CVE-2021-39313
via "National Vulnerability Database".
The Simple Image Gallery WordPress plugin is vulnerable to Reflected Cross-Site Scripting via the msg parameter found in the ~/simple-image-gallery.php file, which allows attackers to inject arbitrary web scripts, in versions up to and including 1.0.6.
CVE-2021-42069
via "National Vulnerability Database".
When a user opens a manipulated Tagged Image File Format (.tif) file received from untrusted sources in SAP 3D Visual Enterprise Viewer - version 9.0, the application crashes and becomes temporarily unavailable to the user until the application is restarted.
How to Buy Precious Patching Time as Log4j Exploits Fly
via "Threat Post".
Podcast: Cybereason shares details about its vaccine: a fast shot in the arm released within hours of the Apache Log4j zero-day horror show being disclosed.
What the Log4Shell Bug Means for SMBs: Experts Weigh In
via "Threat Post".
An exclusive roundtable of security researchers discuss the specific implications of CVE-2021-44228 for smaller businesses, including what's vulnerable, what an attack looks like and how to remediate.
The 10 worst password snafus of 2021
via "Tech Republic".
Dashlane's sixth annual list of the year's worst password offenders reveals the biggest password security mishaps for 2021.
E-commerce: How to build customer trust without sacrificing security
via "Tech Republic".
Companies must attempt to divert cybercriminals without inconveniencing or possibly exposing customers and their data. One expert explains how it's possible.
Source Code Leaks: The Real Problem Nobody Is Paying Attention To
via "Dark Reading".
Source code is a corporate asset like any other, which makes it an attractive target for hackers.
CVE-2021-44041
via "National Vulnerability Database".
UiPath Assistant 21.4.4 will load and execute attacker-controlled data from the file path supplied to the --dev-widget argument of the URI handler for uipath-assistant://. This allows an attacker to execute code on a victim's machine or capture NTLM credentials by supplying a networked or WebDAV file path.
CVE-2021-38950
via "National Vulnerability Database".
IBM MQ on HPE NonStop 8.0.4 and 8.1.0 is vulnerable to a privilege escalation attack when SharedBindingsUserId is set to effective. IBM X-Force ID: 211404.
CVE-2021-43388
via "National Vulnerability Database".
Unisys Cargo Mobile Application before 1.2.29 uses cleartext to store sensitive information, which might be revealed in a backup. The issue is addressed by ensuring that the allowBackup flag (in the manifest) is False.
CVE-2021-40882
via "National Vulnerability Database".
A Cross Site Scripting (XSS) vulnerability exists in Piwigo 11.5.0 via the system album name and description of the location.
CVE-2021-44042
via "National Vulnerability Database".
An issue was discovered in UiPath Assistant 21.4.4. User-controlled data supplied to the --process-start argument of the URI handler for uipath-assistant:// is not correctly encoded, resulting in attacker-controlled content being injected into the error message displayed (when the injected content does not match an existing process). A determined attacker could leverage this to execute JavaScript in the context of the Electron application.
CVE-2021-44043
via "National Vulnerability Database".
An issue was discovered in UiPath App Studio 21.4.4. There is a persistent XSS vulnerability in the file-upload functionality for uploading icons when attempting to create new Apps. An attacker with minimal privileges in the application can build their own App and upload a malicious file containing an XSS payload, by uploading an arbitrary file and modifying the MIME type in a subsequent HTTP request. This then allows the file to be stored and retrieved from the server by other users in the same organization.
CVE-2021-43807
via "National Vulnerability Database".
Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast versions prior to 9.10 allow HTTP method spoofing, letting the assumed HTTP method be changed via a URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE requests. This bypasses restrictions otherwise put on these types of requests and aids in cross-site request forgery (CSRF) attacks, which would otherwise not be possible. The vulnerability allows attackers to craft links or forms which may change the server state. This issue is fixed in Opencast 9.10 and 10.0. You can mitigate the problem by setting the `SameSite=Strict` attribute for your cookies. Whether this is a viable option for you depends on your integrations. We strongly recommend updating in any case.
Get a year of PlayStation Plus, a lifetime of learning and maximum VPN protection for $64
via "Tech Republic".
You can send your career soaring by learning highly paid skills online from over 1,000 courses without worrying about security, and enjoy a bit of extra gaming during your breaks.
Inside Ireland's Public Healthcare Ransomware Scare
via "Krebs on Security".
The accounting firm PricewaterhouseCoopers recently published lessons learned from the disruptive and costly ransomware attack in May 2021 on Ireland's public health system. The unusually candid post-mortem found that nearly two months elapsed between the initial intrusion and the launching of the ransomware. It also found affected hospitals had tens of thousands of outdated Windows 7 systems, and that the health system's IT administrators failed to respond to multiple warning signs that a massive attack was imminent.
400 Banks' Customers Targeted with Anubis Trojan
via "Threat Post".
The new campaign masqueraded as an Orange Telecom account management app to deliver the latest iteration of Anubis banking malware.
New Microsoft Exchange credential stealing malware could be worse than phishing
via "Tech Republic".
While looking for additional Exchange vulnerabilities in the wake of this year's zero-days, Kaspersky found an IIS add-on that harvests credentials from OWA whenever, and wherever, someone logs in.
CVE-2021-34426
via "National Vulnerability Database".
A vulnerability was discovered in the Keybase Client for Windows before version 5.6.0 when a user executed the "keybase git lfs-config" command on the command-line. In versions prior to 5.6.0, a malicious actor with write access to a user's Git repository could leverage this vulnerability to potentially execute arbitrary Windows commands on a user's local system.
CVE-2021-43821
via "National Vulnerability Database".
Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available via the web interface. Before Opencast 9.10 and 10.6, Opencast would open and include local files during ingests. Attackers could exploit this to include most local files the process has read access to, extracting secrets from the host machine. An attacker would need to have the privileges required to add new media to exploit this, but these are often widely given. The issue has been fixed in Opencast 10.6 and 11.0. You can mitigate this issue by narrowing down the read access Opencast has to files on the file system using UNIX permissions or mandatory access control systems like SELinux. This cannot prevent access to files Opencast needs to read, though, and we highly recommend updating.
CVE-2021-39183
via "National Vulnerability Database".
Owncast is an open source, self-hosted live video streaming and chat server. In affected versions, inline scripts are executed when JavaScript is parsed via a paste action. This issue is patched in 0.0.9 by blocking unsafe-inline in the Content Security Policy and specifying the script-src. The worker-src is required to be set to blob for the video player.