CVE-2021-46143
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize.
via "National Vulnerability Database".
CVE-2022-0122
forge is vulnerable to URL Redirection to Untrusted Site.
via "National Vulnerability Database".
CVE-2021-46142
An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax.
via "National Vulnerability Database".
Insecure Amazon S3 bucket exposed personal data on 500,000 Ghanaian graduates
Cloud storage misconfiguration left sensitive data openly accessible.
via "The Daily Swig".
CVE-2022-22707
In lighttpd 1.4.46 through 1.4.63, the mod_extforward_Forwarded function of the mod_extforward plugin has a stack-based buffer overflow (4 bytes), as demonstrated by remote denial of service (daemon crash).
via "National Vulnerability Database".
CVE-2021-36737
The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact.
via "National Vulnerability Database".
CVE-2021-36738
The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact.
via "National Vulnerability Database".
CVE-2021-46145
The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking. This is related to a non-expiring rolling code and counter resynchronization.
via "National Vulnerability Database".
CVE-2021-36739
The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.
via "National Vulnerability Database".
Kazakhstan government shuts down internet following country-wide protests
This isn't the first time the landlocked nation has restricted web access for citizens.
via "The Daily Swig".
FTC threatens "legal action" over unpatched Log4j and other vulns
Remember the Equifax breach? Remember the $700m penalty? In case you'd forgotten, here's the FTC to refresh your memory!
via "Naked Security".
CVE-2021-44564
A security vulnerability originally reported in the SYNC2101 product, and applicable to specific sub-families of SYNC devices, allows an attacker to download the configuration file used in the device and apply a modified configuration file back to the device. The attack requires network access to the SYNC device and knowledge of its IP address. The attack exploits the unsecured communication channel used between the administration tool Easyconnect and the SYNC device (in the affected family of SYNC products).
via "National Vulnerability Database".
CVE-2021-44351
An arbitrary file read vulnerability exists in NavigateCMS 2.9 via the /navigate/navigate_download.php id parameter.
via "National Vulnerability Database".
S3 Ep64: Log4Shell again, scammers keeping busy, and Apple Home bug [Podcast + Transcript]
We're back for 2022 - listen now!
via "Naked Security".
Attackers Exploit Flaw in Google Docs' Comments Feature
A wave of phishing attacks identified in December, targeting mainly Outlook users, is difficult for both email scanners and victims to flag, researchers said.
via "Threat Post".
New York Attorney General flags 1.1 million online accounts compromised by credential stuffing attacks
Bureau of Internet and Technology helped affected organizations secure accounts and bolster defenses.
via "The Daily Swig".
Hybrid Multicloud Strategies Are Keeping the Public Sector at the Forefront of Threat Mitigation
Zero trust, DevSecOps, and agile methodologies are critical in bridging the power of commercial multicloud environments and the security of private data centers.
via "Dark Reading".
CVE-2021-44590
In libming 0.4.8, a memory exhaustion vulnerability exists in the function cws2fws in util/main.c. Remote attackers could launch denial of service attacks by submitting a crafted SWF file that exploits this vulnerability.
via "National Vulnerability Database".
CVE-2021-27738
All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator. For endpoints accepting node details in the HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin 3 versions prior to 3.1.2.
via "National Vulnerability Database".
CVE-2021-45457
In Apache Kylin, cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
via "National Vulnerability Database".
CVE-2021-45456
Apache Kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may allow an illegal project name to pass the check and proceed to the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.
via "National Vulnerability Database".