability will cause a kernel crash.
CVE-2021-37034
via "National Vulnerability Database".
There is an Unstandardized Field Names vulnerability in Huawei Smartphone. Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2021-22410
via "National Vulnerability Database".
There is an XSS injection vulnerability in iMaster NCE-Fabric V100R019C10. A module of the client does not verify the input sufficiently. Attackers can exploit this vulnerability by modifying input after logging onto the client. This may compromise the normal service of the client.