❌ Attackers Exploit Flaw in Google Docs’ Comments Feature ❌
A wave of phishing attacks identified in December, targeting mainly Outlook users, is difficult for both email scanners and victims to flag, researchers said.
via "Threat Post".
🗓️ New York Attorney General flags 1.1 million online accounts compromised by credential stuffing attacks 🗓️
Bureau of Internet and Technology helped affected organizations secure accounts and bolster defenses.
via "The Daily Swig".
🕴 Hybrid Multicloud Strategies Are Keeping the Public Sector at the Forefront of Threat Mitigation 🕴
Zero trust, DevSecOps, and agile methodologies are critical in bridging the power of commercial multicloud environments and the security of private data centers.
via "Dark Reading".
‼ CVE-2021-44590 ‼
In libming 0.4.8, a memory exhaustion vulnerability exists in the function cws2fws in util/main.c. Remote attackers could launch denial of service attacks by submitting a crafted SWF file that exploits this vulnerability.
via "National Vulnerability Database".
‼ CVE-2021-27738 ‼
All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests to the Kylin Coordinator, such as assigning/unassigning streaming cubes and creating, modifying or deleting replica sets. For endpoints accepting node details in the HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin 3 versions prior to 3.1.2.
via "National Vulnerability Database".
‼ CVE-2021-45457 ‼
In Apache Kylin, cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
via "National Vulnerability Database".
‼ CVE-2021-45456 ‼
Apache Kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may allow an illegal project name to pass the check and reach the subsequent steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.
via "National Vulnerability Database".
‼ CVE-2021-31522 ‼
Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
via "National Vulnerability Database".
‼ CVE-2021-45458 ‼
Apache Kylin provides the encryption class PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this class, the cipher is initialized with a hardcoded key and IV. If users use PasswordPlaceholderConfigurer to encrypt their password and configure it into Kylin's configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
via "National Vulnerability Database".
‼ CVE-2021-44878 ‼
Pac4j v5.1 and earlier allows (by default) clients to accept and successfully validate ID Tokens with the "none" algorithm (i.e., tokens with no signature), which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of the "alg" key in the header with an empty signature value.
via "National Vulnerability Database".
‼ CVE-2021-44584 ‼
Cross-site scripting (XSS) vulnerability in index.php in emlog version <= pro-1.0.7 allows remote attackers to inject arbitrary web script or HTML via the s parameter.
via "National Vulnerability Database".
‼ CVE-2021-44591 ‼
In libming 0.4.8, the parseSWF_DEFINELOSSLESS2 function in util/parser.c lacks a boundary check that would lead to denial-of-service attacks via a crafted SWF file.
via "National Vulnerability Database".
‼ CVE-2021-36774 ‼
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties which, if left unmitigated, can allow an attacker to execute arbitrary code from an attacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.
via "National Vulnerability Database".
❌ Apple iPhone Malware Tactic Causes Fake Shutdowns to Enable Spying ❌
The 'NoReboot' technique is the ultimate in persistence for iPhone malware, preventing reboots and enabling remote attackers to do anything on the device while remaining completely unseen.
via "Threat Post".
🗓️ Java RMI services often vulnerable to SSRF attacks 🗓️
Trust boundaries breached by security shortcomings.
via "The Daily Swig".
🦿 Hackers exploit Google Docs in new phishing campaign 🦿
Attackers are taking advantage of the comment feature in Google Docs to send people emails with malicious links, says Avanan.
via "Tech Republic".
❌ Partially Unpatched VMware Bug Opens Door to Hypervisor Takeover ❌
ESXi version 7 users are still waiting for a full fix for a high-severity heap-overflow security vulnerability, but Cloud Foundation, Fusion and Workstation users can go ahead and patch.
via "Threat Post".
‼ CVE-2021-46076 ‼
Sourcecodester Vehicle Service Management System 1.0 is vulnerable to file upload. An attacker can upload a malicious PHP file via multiple endpoints, leading to code execution.
via "National Vulnerability Database".
‼ CVE-2021-46070 ‼
A Stored Cross Site Scripting (XSS) vulnerability exists in Vehicle Service Management System 1.0 via the Service Requests section in the login panel.
via "National Vulnerability Database".
‼ CVE-2021-45744 ‼
A Stored Cross Site Scripting (XSS) vulnerability exists in bludit 3.13.1 via the TAGS section in the login panel.
via "National Vulnerability Database".
‼ CVE-2021-46079 ‼
An Unrestricted File Upload vulnerability exists in Sourcecodester Vehicle Service Management System 1.0. A remote attacker can upload malicious files, leading to HTML injection.
via "National Vulnerability Database".