🛡 Cybersecurity & Privacy 🛡 - News
25.9K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
‼ CVE-2021-36737 ‼

The input fields of the Apache Pluto UrlTestPortlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the v3-demo-portlet.war artifact.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-36738 ‼

The input fields in the JSP version of the Apache Pluto Applicant MVCBean CDI portlet are vulnerable to Cross-Site Scripting (XSS) attacks. Users should migrate to version 3.1.1 of the applicant-mvcbean-cdi-jsp-portlet.war artifact.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-46145 ‼

The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking. This is related to a non-expiring rolling code and counter resynchronization.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-36739 ‼

The "first name" and "last name" fields of the Apache Pluto 3.1.0 MVCBean JSP portlet maven archetype are vulnerable to Cross-Site Scripting (XSS) attacks.

📖 Read

via "National Vulnerability Database".
πŸ—“οΈ Kazakhstan government shuts down internet following country-wide protests πŸ—“οΈ

This isn’t the first time the landlocked nation has restricted web access for citizens

πŸ“– Read

via "The Daily Swig".
⚠ FTC threatens "legal action" over unpatched Log4j and other vulns ⚠

Remember the Equifax breach? Remember the $700m penalty? In case you'd forgotten, here's the FTC to refresh your memory!

📖 Read

via "Naked Security".
‼ CVE-2021-44564 ‼

A security vulnerability originally reported in the SYNC2101 product, and applicable to specific sub-families of SYNC devices, allows an attacker to download the configuration file used in the device and apply a modified configuration file back to the device. The attack requires network access to the SYNC device and knowledge of its IP address. The attack exploits the unsecured communication channel used between the administration tool Easyconnect and the SYNC device (in the affected family of SYNC products).

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-44351 ‼

An arbitrary file read vulnerability exists in NavigateCMS 2.9 via the id parameter of /navigate/navigate_download.php.

📖 Read

via "National Vulnerability Database".
⚠ S3 Ep64: Log4Shell again, scammers keeping busy, and Apple Home bug [Podcast + Transcript] ⚠

We're back for 2022 - listen now!

📖 Read

via "Naked Security".
❌ Attackers Exploit Flaw in Google Docs' Comments Feature ❌

A wave of phishing attacks identified in December, targeting mainly Outlook users, is difficult for both email scanners and victims to flag, researchers said.

📖 Read

via "Threat Post".
πŸ—“οΈ New York Attorney General flags 1.1 million online accounts compromised by credential stuffing attacks πŸ—“οΈ

Bureau of Internet and Technology helped affected organizations secure accounts and bolster defenses

πŸ“– Read

via "The Daily Swig".
🕴 Hybrid Multicloud Strategies Are Keeping the Public Sector at the Forefront of Threat Mitigation 🕴

Zero trust, DevSecOps, and agile methodologies are critical in bridging the power of commercial multicloud environments and the security of private data centers.

📖 Read

via "Dark Reading".
‼ CVE-2021-44590 ‼

In libming 0.4.8, a memory exhaustion vulnerability exists in the function cws2fws in util/main.c. Remote attackers could launch denial of service attacks by submitting a crafted SWF file that exploits this vulnerability.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-27738 ‼

All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests to the Kylin Coordinator, such as assigning/unassigning streaming cubes and creating, modifying or deleting replica sets. For endpoints accepting node details in the HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin 3 versions prior to 3.1.2.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-45457 ‼

In Apache Kylin, cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-45456 ‼

Apache Kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may allow an illegal project name to pass the check and proceed to the subsequent steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-31522 ‼

Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-45458 ‼

Apache Kylin provides the encryption class PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this class, the cipher is initialized with a hardcoded key and IV. If users use PasswordPlaceholderConfigurer to encrypt their password and configure it into Kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-44878 ‼

Pac4j v5.1 and earlier allows (by default) clients to accept and successfully validate ID Tokens with "none" algorithm (i.e., tokens with no signature) which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-44584 ‼

Cross-site scripting (XSS) vulnerability in index.php in emlog version <= pro-1.0.7 allows remote attackers to inject arbitrary web script or HTML via the s parameter.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-44591 ‼

In libming 0.4.8, the parseSWF_DEFINELOSSLESS2 function in util/parser.c lacks a boundary check that would lead to denial-of-service attacks via a crafted SWF file.

📖 Read

via "National Vulnerability Database".