βΌ CVE-2020-20600 βΌ
π Read
via "National Vulnerability Database".
MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20595 βΌ
π Read
via "National Vulnerability Database".
A cross-site request forgery (CSRF) in OPMS v1.3 and below allows attackers to arbitrarily add a user account via /user/add.π Read
via "National Vulnerability Database".
βΌ CVE-2020-20597 βΌ
π Read
via "National Vulnerability Database".
A cross-site scripting (XSS) vulnerability in the potrtalItemName parameter in \web\PortalController.java of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44548 βΌ
π Read
via "National Vulnerability Database".
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45463 βΌ
π Read
via "National Vulnerability Database".
GEGL before 0.4.34 allows shell expansion when a pathname in a constructed command line is not escaped or filtered. This is caused by use of the system library function for execution of the ImageMagick convert fallback in magick-load.π Read
via "National Vulnerability Database".
βΌ CVE-2021-4144 βΌ
π Read
via "National Vulnerability Database".
TP-Link wifi router TL-WR802N V4(JP), with firmware version prior to 211202, is vulnerable to OS command injection.π Read
via "National Vulnerability Database".
π1
ποΈ US clothing supplier Pro Wrestling Tees hit by data breach ποΈ
π Read
via "The Daily Swig".
Law enforcement alerted company to compromise of payment card infoπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
US clothing supplier Pro Wrestling Tees hit by data breach
Law enforcement alerted company to compromise of payment card info
β Plundered bitcoins recovered by FBI β all 3,879-and-one-sixth of them! β
π Read
via "Naked Security".
Phew! An audacious crime... that didn't work out.π Read
via "Naked Security".
Naked Security
Plundered bitcoins recovered by FBI β all 3,879-and-one-sixth of them!
Phew! An audacious crimeβ¦ that didnβt work out.
β βSpider-Man: No Way Homeβ Download Installs Cryptominer β
π Read
via "Threat Post".
The origin of the Monero cryptominer file has been traced to a Russian torrent website, researchers report.π Read
via "Threat Post".
Threat Post
βSpider-Man: No Way Homeβ Download Installs Cryptominer
The origin of the Monero cryptominer file has been traced to a Russian torrent website, researchers report.
βΌ CVE-2021-44600 βΌ
π Read
via "National Vulnerability Database".
The password parameter on Simple Online Mens Salon Management System (MSMS) 1.0 appears to be vulnerable to SQL injection attacks through the password parameter. The predictive tests of this application interacted with that domain, indicating that the injected SQL query was executed. The attacker can retrieve all authentication and information about the users of this system.π Read
via "National Vulnerability Database".
βΌ CVE-2021-44599 βΌ
π Read
via "National Vulnerability Database".
The id parameter from Online Enrollment Management System 1.0 system appears to be vulnerable to SQL injection attacks. A crafted payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can retrieve sensitive information for all users of this system.π Read
via "National Vulnerability Database".
ποΈ Wireless coexistence β New attack technique exploits Bluetooth, WiFi performance features for βinter-chip privilege escalationβ ποΈ
π Read
via "The Daily Swig".
Attackers can use connections between wireless chips to steal data or credentials, researchers findπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Wireless coexistence β New attack technique exploits Bluetooth, WiFi performance features for βinter-chip privilege escalationβ
Attackers can use connections between wireless chips to steal data or credentials, researchers find
β Telegram Abused to Steal Crypto-Wallet Credentials β
π Read
via "Threat Post".
Attackers use the Telegram handle βSmokes Nightβ to spread the malicious Echelon infostealer, which steals credentials for cryptocurrency and other user accounts, researchers said.π Read
via "Threat Post".
Threat Post
Telegram Abused to Steal Crypto-Wallet Credentials
Attackers use the Telegram handle βSmokes Nightβ to spread the malicious Echelon infostealer, which steals credentials for cryptocurrency and other user accounts, researchers said.
π¦Ώ How to deploy a Bitwarden server with Docker π¦Ώ
π Read
via "Tech Republic".
Are you looking to deploy an in-house password manager server? Jack Wallen shows you how with Bitwarden and Docker.π Read
via "Tech Republic".
TechRepublic
How to deploy a Bitwarden server with Docker
Are you looking to deploy an in-house password manager server? Jack Wallen shows you how with Bitwarden and Docker.
ποΈ Popular WordPress platform Flywheel vulnerable to subdomain takeover ποΈ
π Read
via "The Daily Swig".
Malicious actors could wreak havoc by impersonating legitimate websitesπ Read
via "The Daily Swig".
βΌ CVE-2021-44526 βΌ
π Read
via "National Vulnerability Database".
Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23175 βΌ
π Read
via "National Vulnerability Database".
NVIDIA GeForce Experience contains a vulnerability in user authorization, where GameStream does not correctly apply individual user access controls for users on the same device, which, with user intervention, may lead to escalation of privileges, information disclosure, data tampering, and denial of service, affecting other resources beyond the intended security authority of GameStream.π Read
via "National Vulnerability Database".
βΌ CVE-2021-3892 βΌ
π Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-18198. Reason: This candidate is a reservation duplicate of CVE-2019-18198. Notes: All CVE users should reference CVE-2019-18198 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.π Read
via "National Vulnerability Database".
β The cool retro phone with a REAL DIALβ¦ plus plenty of IoT problems β
π Read
via "Naked Security".
You know you want one, because this retro phone is NOT A TOY... except when it comes to cybersecurity.π Read
via "Naked Security".
Naked Security
The cool retro phone with a REAL DIAL⦠plus plenty of IoT problems
You know you want one, because this retro phone is NOT A TOY⦠except when it comes to cybersecurity.
β 4-Year-Old Microsoft Azure Zero-Day Exposes Web App Source Code β
π Read
via "Threat Post".
The security vulnerability could expose passwords and access tokens, along with blueprints for internal infrastructure and finding software vulnerabilities.π Read
via "Threat Post".
Threat Post
4-Year-Old Microsoft Azure Zero-Day Exposes Web App Source Code
The security vulnerability could expose passwords and access tokens, along with blueprints for internal infrastructure and finding software vulnerabilities.
βΌ CVE-2021-43854 βΌ
π Read
via "National Vulnerability Database".
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. Versions prior to 3.6.5 are vulnerable to regular expression denial of service (ReDoS) attacks. The vulnerability is present in PunktSentenceTokenizer, sent_tokenize and word_tokenize. Any users of this class, or these two functions, are vulnerable to the ReDoS attack. In short, a specifically crafted long input to any of these vulnerable functions will cause them to take a significant amount of execution time. If your program relies on any of the vulnerable functions for tokenizing unpredictable user input, then we would strongly recommend upgrading to a version of NLTK without the vulnerability. For users unable to upgrade the execution time can be bounded by limiting the maximum length of an input to any of the vulnerable functions. Our recommendation is to implement such a limit.π Read
via "National Vulnerability Database".