βΌ CVE-2021-45099 βΌ
π Read
via "National Vulnerability Database".
** DISPUTED ** The addon.stdin service in addon-ssh (aka Home Assistant Community Add-on: SSH & Web Terminal) before 10.0.0 has an attack surface that requires social engineering. NOTE: the vendor does not agree that this is a vulnerability; however, addon.stdin was removed as a defense-in-depth measure against complex social engineering situations.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45088 βΌ
π Read
via "National Vulnerability Database".
XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45098 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45092 βΌ
π Read
via "National Vulnerability Database".
Thinfinity VirtualUI before 3.0 has functionality in /lab.html reachable by default that could allow IFRAME injection via the vpath parameter.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45097 βΌ
π Read
via "National Vulnerability Database".
KNIME Server before 4.12.6 and 4.13.x before 4.13.4 (when installed in unattended mode) keeps the administrator's password in a file without appropriate file access controls, allowing all local users to read its content.π Read
via "National Vulnerability Database".
π΄ Rise in API-Based Attacks Underscore Investments in New Tools π΄
π Read
via "Dark Reading".
Noname Security's Series C fundraising tips the startup to over $1 billion in valuation, a sign that organizations are beginning to look for API security tools and investor are looking for innovation in the space.π Read
via "Dark Reading".
Dark Reading
Rise in API-Based Attacks Underscore Investments in New Tools
Noname Security's Series C fundraising tips the startup to over $1 billion in valuation -- a sign that organizations are beginning to look for API security tools and investors are looking for innovation in the space.
βΌ CVE-2021-4121 βΌ
π Read
via "National Vulnerability Database".
yetiforcecrm is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')π Read
via "National Vulnerability Database".
βΌ CVE-2021-4123 βΌ
π Read
via "National Vulnerability Database".
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)π Read
via "National Vulnerability Database".
ποΈ How expired web domains help criminal hackers unlock enterprise defenses ποΈ
π Read
via "The Daily Swig".
Allow domains to βdropβ and youβre increasing the effectiveness of a variety of attacksπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
How expired web domains help criminal hackers unlock enterprise defenses
Allow domains to βdropβ and youβre increasing the effectiveness of a variety of attacks
βΌ CVE-2021-40835 βΌ
π Read
via "National Vulnerability Database".
An URL Address bar spoofing vulnerability was discovered in Safe Browser for iOS. When user clicks on a specially crafted a malicious URL, if user does not carefully pay attention to url, user may be tricked to think content may be coming from a valid domain, while it comes from another. This is performed by using a very long username part of the url so that user cannot see the domain name. A remote attacker can leverage this to perform url address bar spoofing attack. The fix is, browser no longer shows the user name part in address bar.π Read
via "National Vulnerability Database".
β βDarkWatchmanβ RAT Shows Evolution in Fileless Malware β
π Read
via "Threat Post".
The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access.π Read
via "Threat Post".
Threat Post
βDarkWatchmanβ RAT Shows Evolution in Fileless Malware
The new tool manipulates Windows Registry in unique ways to evade security detections and is likely being used by ransomware groups for initial network access.
ποΈ UK government reveals plans to become βglobal cyber powerβ in 2022 ποΈ
π Read
via "The Daily Swig".
National Cyber Security Centre leads scheme to increase capabilitiesπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
UK government reveals plans to become βglobal cyber powerβ in 2022
National Cyber Security Centre leads scheme to increase capabilities
π΄ Dear Congress: It's Complicated. Please Consider This When Crafting New Cybersecurity Legislation π΄
π Read
via "Dark Reading".
As mandatory reporting bills work their way through the halls of Congress, what should businesses do to prepare for this pending legislation?π Read
via "Dark Reading".
Dark Reading
Dear Congress: It's Complicated. Please Consider This When Crafting New Cybersecurity Legislation
As mandatory reporting bills work their way through the halls of Congress, what should businesses do to prepare for this pending legislation?
βΌ CVE-2021-4124 βΌ
π Read
via "National Vulnerability Database".
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')π Read
via "National Vulnerability Database".
π¦Ώ How to install the ConfigServer and Security Firewall combo on Ubuntu Server π¦Ώ
π Read
via "Tech Republic".
If you'd like a powerful firewall for your Ubuntu Server, but one that offers a fairly straightforward configuration, Jack Wallen thinks CSF might be the right tool for the job.π Read
via "Tech Republic".
TechRepublic
How to install the ConfigServer and Security Firewall combo on Ubuntu Server
If you'd like a powerful firewall for your Ubuntu Server, but one that offers a fairly straightforward configuration, Jack Wallen thinks CSF might be the right tool for the job.
ποΈ SAP squashes SQL injection, XSS bugs in December patch round ποΈ
π Read
via "The Daily Swig".
CVSS severity scores range from 2.4 to 9.9π Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
SAP squashes SQL injection, XSS bugs in December patch round
CVSS severity scores range from 2.4 to 9.9
βΌ CVE-2021-3959 βΌ
π Read
via "National Vulnerability Database".
A Server-Side Request Forgery (SSRF) vulnerability in the EPPUpdateService component of Bitdefender Endpoint Security Tools allows an attacker to proxy requests to the relay server. This issue affects: Bitdefender Bitdefender GravityZone versions prior to 3.3.8.272π Read
via "National Vulnerability Database".
βΌ CVE-2021-3960 βΌ
π Read
via "National Vulnerability Database".
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the UpdateServer component of Bitdefender GravityZone allows an attacker to execute arbitrary code on vulnerable instances. This issue affects Bitdefender GravityZone versions prior to 3.3.8.272π Read
via "National Vulnerability Database".
β Apple security updates are out β and not a Log4Shell mention in sight β
π Read
via "Naked Security".
Get 'em while they're hot!π Read
via "Naked Security".
Naked Security
Apple security updates are out β and not a Log4Shell mention in sight
Get βem while theyβre hot!
βοΈ NY Man Pleads Guilty in $20 Million SIM Swap Theft βοΈ
π Read
via "Krebs on Security".
A 24-year-old New York man who bragged about helping to steal more than $20 million worth of cryptocurrency from a technology executive has pleaded guilty to conspiracy to commit wire fraud. Nicholas Truglia was part of a group alleged to have stolen more than $100 million from cryptocurrency investors using fraudulent "SIM swaps," scams in which identity thieves hijack a targetβs mobile phone number and use that to wrest control over the victimβs online identities.π Read
via "Krebs on Security".
Krebs on Security
NY Man Pleads Guilty in $20 Million SIM Swap Theft
A 24-year-old New York man who bragged about helping to steal more than $20 million worth of cryptocurrency from a technology executive has pleaded guilty to conspiracy to commit wire fraud. Nicholas Truglia was part of a group alleged toβ¦
π΄ Log4Shell: The Big Picture π΄
π Read
via "Dark Reading".
A look at why this is such a tricky vulnerability and why the industry response has been good, but not great.π Read
via "Dark Reading".
Dark Reading
Log4Shell: The Big Picture
A look at why this is such a tricky vulnerability and why the industry response has been good, but not great.