βΌ CVE-2021-36722 βΌ
π Read
via "National Vulnerability Database".
Emuse - eServices / eNvoice SQL injection can be used in various ways ranging from bypassing login authentication or dumping the whole database to full RCE on the affected endpoints. The SQLi caused by CWE-209: Generation of Error Message Containig Sensetive Information, showing parts of the aspx code and the webroot location , information an attacker can leverage to further compromise the host.π Read
via "National Vulnerability Database".
βΌ CVE-2021-4175 βΌ
π Read
via "National Vulnerability Database".
livehelperchat is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')π Read
via "National Vulnerability Database".
β Threat Advisory: E-commerce Bots Use Domain Registration Services for Mass (Fake) Account Creation β
π Read
via "Threat Post".
Jason Kent is Hacker-in-Residence at Cequence Security.π Read
via "Threat Post".
Threat Post
Threat Advisory: E-commerce Bots Use Domain Registration Services for Mass Account Fraud
Jason Kent, hacker-in-residence at Cequence Security, discusses sneaky shopping bot tactics (i.e., domain parking) seen in a mass campaign, and what retail security teams can do about them.
βΌ CVE-2021-45885 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Stormshield Network Security (SNS) 4.2.2 through 4.2.7 (fixed in 4.2.8). Under a specific update-migration scenario, the first SSH password change does not properly clear the old password.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25993 βΌ
π Read
via "National Vulnerability Database".
In Requarks wiki.js, versions 2.0.0-beta.147 to 2.5.255 are affected by Stored XSS vulnerability, where a low privileged (editor) user can upload a SVG file that contains malicious JavaScript while uploading assets in the page. That will send the JWT tokens to the attackerΓ’β¬β’s server and will lead to account takeover when accessed by the victim.π Read
via "National Vulnerability Database".
βΌ CVE-2021-23727 βΌ
π Read
via "National Vulnerability Database".
This affects the package celery before 5.2.2. It by default trusts the messages and metadata stored in backends (result stores). When reading task metadata from the backend, the data is deserialized. Given that an attacker can gain access to, or somehow manipulate the metadata within a celery backend, they could trigger a stored command injection vulnerability and potentially gain further access to the system.π Read
via "National Vulnerability Database".
βΌ CVE-2021-4187 βΌ
π Read
via "National Vulnerability Database".
vim is vulnerable to Use After Freeπ Read
via "National Vulnerability Database".
βΌ CVE-2021-36724 βΌ
π Read
via "National Vulnerability Database".
ForeScout - SecureConnector Local Service DoS - A low privilaged user which doesn't have permissions to shutdown the secure connector service writes a large amount of characters in the installationPath. This will cause the buffer to overflow and override the stack cookie causing the service to crash.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43876 βΌ
π Read
via "National Vulnerability Database".
Microsoft SharePoint Elevation of Privilege Vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-4188 βΌ
π Read
via "National Vulnerability Database".
mruby is vulnerable to NULL Pointer Dereferenceπ Read
via "National Vulnerability Database".
π¦Ώ Learn highly marketable ethical hacking skills for less than $45 π¦Ώ
π Read
via "Tech Republic".
Even if you have no tech experience, you can develop valuable skills with the online training offered by The Super-Sized Ethical Hacking Bundle.π Read
via "Tech Republic".
TechRepublic
Learn highly marketable ethical hacking skills for less than $45
Even if you have no tech experience, you can develop valuable skills with the online training offered by The Super-Sized Ethical Hacking Bundle.
βΌ CVE-2021-45427 βΌ
π Read
via "National Vulnerability Database".
Emerson XWEB 300D EVO 3.0.7--3ee403 is affected by: unauthenticated arbitrary file deletion due to path traversal. An attacker can browse and delete files without any authentication due to incorrect access control and directory traversal.π Read
via "National Vulnerability Database".
π΄ In the Fight Against Cybercrime, Takedowns Are Only Temporary π΄
π Read
via "Dark Reading".
Disrupting access to servers and infrastructure continues to interfere with cybercrime activity, but it's far from a perfect strategy.π Read
via "Dark Reading".
Dark Reading
In the Fight Against Cybercrime, Takedowns Are Only Temporary
Disrupting access to servers and infrastructure continues to interfere with cybercrime activity, but it's far from a perfect strategy.
β Instagram copyright infringment scams β donβt get sucked in! β
π Read
via "Naked Security".
We deconstructed a copyright phish so you don't have to. Be warned: the crooks are getting better at these scams...π Read
via "Naked Security".
Naked Security
Instagram copyright infringment scams β donβt get sucked in!
We deconstructed a copyright phish so you donβt have to. Be warned: the crooks are getting better at these scamsβ¦
π΄ Zero Trust and Access: Protecting the Keys to the Kingdom π΄
π Read
via "Dark Reading".
Zero trust moves the control pane closer to the defended asset and attempts to tightly direct access and privileges.π Read
via "Dark Reading".
Dark Reading
Zero Trust and Access: Protecting the Keys to the Kingdom
Zero trust moves the control pane closer to the defended asset and attempts to tightly direct access and privileges.
βΌ CVE-2021-45818 βΌ
π Read
via "National Vulnerability Database".
SAFARI Montage 8.7.32 is affected by a CRLF injection vulnerability which can lead to can lead to HTTP response splitting.π Read
via "National Vulnerability Database".
βΌ CVE-2021-43861 βΌ
π Read
via "National Vulnerability Database".
Mermaid is a Javascript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. Prior to version 8.13.8, malicious diagrams can run javascript code at diagram readers' machines. Users should upgrade to version 8.13.8 to receive a patch. There are no known workarounds aside from upgrading.π Read
via "National Vulnerability Database".
βΌ CVE-2021-45815 βΌ
π Read
via "National Vulnerability Database".
Quectel UC20 UMTS/HSPA+ UC20 6.3.14 is affected by a Cross Site Scripting (XSS) vulnerability.π Read
via "National Vulnerability Database".
ποΈ Swig Security Review 2021 β Part II ποΈ
π Read
via "The Daily Swig".
Key thinkers on the biggest security stories and trends in 2021π Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Swig Security Review 2021 β Part II
Key thinkers on the biggest security stories and trends in 2021
β APT βAquatic Pandaβ Targets Universities with Log4Shell Exploit Tools β
π Read
via "Threat Post".
Researchers from CrowdStrike disrupted an attempt by the threat group to steal industrial intelligence and military secrets from an academic institution.π Read
via "Threat Post".
Threat Post
APT βAquatic Pandaβ Targets Universities with Log4Shell Exploit Tools
Researchers from CrowdStrike disrupted an attempt by the threat group to steal industrial intelligence and military secrets from an academic institution.
ποΈ HCL DX vendor βcould not reproduceβ allegedly critical vulnerabilities ποΈ
π Read
via "The Daily Swig".
Disclosure process for bugs in HCL DX β formerly WebSphere Portal β seemingly went awryπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
HCL DX vendor βcould not reproduceβ allegedly critical vulnerabilities
Disclosure process for bugs in HCL DX β formerly WebSphere Portal β seemingly went awry