🦿 Tips for providing digital security benefits to employees 🦿
Many employers are now offering digital security benefits to help protect their employees. Learn about such arrangements and see how you can get started implementing them.
via "Tech Republic".
🦿 The 10 worst tech stories of 2021 🦿
Have fond memories of 2021? They probably don't include these 10 stories or the products and services surrounding them.
via "Tech Republic".
🦿 The dangers of dark data: How to manage it and mitigate the risks 🦿
Dark data is a major challenge in enterprises, and it's not going away soon. Fortunately, there are ways to reduce dark data and the risks that come with it.
via "Tech Republic".
❌ The 5 Most-Wanted Threatpost Stories of 2021 ❌
A look back at what was hot with readers in this second year of the pandemic.
via "Threat Post".
‼ CVE-2021-38961 ‼
IBM OPENBMC OP910 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 212049.
via "National Vulnerability Database".
‼ CVE-2021-43855 ‼
Wiki.js is a wiki app built on Node.js. Wiki.js 2.5.263 and earlier is vulnerable to stored cross-site scripting through an SVG file upload made via a custom request with a fake MIME type. By creating a crafted SVG file, a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the SVG is viewed directly by other users. Scripts do not execute when the SVG is loaded inside a page via normal `<img>` tags. The malicious SVG can only be uploaded by crafting a custom request to the server with a fake MIME type. A patch in version 2.5.264 fixes this vulnerability by adding an additional file extension verification check to the optional (enabled by default) SVG sanitization step for all file uploads that match the SVG MIME type. As a workaround, disable file upload for all non-trusted users.
via "National Vulnerability Database".
‼ CVE-2021-43856 ‼
Wiki.js is a wiki app built on Node.js. Wiki.js 2.5.263 and earlier is vulnerable to stored cross-site scripting through non-image file uploads for file types that can be viewed directly inline in the browser. By creating a malicious file which can execute inline JS when viewed in the browser (e.g. XML files), a malicious Wiki.js user may stage a stored cross-site scripting attack. This allows the attacker to execute malicious JavaScript when the file is viewed directly by other users. The file must be opened directly by the user and will not trigger directly in a normal Wiki.js page. A patch in version 2.5.264 fixes this vulnerability by adding an optional (enabled by default) force download flag to all non-image file types, preventing the file from being viewed inline in the browser. As a workaround, disable file upload for all non-trusted users. --- Thanks to @Haxatron for reporting this vulnerability. Initially reported via https://huntr.dev/bounties/266bff09-00d9-43ca-a4bb-bb540642811f/
via "National Vulnerability Database".
‼ CVE-2021-43845 ‼
PJSIP is a free and open source multimedia communication library. In version 2.11.1 and prior, if an incoming RTCP XR message contains a block, the data field is not checked against the received packet size, potentially resulting in an out-of-bounds read. This affects all users that use PJMEDIA and RTCP XR. A malicious actor can send an RTCP XR message with an invalid packet size.
via "National Vulnerability Database".
❌ Global Cyberattacks from Nation-State Actors Posing Greater Threats ❌
Casey Ellis, CTO at Bugcrowd, outlines how international relations have deteriorated into a new sort of Cold War, with espionage playing out in the cyber-domain.
via "Threat Post".
‼ CVE-2021-21751 ‼
ZTE BigVideo analysis product has an input verification vulnerability. Due to the inconsistency between the front-end and back-end verifications when configuring the large screen page, an attacker with high privileges could exploit this vulnerability to tamper with the URL and cause a service exception.
via "National Vulnerability Database".
‼ CVE-2021-43857 ‼
Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.
via "National Vulnerability Database".
‼ CVE-2021-21750 ‼
ZTE BigVideo Analysis product has a privilege escalation vulnerability. Due to improper management of the timed task modification privilege, an attacker with ordinary user permissions could exploit this vulnerability to gain unauthorized access.
via "National Vulnerability Database".
‼ CVE-2021-45890 ‼
basic/BasicAuthProvider.java in AuthGuard before 0.9.0 allows authentication via an inactive identifier.
via "National Vulnerability Database".
‼ CVE-2021-32993 ‼
IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) contains hard-coded credentials, such as a password or a cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
via "National Vulnerability Database".
‼ CVE-2021-33017 ‼
The standard access path of the IntelliBridge EC 40 and 60 Hub (C.00.04 and prior) requires authentication, but the product has an alternate path or channel that does not require authentication.
via "National Vulnerability Database".
‼ CVE-2021-43548 ‼
Patient Information Center iX (PIC iX) Versions C.02 and C.03 receives input or data, but does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly.
via "National Vulnerability Database".
‼ CVE-2021-43552 ‼
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered from the Patient Information Center iX (PIC iX) Versions B.02, C.02, and C.03.
via "National Vulnerability Database".
‼ CVE-2021-4161 ‼
The affected products contain vulnerable firmware, which could allow an attacker to sniff the traffic and decrypt login credential details. This could give an attacker admin rights through the HTTP web server.
via "National Vulnerability Database".
‼ CVE-2021-43550 ‼
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information, which affects the communications between Patient Information Center iX (PIC iX) Versions C.02 and C.03 and Efficia CM Series Revisions A.01 to C.0x and 4.0.
via "National Vulnerability Database".
‼ CVE-2021-23244 ‼
ColorOS pre-grants dangerous permissions to apps listed in a whitelist XML file named default-grant-permissions. Because some apps in the whitelist are not installed, an attacker can disguise an app with the same package name to obtain dangerous permissions.
via "National Vulnerability Database".
‼ CVE-2021-35232 ‼
Hard-coded credentials were discovered in the SolarWinds Web Help Desk product. With these credentials, an attacker with local access to the Web Help Desk host machine can execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of users or insert arbitrary data into the database.
via "National Vulnerability Database".