Data Skimmer Hits 100+ Sotheby's Real-Estate Websites
via "Threat Post".
The campaign was an opportunistic supply-chain attack abusing a weaponized Brightcove cloud video player.
SEGA's Sloppy Security Confession: Exposed AWS S3 Bucket Offers Up Steam API Access & More
via "Threat Post".
SEGA's disclosure underscores a common, potentially catastrophic, flub: misconfigured Amazon Web Services (AWS) S3 buckets.
Google Buys Siemplify to Get Ahead in Cloud Security
via "Dark Reading".
Google says the deal will bring security orchestration, automation, and response to its Google Cloud security portfolio and expand its Chronicle platform.
CVE-2021-41236
via "National Vulnerability Database".
OroPlatform is a PHP Business Application Platform. In affected versions the email template preview is vulnerable to an XSS payload added to email template content. An attacker must have permission to create or edit an email template. For successful payload execution, the attacked user must preview a vulnerable email template. There are no workarounds that address this vulnerability. Users are advised to upgrade as soon as possible.
CVE-2021-43832
via "National Vulnerability Database".
Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation and execution. This lets an arbitrary user with access to the gate endpoint create a pipeline and execute it without authentication. If users haven't set up Role-based access control (RBAC) within Spinnaker, this enables remote execution and access to deploy almost any resources on any account. Patches are available on the latest releases of the supported branches and users are advised to upgrade as soon as possible. Users unable to upgrade should enable RBAC on ALL accounts and applications. This mitigates the ability of a pipeline to affect any accounts. Block application access unless permissions are enabled. Users should make sure ALL application creation is restricted via appropriate wildcards.
CVE-2021-43850
via "National Vulnerability Database".
Discourse is an open source platform for community discussion. In affected versions admin users can trigger a Denial of Service attack via the `/message-bus/_diagnostics` path. The impact of this vulnerability is greater on multisite Discourse instances (where multiple forums are served from a single application server), where any admin user on any of the forums is able to visit the `/message-bus/_diagnostics` path. The problem has been patched. Please upgrade to 2.8.0.beta10 or 2.7.12. No workarounds for this issue exist.
CVE-2021-43677
via "National Vulnerability Database".
Fluxbb v1.4.12 is affected by a Cross Site Scripting (XSS) vulnerability.
CVE-2022-21648
via "National Vulnerability Database".
Latte is an open source template engine for PHP. Since version 2.8.0 Latte has included a template sandbox, and in affected versions a sandbox escape has been found that allows injection into web pages generated from Latte. This may lead to XSS attacks. The issue is fixed in versions 2.8.8, 2.9.6 and 2.10.8. Users unable to upgrade should not accept template input from untrusted sources.
CVE-2022-21647
via "National Vulnerability Database".
CodeIgniter is an open source PHP full-stack web framework. Deserialization of Untrusted Data was found in the `old()` function in CodeIgniter4. Remote attackers may inject auto-loadable arbitrary objects with this vulnerability, and possibly execute existing PHP code on the server. We are aware of a working exploit, which can lead to SQL injection. Users are advised to upgrade to v4.1.6 or later. Users unable to upgrade are advised not to use the `old()` function and form_helper, nor `RedirectResponse::withInput()` and `redirect()->withInput()`.
CVE-2021-43852
via "National Vulnerability Database".
OroPlatform is a PHP Business Application Platform. In affected versions, by sending a specially crafted request, an attacker could inject properties into existing JavaScript language construct prototypes, such as objects. Later this injection may lead to JS code execution by libraries that are vulnerable to Prototype Pollution. This issue has been patched in version 4.2.8. Users unable to upgrade may configure a firewall to drop requests containing the following strings to mitigate this issue: `__proto__`, `constructor[prototype]`, and `constructor.prototype`.
CVE-2022-21643
via "National Vulnerability Database".
USOC is an open source CMS with a focus on simplicity. In affected versions USOC allows for SQL injection via register.php. In particular, usernames, email addresses, and passwords provided by the user were not sanitized and were used directly to construct a SQL statement. Users are advised to upgrade as soon as possible. There are no workarounds for this issue.
CVE-2021-24042
via "National Vulnerability Database".
The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.
CVE-2022-21644
via "National Vulnerability Database".
USOC is an open source CMS with a focus on simplicity. In affected versions USOC allows for SQL injection via usersearch.php. Search terms provided by the user were not sanitized and were used directly to construct a SQL statement. The only users permitted to search are site admins. Users are advised to upgrade as soon as possible. There are no workarounds for this issue.
CVE-2021-41141
via "National Vulnerability Database".
PJSIP is a free and open source multimedia communication library written in the C language implementing standards-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In various parts of PJSIP, when an error/failure occurs, the function returns without releasing the currently held locks. This could result in a system deadlock, which causes a denial of service for the users. No release has yet been made which contains the linked fix commit. All versions up to and including 2.11.1 are affected. Users may need to manually apply the patch.
CVE-2021-41610
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-27339. Reason: This candidate is a reservation duplicate of CVE-2020-27339. Notes: All CVE users should reference CVE-2020-27339 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
McMenamins Breach Affected 23 Years of Employee Data
via "Dark Reading".
The Oregon-based hospitality and dining business reports the data was compromised in a Dec. 12 ransomware attack.
Attackers Exploit Log4j Flaws in Hands-on-Keyboard Attacks to Drop Reverse Shells
via "Dark Reading".
Microsoft says vulnerabilities present a "real and present" danger, citing high volume of scanning and attack activity targeting the widely used Apache logging framework.
Google makes the perfect case for why you shouldn't use Chrome
via "Tech Republic".
Google says Manifest V3 is focused on security, privacy and performance, but it could also break Chrome browser extensions used by millions of people.
Microsoft Sees Rampant Log4j Exploit Attempts, Testing
via "Threat Post".
Microsoft says it's only going to get worse: It's seen state-sponsored and cyber-criminal attackers probing systems for the Log4Shell flaw through the end of December.
CVE-2022-21649
via "National Vulnerability Database".
Convos is an open source multi-user chat that runs in a web browser. Strings starting with "https://" in the chat window create an <a> tag. A stored XSS vulnerability using onfocus and autofocus occurs because escaping exists for "<" and ">" but not for double quotes. Through this vulnerability, an attacker is able to execute malicious scripts. Users are advised to update as soon as possible.
CVE-2021-41388
via "National Vulnerability Database".
Netskope client prior to 89.x on macOS is impacted by a local privilege escalation vulnerability. The XPC implementation of the nsAuxiliarySvc process does not perform validation on new connections before accepting the connection. Thus any low-privileged user can connect and call external methods defined in the XPC service as root, elevating their privileges to the highest level.