DG Insights to Help Leaders Assess DLP Effectiveness
Read via "Digital Guardian".
Digital Guardian's Managed Security Program customers can now receive a weekly email that gives further insight into their organization's data movement.
Apple needs to un-Mac-ify security and privacy in Safari
Read via "Tech Republic".
Safari is a good browser, but it could be better. Unfortunately, one area that requires improvement is the un-Mac-ifying of the privacy settings. Find out what Jack Wallen means by this.
Decrypting diversity: One in five UK infosec professionals say they've experienced discrimination at work
Read via "The Daily Swig".
Report states diversity and inclusion within the industry is lagging behind.
Apple's NSO Group Lawsuit Amps Up Pressure on Pegasus Spyware-Maker
Read via "Threat Post".
Just weeks after a judge ruled that NSO Group did not have immunity in a suit brought by Facebook subsidiary WhatsApp, Apple is adding significant weight to the company's woes.
GoDaddy Breach Widens to Include Reseller Subsidiaries
Read via "Threat Post".
Customers of several brands that resell GoDaddy Managed WordPress have also been caught up in the big breach, in which millions of emails, passwords and more were stolen.
GNU Privacy Guard 2.2.33
Read via "Packet Storm Security".
GnuPG (the GNU Privacy Guard or GPG) is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures. It includes an advanced key management facility and is compliant with the proposed OpenPGP Internet standard as described in RFC2440. As such, it is meant to be compatible with PGP from NAI, Inc. Because it does not use any patented algorithms, it can be used without any restrictions. This is the LTS release.
GoDaddy admits to password breach: check your Managed WordPress site!
Read via "Naked Security".
GoDaddy found crooks in its network, and kicked them out - but not before they'd been in there for six weeks.
Check your patches: public exploit now out for critical Exchange bug
Read via "Naked Security".
It was a zero-day bug until Patch Tuesday, now there's an anyone-can-use-it exploit. Don't be the one who hasn't patched.
CVE-2021-20840
Read via "National Vulnerability Database".
Cross-site scripting vulnerability in Booking Package - Appointment Booking Calendar System versions prior to 1.5.11 allows a remote attacker to inject an arbitrary script via unspecified vectors.
CVE-2021-20843
Read via "National Vulnerability Database".
Cross-site script inclusion vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to alter the settings of the product via a specially crafted web page.
CVE-2021-3554
Read via "National Vulnerability Database".
Improper Access Control vulnerability in the patchesUpdate API as implemented in Bitdefender Endpoint Security Tools for Linux as a relay role allows an attacker to manipulate the remote address used for pulling patches. This issue affects: Bitdefender Endpoint Security Tools for Linux versions prior to 6.6.27.390; versions prior to 7.1.2.33. Bitdefender Unified Endpoint versions prior to 6.2.21.160. Bitdefender GravityZone versions prior to 6.24.1-1.
CVE-2021-20845
Read via "National Vulnerability Database".
Cross-site request forgery (CSRF) vulnerability in Unlimited Sitemap Generator versions prior to v8.2 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page.
CVE-2021-43780
Read via "National Vulnerability Database".
Redash is a package for data visualization and sharing. In versions 10.0 and prior, the implementation of URL-loading data sources like JSON, CSV, or Excel is vulnerable to advanced methods of Server Side Request Forgery (SSRF). These vulnerabilities are only exploitable on installations where a URL-loading data source is enabled. As of time of publication, the `master` and `release/10.x.x` branches address this by applying the Advocate library for making HTTP requests instead of the requests library directly. Users should upgrade to version 10.0.1 to receive this patch. There are a few workarounds for mitigating the vulnerability without upgrading. One can disable the vulnerable data sources entirely, by adding the following env variable to one's configuration, making them unavailable inside the webapp. One can switch any data source of certain types (viewable in the GitHub Security Advisory) to be `View Only` for all groups on the Settings > Groups > Data Sources screen. For users unable to update, an admin may modify Redash's configuration through environment variables to mitigate this issue. Depending on the version of Redash, an admin may also need to run a CLI command to re-encrypt some fields in the database. The `master` and `release/10.x.x` branches as of time of publication have removed the default value for `REDASH_COOKIE_SECRET`. All future releases will also require this to be set explicitly. For existing installations, one will need to ensure that explicit values are set for the `REDASH_COOKIE_SECRET` and `REDASH_SECRET_KEY` variables.
CVE-2021-32037
Read via "National Vulnerability Database".
An authorized user may trigger an invariant which may result in denial of service or server exit if a relevant aggregation request is sent to a shard. Usually, the requests are sent via mongos and special privileges are required in order to know the address of the shards and to log in to the shards of an auth enabled environment.
CVE-2021-20848
Read via "National Vulnerability Database".
Cross-site scripting vulnerability in rwtxt versions prior to v1.8.6 allows a remote attacker to inject an arbitrary script via unspecified vectors.
CVE-2021-20844
Read via "National Vulnerability Database".
Improper neutralization of HTTP request headers for scripting syntax vulnerability in the Web GUI of RTX830 Rev.15.02.17 and earlier, NVR510 Rev.15.01.18 and earlier, NVR700W Rev.15.00.19 and earlier, and RTX1210 Rev.14.01.38 and earlier allows a remote authenticated attacker to obtain sensitive information via a specially crafted web page.
CVE-2021-20841
Read via "National Vulnerability Database".
Improper access control in the Management screen of EC-CUBE 2 series 2.11.2 to 2.17.1 allows a remote authenticated attacker to bypass access restriction and to alter System settings via unspecified vectors.
CVE-2021-20846
Read via "National Vulnerability Database".
Cross-site request forgery (CSRF) vulnerability in Push Notifications for WordPress (Lite) versions prior to 6.0.1 allows a remote attacker to hijack the authentication of an administrator and conduct an arbitrary operation via a specially crafted web page.
CVE-2021-20835
Read via "National Vulnerability Database".
Improper authorization in the handler for a custom URL scheme in the Android app 'Mercari (Merpay) - Marketplace and Mobile Payments App' (Japan version) versions prior to 4.49.1 allows a remote attacker to lead a user to an arbitrary website, which can then launch an arbitrary Activity of the app via the vulnerable app, which may result in the Mercari account's access token being obtained.
CVE-2021-31822
Read via "National Vulnerability Database".
When Octopus Tentacle is installed on a Linux operating system, the systemd service file permissions are misconfigured. This could lead to a local unprivileged user modifying the contents of the systemd service file to gain privileged access.
CVE-2021-41192
Read via "National Vulnerability Database".
Redash is a package for data visualization and sharing. If an admin sets up Redash versions 10.0.0 and prior without explicitly specifying the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables, a default value is used for both that is the same across all installations. In such cases, the instance is vulnerable to attackers being able to forge sessions using the known default value. This issue only affects installations where the `REDASH_COOKIE_SECRET` or `REDASH_SECRET_KEY` environment variables have not been explicitly set. This issue does not affect users of the official Redash cloud images, Redash's Digital Ocean marketplace droplets, or the scripts in the `getredash/setup` repository. These instances automatically generate unique secret keys during installation. One can verify whether one's instance is affected by checking the value of the `REDASH_COOKIE_SECRET` environment variable. If it is `c292a0a3aa32397cdb050e233733900f`, one should follow the steps to secure the instance outlined in the GitHub Security Advisory.