CVE-2022-0174
dolibarr is vulnerable to Business Logic Errors
via "National Vulnerability Database".
NCSC Outlines Tips to Mitigate Commercial Surveillance
The National Counterintelligence and Security Center (NCSC) on Friday warned about the risks posed by commercial spyware to smartphones.
via "Digital Guardian".
FBI Warns FIN7 Campaign Delivers Ransomware via BadUSB
An FBI warning says the FIN7 cybercrime group has sent packages containing malicious USB drives to US companies in an effort to spread ransomware.
via "Dark Reading".
CVE-2022-21666
Useful Simple Open-Source CMS (USOC) is a content management system (CMS) for programmers. Versions prior to Pb2.4Bfx3 allowed SQL injection in usersearch.php only for users with administrative privileges. Users should replace the file `admin/pages/useredit.php` with a newer version. USOC version Pb2.4Bfx3 contains a fixed version of `admin/pages/useredit.php`.
via "National Vulnerability Database".
CVE-2021-29454
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.42 and 4.0.2, template authors could run arbitrary PHP code by crafting a malicious math string. If a math string was passed through as user provided data to the math function, external users could run arbitrary PHP code by crafting a malicious math string. Users should upgrade to version 3.1.42 or 4.0.2 to receive a patch.
via "National Vulnerability Database".
CVE-2021-21408
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static PHP methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.
via "National Vulnerability Database".
CVE-2022-0155
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
via "National Vulnerability Database".
CVE-2020-25427
A Null pointer dereference vulnerability exists in MP4Box - GPAC version 0.8.0-rev177-g51a8ef874-master via the gf_isom_get_track_id function, which causes a denial of service.
via "National Vulnerability Database".
CVE-2022-21668
pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.
via "National Vulnerability Database".
CVE-2021-35452
An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to a SEGV in slice.cc.
via "National Vulnerability Database".
CVE-2022-21670
markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characters could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.
via "National Vulnerability Database".
CVE-2022-21672
make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla certdata.txt and treats explicitly untrusted certificates like trusted ones, causing those explicitly untrusted certificates to be trusted by the system. The explicitly untrusted certificates were used by some CAs that had already been hacked. Hostile attackers may perform a MITM attack exploiting them. Everyone using the affected versions of make-ca should upgrade to make-ca-1.10, and run `make-ca -f -g` as the `root` user to regenerate the trusted store immediately. As a workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or by a script), but this is not recommended because the manual changes will be overwritten the next time make-ca is run to update the trusted anchors.
via "National Vulnerability Database".
What Editing Crosswords Can Teach Us About Security Leadership
When security leaders look for mistakes, they often find them before customers do.
via "Dark Reading".
CVE-2021-36408
An issue was discovered in libde265 v1.0.8. There is a Heap-use-after-free in intrapred.h when decoding a file using dec265.
via "National Vulnerability Database".
CVE-2021-36410
A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in function put_epel_hv_fallback when running the program dec265.
via "National Vulnerability Database".
CVE-2021-36412
A heap-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via the gp_rtp_builder_do_mpeg12_video function, which allows attackers to possibly have unspecified other impact via a crafted file in the MP4Box command.
via "National Vulnerability Database".
CVE-2021-36414
A heap-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via media.c, which allows attackers to cause a denial of service or execute arbitrary code via a crafted file.
via "National Vulnerability Database".
CVE-2021-36409
There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding a file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.
via "National Vulnerability Database".
CVE-2021-36411
An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.
via "National Vulnerability Database".
The rise of the CISO: The escalation in cyberattacks makes this role increasingly important
As the digital landscape has grown, the organizational need for cybersecurity and data protection has risen. A new study takes a look at where CISOs stand in businesses.
via "Tech Republic".
JavaScript developer destroys own projects in supply chain "lesson"
Two popular open source JavaScript packages recently got "hacked" in a symbolic gesture by the original project creator.
via "Naked Security".