CVE-2022-21402
via "National Vulnerability Database".
Vulnerability in the Oracle Communications Operations Monitor product of Oracle Communications (component: Mediation Engine). Supported versions that are affected are 3.4, 4.2, 4.3, 4.4 and 5.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Communications Operations Monitor. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Communications Operations Monitor, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Communications Operations Monitor accessible data as well as unauthorized read access to a subset of Oracle Communications Operations Monitor accessible data. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N).

CVE-2022-21269
via "National Vulnerability Database".
Vulnerability in the Primavera Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0 and 20.0.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera Portfolio Management accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE-2022-21323
via "National Vulnerability Database".
Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 7.5.24 and prior, 7.6.20 and prior and 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of MySQL Cluster accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Cluster. CVSS 3.1 Base Score 2.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L).

Beijing Olympics App Flaws Allow Man-in-the-Middle Attacks
via "Threat Post".
Attackers can access audio and files uploaded to the MY2022 mobile app required for use by all winter games attendees, including personal health details.

Security vulnerabilities in Umbraco CMS could lead to account takeover
via "The Daily Swig".
Partial fix applied for two separate bugs in the open source software.

Preparing for the Next Cybersecurity Epidemic: Deepfakes
via "Dark Reading".
Using blockchain, multifactor authentication, or signatures can help boost authentication security and reduce fraud.

Phishing attack spoofs US Department of Labor to steal account credentials
via "Tech Republic".
A phishing campaign seen by email security provider Inky tries to trick its victims by inviting them to submit bids for alleged government projects.

CVE-2021-46104
via "National Vulnerability Database".
An issue was discovered in webp_server_go 0.4.0. There is a directory traversal vulnerability that can read arbitrary file information on the server.

CVE-2021-38787
via "National Vulnerability Database".
There is an integer overflow in the ION driver "/dev/ion" of Allwinner R818 SoC Android Q SDK V1.0 that could use the ioctl cmd "COMPAT_ION_IOC_SUNXI_FLUSH_RANGE" to cause a system crash (denial of service).

CVE-2021-45808
via "National Vulnerability Database".
jpress v4.2.0 allows users to register an account by default. With the account, a user can upload arbitrary files to the server.

CVE-2021-44837
via "National Vulnerability Database".
An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoint, using the id_cat1 query parameter to indicate the risk.

GitHub Actions flaw that allowed code to be approved without review is addressed with new feature rollout
via "The Daily Swig".
Uncheck risky setting option offered.

Serious Security: Apple Safari leaks private data via database API: what you need to know
via "Naked Security".
There's a tiny data leakage bug in the WebKit browser engine... but it could act as a "supercookie" identifier for your browsing.

(ISC)² Launches Entry-Level Cybersecurity Course
via "Dark Reading".
Prospective entrants to the sector will receive instruction on fundamental cybersecurity concepts on which they will be evaluated during the new (ISC)² entry-level cybersecurity certification pilot exam.

LogPoint Releases LogPoint 7, Adding SOAR Capabilities Within SIEM
via "Dark Reading".
LogPoint 7 includes ready-made integrations to connect with existing security technologies, including endpoint protection, network detection, and threat management.

CVE-2021-46030
via "National Vulnerability Database".
There is a Cross Site Scripting (XSS) vulnerability in JavaQuarkBBS <= v2. By entering specific statements into the background tag management module, the attack statement will be stored in the database, and the next victim will be attacked when he accesses the tag module.

CVE-2021-38788
via "National Vulnerability Database".
The Background service in Allwinner R818 SoC Android Q SDK V1.0 is used to manage background applications. Malicious apps can use the interface provided by the service to set the number of applications allowed to run in the background to 0 and add themselves to the whitelist, so that once other applications enter the background, they will be forcibly stopped by the system, causing a denial of service.

IRS Will Soon Require Selfies for Online Access
via "Krebs on Security".
If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

Cloud Adoption Widens the Cybersecurity Skills Gap
via "Dark Reading".
No matter what cloud services you employ, you are still responsible for protecting the security of your data.

Box 2FA Bypass Opens User Accounts to Attack
via "Threat Post".
A security bug in the file-sharing cloud app could have allowed attackers using stolen credentials to skate by one-time SMS code verification requirements.

CVE-2021-44299
via "National Vulnerability Database".
A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.