βΌ CVE-2021-21408 βΌ
π Read
via "National Vulnerability Database".
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.43 and 4.0.3, template authors could run restricted static php methods. Users should upgrade to version 3.1.43 or 4.0.3 to receive a patch.π Read
via "National Vulnerability Database".
βΌ CVE-2022-0155 βΌ
π Read
via "National Vulnerability Database".
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actorπ Read
via "National Vulnerability Database".
βΌ CVE-2020-25427 βΌ
π Read
via "National Vulnerability Database".
A Null pointer dereference vulnerability exits in MP4Box - GPAC version 0.8.0-rev177-g51a8ef874-master via the gf_isom_get_track_id function, which causes a denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21668 βΌ
π Read
via "National Vulnerability Database".
pipenv is a Python development workflow tool. Starting with version 2018.10.9 and prior to version 2022.1.8, a flaw in pipenv's parsing of requirements files allows an attacker to insert a specially crafted string inside a comment anywhere within a requirements.txt file, which will cause victims who use pipenv to install the requirements file to download dependencies from a package index server controlled by the attacker. By embedding malicious code in packages served from their malicious index server, the attacker can trigger arbitrary remote code execution (RCE) on the victims' systems. If an attacker is able to hide a malicious `--index-url` option in a requirements file that a victim installs with pipenv, the attacker can embed arbitrary malicious code in packages served from their malicious index server that will be executed on the victim's host during installation (remote code execution/RCE). When pip installs from a source distribution, any code in the setup.py is executed by the install process. This issue is patched in version 2022.1.8. The GitHub Security Advisory contains more information about this vulnerability.π Read
via "National Vulnerability Database".
βΌ CVE-2021-35452 βΌ
π Read
via "National Vulnerability Database".
An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to a SEGV in slice.cc.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21670 βΌ
π Read
via "National Vulnerability Database".
markdown-it is a Markdown parser. Prior to version 1.3.2, special patterns with length greater than 50 thousand characterss could slow down the parser significantly. Users should upgrade to version 12.3.2 to receive a patch. There are no known workarounds aside from upgrading.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21672 βΌ
π Read
via "National Vulnerability Database".
make-ca is a utility to deliver and manage a complete PKI configuration for workstations and servers. Starting with version 0.9 and prior to version 1.10, make-ca misinterprets Mozilla certdata.txt and treats explicitly untrusted certificates like trusted ones, causing those explicitly untrusted certificates trusted by the system. The explicitly untrusted certificates were used by some CAs already hacked. Hostile attackers may perform a MIM attack exploiting them. Everyone using the affected versions of make-ca should upgrade to make-ca-1.10, and run `make-ca -f -g` as the `root` user to regenerate the trusted store immediately. As a workaround, users may delete the untrusted certificates from /etc/pki/tls and /etc/ssl/certs manually (or by a script), but this is not recommended because the manual changes will be overwritten next time running make-ca to update the trusted anchor.π Read
via "National Vulnerability Database".
π΄ What Editing Crosswords Can Teach Us About Security Leadership π΄
π Read
via "Dark Reading".
When security leaders look for mistakes, they often find them before customers do.π Read
via "Dark Reading".
Dark Reading
What Editing Crosswords Can Teach Us About Security Leadership
When security leaders look for mistakes, they often find them before customers do.
βΌ CVE-2021-36408 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in libde265 v1.0.8.There is a Heap-use-after-free in intrapred.h when decoding file using dec265.π Read
via "National Vulnerability Database".
βΌ CVE-2021-36410 βΌ
π Read
via "National Vulnerability Database".
A stack-buffer-overflow exists in libde265 v1.0.8 via fallback-motion.cc in function put_epel_hv_fallback when running program dec265.π Read
via "National Vulnerability Database".
βΌ CVE-2021-36412 βΌ
π Read
via "National Vulnerability Database".
A heap-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via the gp_rtp_builder_do_mpeg12_video function, which allows attackers to possibly have unspecified other impact via a crafted file in the MP4Box command,π Read
via "National Vulnerability Database".
βΌ CVE-2021-36414 βΌ
π Read
via "National Vulnerability Database".
A heab-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via media.c, which allows attackers to cause a denial of service or execute arbitrary code via a crafted file.π Read
via "National Vulnerability Database".
βΌ CVE-2021-36409 βΌ
π Read
via "National Vulnerability Database".
There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.π Read
via "National Vulnerability Database".
βΌ CVE-2021-36411 βΌ
π Read
via "National Vulnerability Database".
An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.π Read
via "National Vulnerability Database".
π¦Ώ The rise of the CISO: The escalation in cyberattacks makes this role increasingly important π¦Ώ
π Read
via "Tech Republic".
As the digital landscape has grown, the organizational need for cybersecurity and data protection has risen. A new study takes a look at where CISOs stand in businesses.π Read
via "Tech Republic".
TechRepublic
The rise of the CISO: The escalation in cyberattacks makes this role increasingly important
As the digital landscape has grown, the organizational need for cybersecurity and data protection has risen. A new study takes a look at where CISOs stand in businesses.
β JavaScript developer destroys own projects in supply chain βlessonβ β
π Read
via "Naked Security".
Two popular open source JavaScript packages recently got "hacked" in a smbolic gesture by the original project creator.π Read
via "Naked Security".
Sophos News
Naked Security β Sophos News
β Honda cars in flashback to 2002 β βCanβt Get You Out Of My Headβ β
π Read
via "Naked Security".
Where were YOU on the night of 17 May 2002? And what about the day after that?π Read
via "Naked Security".
Naked Security
Honda cars in flashback to 2002 β βCanβt Get You Out Of My Headβ
Where were YOU on the night of 17 May 2002? And what about the day after that?
βΌ CVE-2022-0144 βΌ
π Read
via "National Vulnerability Database".
shelljs is vulnerable to Improper Privilege Managementπ Read
via "National Vulnerability Database".
β Millions of Routers Exposed to RCE by USB Kernel Bug β
π Read
via "Threat Post".
The high-severity RCE flaw is in the KCodes NetUSB kernel module, used by popular routers from Netgear, TP-Link, DLink, Western Digital, et al.π Read
via "Threat Post".
Threat Post
Millions of Routers Exposed to RCE by USB Kernel Bug
The high-severity RCE flaw is in the KCodes NetUSB kernel module, used by popular routers from Netgear, TP-Link, DLink, Western Digital, et al.
ποΈ IP spoofing bug leaves Django REST applications open to DDoS, password-cracking attacks ποΈ
π Read
via "The Daily Swig".
Security researcher discovers how to send unlimited HTTP requests with the same clientπ Read
via "The Daily Swig".
βΌ CVE-2021-37195 βΌ
π Read
via "National Vulnerability Database".
A vulnerability has been identified in COMOS (All versions < V10.4.1). The COMOS Web component of COMOS accepts arbitrary code as attachment to tasks. This could allow an attacker to inject malicious code that is executed when loading the attachment.π Read
via "National Vulnerability Database".