π’ Top 200 most common passwords of 2021 revealed π’
π Read
via "ITPro".
Unsurprisingly, the vast majority take less than a second to crackπ Read
via "ITPro".
IT PRO
Top 200 most common passwords of 2021 revealed | IT PRO
Unsurprisingly, the vast majority take less than a second to crack
π’ UK and US agree deeper data-sharing partnership π’
π Read
via "ITPro".
The partnership will see the two nations form a comprehensive strategy to share data that aligns with both domestic data sharing and protection frameworksπ Read
via "ITPro".
IT PRO
UK and US agree deeper data-sharing partnership | IT PRO
The partnership will see the two nations form a comprehensive strategy to share data that aligns with both domestic data sharing and protection frameworks
π’ HornetSecurity 365 Total Protection review: Keeping email squeaky clean π’
π Read
via "ITPro".
Tough email protection for Microsoft 365 thatβs simple to deploy, easy to manage and very affordableπ Read
via "ITPro".
ITPro
HornetSecurity 365 Total Protection review: Keeping email squeaky clean
Tough email protection for Microsoft 365 thatβs simple to deploy, easy to manage and very affordable
π’ Android bug prevents users from calling emergency services π’
π Read
via "ITPro".
Google has confirmed that the glitch is affecting devices that have Microsoft Teams installedπ Read
via "ITPro".
ITPro
Android bug prevents users from calling emergency services
Google has confirmed that the glitch is affecting devices that have Microsoft Teams installed
βΌ CVE-2021-44833 βΌ
π Read
via "National Vulnerability Database".
The CLI 1.0.0 for Amazon AWS OpenSearch has weak permissions for the configuration file.π Read
via "National Vulnerability Database".
π1
β Log4Shell explained β how it works, why you need to know, and how to fix it β
π Read
via "Naked Security".
Find out how to deal with the Log2Shell vulnerability right across your estate. Yes, you need to patch, but that helps everyone else along with you!π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
βΌ CVE-2021-40858 βΌ
π Read
via "National Vulnerability Database".
Auerswald COMpact 5500R devices before 8.2B allow Arbitrary File Disclosure. A sub-admin can read the cleartext Admin password via the fileName=../../etc/passwd substring.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44847 βΌ
π Read
via "National Vulnerability Database".
A stack-based buffer overflow in handle_request function in DHT.c in toxcore 0.1.9 through 0.1.11 and 0.2.0 through 0.2.12 (caused by an improper length calculation during the handling of received network packets) allows remote attackers to crash the process or potentially execute arbitrary code via a network packet.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44154 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Reprise RLM 14.2. By using an admin account, an attacker can write a payload to /goform/edit_opt, which will then be triggered when running the diagnostics (via /goform/diagnostics_doit), resulting in a buffer overflow.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44155 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in /goform/login_process in Reprise RLM 14.2. When an attacker attempts to login, the response if a username is valid includes Login Failed, but does not include this string if the username is invalid. This allows an attacker to enumerate valid users.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44151 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Reprise RLM 14.2. As the session cookies are small, an attacker can hijack any existing sessions by bruteforcing the 4 hex-character session cookie on the Windows version (the Linux version appears to have 8 characters). An attacker can obtain the static part of the cookie (cookie name) by first making a request to any page on the application (e.g., /goforms/menu) and saving the name of the cookie sent with the response. The attacker can then use the name of the cookie and try to request that same page, setting a random value for the cookie. If any user has an active session, the page should return with the authorized content, when a valid cookie value is hit.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2021-44848 βΌ
π Read
via "National Vulnerability Database".
In Cibele Thinfinity VirtualUI before 3.0, /changePassword returns different responses for invalid authentication requests depending on whether the username exists.π Read
via "National Vulnerability Database".
π1
βΌ CVE-2018-25022 βΌ
π Read
via "National Vulnerability Database".
The Onion module in toxcore before 0.2.2 doesn't restrict which packets can be onion-routed, which allows a remote attacker to discover a target user's IP address (when knowing only their Tox Id) by positioning themselves close to target's Tox Id in the DHT for the target to establish an onion connection with the attacker, guessing the target's DHT public key and creating a DHT node with public key close to it, and finally onion-routing a NAT Ping Request to the target, requesting it to ping the just created DHT node.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44153 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Reprise RLM 14.2. When editing the license file, it is possible for an admin user to enable an option to run arbitrary executables, as demonstrated by an ISV demo "C:\Windows\System32\calc.exe" entry. An attacker can exploit this to run a malicious binary on startup, or when triggering the Reread/Restart Servers function on the webserver. (Exploitation does not require CVE-2018-15573, because the license file is meant to be changed in the application.)π Read
via "National Vulnerability Database".
βΌ CVE-2018-25021 βΌ
π Read
via "National Vulnerability Database".
The TCP Server module in toxcore before 0.2.8 doesn't free the TCP priority queue under certain conditions, which allows a remote attacker to exhaust the system's memory, causing a denial of service (DoS).π Read
via "National Vulnerability Database".
βΌ CVE-2021-44152 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Reprise RLM 14.2. Because /goform/change_password_process does not verify authentication or authorization, an unauthenticated user can change the password of any existing user. This allows an attacker to change the password of any known user, thereby preventing valid users from accessing the system and granting the attacker full access to that user's account.π Read
via "National Vulnerability Database".
βΌ CVE-2021-40856 βΌ
π Read
via "National Vulnerability Database".
Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring.π Read
via "National Vulnerability Database".
βΌ CVE-2021-40857 βΌ
π Read
via "National Vulnerability Database".
Auerswald COMpact 5500R devices before 8.2B allow Privilege Escalation via the passwd=1 substring.π Read
via "National Vulnerability Database".
βΌ CVE-2021-42549 βΌ
π Read
via "National Vulnerability Database".
Insufficient Input Validation in the search functionality of Wordpress plugin Lets-Box prior to 1.15.3 allows unauthenticated user to craft a reflected Cross-Site Scripting attack.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24782 βΌ
π Read
via "National Vulnerability Database".
The Flex Local Fonts WordPress plugin through 1.0.0 does not escape the Class Name field when adding a font, which could allow hight privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24819 βΌ
π Read
via "National Vulnerability Database".
The Page/Post Content Shortcode WordPress plugin through 1.0 does not have proper authorisation in place, allowing users with a role as low as contributor to access draft/private/password protected/trashed posts/pages they should not be allowed to, including posts created by other users such as admins and editors.π Read
via "National Vulnerability Database".
π1