‼ CVE-2021-33430 ‼
📖 Read
via "National Vulnerability Database".
A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-23814 ‼
📖 Read
via "National Vulnerability Database".
This affects the package unisharp/laravel-filemanager from 0.0.0. The upload() function does not sufficiently validate the file type when uploading. An attacker may be able to reproduce the following steps: - Install a package with a web Laravel application. - Navigate to the Upload window - Upload an image file, then capture the request - Edit the request contents with a malicious file (webshell) - Enter the path of file uploaded on URL - Remote Code Execution **Note: Prevention for bad extensions can be done by using a whitelist in the config file(lfm.php). Corresponding document can be found in the [here](https://unisharp.github.io/laravel-filemanager/configfolder-categories).📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43840 ‼
📖 Read
via "National Vulnerability Database".
message_bus is a messaging bus for Ruby processes and web clients. In versions prior to 3.3.7 users who deployed message bus with diagnostics features enabled (default off) are vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application as the number of steps up the directories is not bounded. For deployments which uses a proxy, the impact varies. For example, If a request goes through a proxy like Nginx with `merge_slashes` enabled, the number of steps up the directories that can be read is limited to 3 levels. This issue has been patched in version 3.3.7. Users unable to upgrade should ensure that MessageBus::Diagnostics is disabled.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-34141 ‼
📖 Read
via "National Vulnerability Database".
Incomplete string comparison in the numpy.core component in NumPy1.9.x, which allows attackers to fail the APIs via constructing specific string objects.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43838 ‼
📖 Read
via "National Vulnerability Database".
jsx-slack is a library for building JSON objects for Slack Block Kit surfaces from JSX. In versions prior to 4.5.1 users are vulnerable to a regular expression denial-of-service (ReDoS) attack. If attacker can put a lot of JSX elements into `<blockquote>` tag, an internal regular expression for escaping characters may consume an excessive amount of computing resources. jsx-slack v4.5.1 has patched to a regex for escaping blockquote characters. Users are advised to upgrade as soon as possible.📖 Read
via "National Vulnerability Database".
🕴 How Risky Is the Log4J Vulnerability? 🕴
📖 Read
via "Dark Reading".
Security teams around the world are on high alert dealing with the Log4j vulnerability, but how risky is it, really?📖 Read
via "Dark Reading".
Dark Reading
How Risky Is the Log4J Vulnerability?
Security teams around the world are on high alert dealing with the Log4j vulnerability, but how risky is it, really?
‼ CVE-2021-41498 ‼
📖 Read
via "National Vulnerability Database".
Buffer overflow in ajaxsoundstudio.com Pyo < and 1.03 in the Server_jack_init function. which allows attackers to conduct Denial of Service attacks by arbitrary constructing a overlong server name.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41499 ‼
📖 Read
via "National Vulnerability Database".
Buffer Overflow Vulnerability exists in ajaxsoundstudio.com n Pyo < 1.03 in the Server_debug function, which allows remote attackers to conduct DoS attacks by deliberately passing on an overlong audio file name.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41500 ‼
📖 Read
via "National Vulnerability Database".
Incomplete string comparison vulnerability exits in cvxopt.org cvxop <= 1.2.6 in APIs (cvxopt.cholmod.diag, cvxopt.cholmod.getfactor, cvxopt.cholmod.solve, cvxopt.cholmod.spsolve), which allows attackers to conduct Denial of Service attacks by construct fake Capsule objects.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41497 ‼
📖 Read
via "National Vulnerability Database".
Null pointer reference in CMS_Conservative_increment_obj in RaRe-Technologies bounter version 1.01 and 1.10, allows attackers to conduct Denial of Service attacks by inputting a huge width of hash bucket.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-4130 ‼
📖 Read
via "National Vulnerability Database".
snipe-it is vulnerable to Cross-Site Request Forgery (CSRF)📖 Read
via "National Vulnerability Database".
‼ CVE-2021-4131 ‼
📖 Read
via "National Vulnerability Database".
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)📖 Read
via "National Vulnerability Database".
‼ CVE-2021-45105 ‼
📖 Read
via "National Vulnerability Database".
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0 and 2.12.3.📖 Read
via "National Vulnerability Database".
📢 Industry working group aims to standardize blockchain 'Identity of Things' 📢
📖 Read
via "ITPro".
Universal standards for blockchain-based identities aims to help promote interoperability and communication between IoT devices📖 Read
via "ITPro".
IT PRO
Industry working group aims to standardize blockchain 'Identity of Things' | IT PRO
Universal standards for blockchain-based identities aims to help promote interoperability and communication between IoT devices
📢 Sennheiser exposed personal data of 28,000 customers with leaky S3 bucket 📢
📖 Read
via "ITPro".
Server containing full names, email addresses, phone numbers, and supplier information was left open to the public for three years📖 Read
via "ITPro".
IT PRO
Sennheiser exposed personal data of 28,000 customers with leaky S3 bucket | IT PRO
Server containing full names, email addresses, phone numbers, and supplier information was left open to the public for three years
📢 Kronos services knocked offline by ransomware attack 📢
📖 Read
via "ITPro".
The popular human resources solutions provider has admitted that it may take "several weeks" to recover📖 Read
via "ITPro".
IT PRO
Kronos services knocked offline by ransomware attack | IT PRO
The popular human resources solutions provider has admitted that it may take "several weeks" to recover
📢 Gumtree site code made personal data of users and sellers publicly accessible 📢
📖 Read
via "ITPro".
Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website📖 Read
via "ITPro".
IT PRO
Gumtree site code made personal data of users and sellers publicly accessible | IT PRO
Anyone could scan the website's HTML code to reveal personal information belonging to users of the popular second-hand classified adverts website
👍1
📢 Ransomware groups will target smaller businesses in 2022 - report 📢
📖 Read
via "ITPro".
Scrutiny from law enforcement is causing groups to change tack, says analyst📖 Read
via "ITPro".
IT PRO
Ransomware groups will target smaller businesses in 2022 - report | IT PRO
Scrutiny from law enforcement is causing groups to change tack, says analyst
📢 Meta expands bug bounty programme to cover data scraping 📢
📖 Read
via "ITPro".
The move comes two years after a massive scraping incident on Facebook that resulted in data leaking online📖 Read
via "ITPro".
IT PRO
Meta expands bug bounty programme to cover data scraping | IT PRO
The move comes two years after a massive scraping incident on Facebook that resulted in data leaking online
📢 What is the Log4Shell vulnerability? 📢
📖 Read
via "ITPro".
The critical flaw affecting products built using Java is set to cause headaches in the enterprise for months to come📖 Read
via "ITPro".
ITPro
What is the Log4Shell vulnerability?
The critical flaw affecting products built using Java is set to cause headaches in the enterprise for months to come
📢 Australia and US sign CLOUD Act data-sharing deal to support criminal investigations 📢
📖 Read
via "ITPro".
The legislation allows law enforcement to simplify the process of obtaining electronic data from another country📖 Read
via "ITPro".
IT PRO
Australia and US sign CLOUD Act data-sharing deal to support criminal investigations | IT PRO
The legislation allows law enforcement to simplify the process of obtaining electronic data from another country