🛑 Cybersecurity & Privacy 🛑 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
πŸ—“οΈ Security vulnerabilities in Umbraco CMS could lead to account takeover πŸ—“οΈ

Partial fix applied for two separate bugs in the open source software

via "The Daily Swig".
🕴 Preparing For the Next Cybersecurity Epidemic: Deepfakes 🕴

Using blockchain, multifactor authentication, or signatures can help boost authentication security and reduce fraud.

via "Dark Reading".
🦿 Phishing attack spoofs US Department of Labor to steal account credentials 🦿

A phishing campaign seen by email security provider Inky tries to trick its victims by inviting them to submit bids for alleged government projects.

via "Tech Republic".
‼ CVE-2021-46104 ‼

An issue was discovered in webp_server_go 0.4.0. There is a directory traversal vulnerability that can read arbitrary file information on the server.

via "National Vulnerability Database".
‼ CVE-2021-38787 ‼

There is an integer overflow in the ION driver "/dev/ion" of Allwinner R818 SoC Android Q SDK V1.0 that could use the ioctl cmd "COMPAT_ION_IOC_SUNXI_FLUSH_RANGE" to cause a system crash (denial of service).

via "National Vulnerability Database".
‼ CVE-2021-45808 ‼

jpress v4.2.0 allows users to register an account by default. With that account, a user can upload arbitrary files to the server.

via "National Vulnerability Database".
‼ CVE-2021-44837 ‼

An issue was discovered in Delta RM 1.2. It is possible for an unprivileged user to access the same information as an admin user regarding the risk creation information in the /risque/administration/referentiel/json/create/categorie endpoint, using the id_cat1 query parameter to indicate the risk.

via "National Vulnerability Database".
πŸ—“οΈ GitHub Actions flaw that allowed code to be approved without review is addressed πŸ—“οΈ

Uncheck risky setting option offered

via "The Daily Swig".
⚠ Serious Security: Apple Safari leaks private data via database API – what you need to know ⚠

There's a tiny data leakage bug in the WebKit browser engine... but it could act as a "supercookie" identifier for your browsing

via "Naked Security".
🕴 (ISC)² Launches Entry-Level Cybersecurity Course 🕴

Prospective entrants to the sector will receive instruction on fundamental cybersecurity concepts on which they will be evaluated during the new (ISC)² entry-level cybersecurity certification pilot exam.

via "Dark Reading".
🕴 LogPoint Releases LogPoint 7, Adding SOAR Capabilities Within SIEM 🕴

LogPoint 7 includes ready-made integrations to connect with existing security technologies, including endpoint protection, network detection, and threat management.

via "Dark Reading".
‼ CVE-2021-46030 ‼

There is a stored cross-site scripting (XSS) vulnerability in JavaQuarkBBS <= v2. By entering specific statements into the background tag management module, the attack statement is stored in the database, and the next victim is attacked when they access the tag module.

via "National Vulnerability Database".
‼ CVE-2021-38788 ‼

The Background service in Allwinner R818 SoC Android Q SDK V1.0 is used to manage background applications. Malicious apps can use the interface provided by the service to set the number of applications allowed to run in the background to 0 and add themselves to the whitelist, so that once other applications enter the background, they will be forcibly stopped by the system, causing a denial of service.

via "National Vulnerability Database".
β™ŸοΈ IRS Will Soon Require Selfies for Online Access β™ŸοΈ

If you created an online account to manage your tax records with the U.S. Internal Revenue Service (IRS), those login credentials will cease to work later this year. The agency says that by the summer of 2022, the only way to log in to irs.gov will be through ID.me, an online identity verification service that requires applicants to submit copies of bills and identity documents, as well as a live video feed of their faces via a mobile device.

via "Krebs on Security".
🕴 Cloud Adoption Widens the Cybersecurity Skills Gap 🕴

No matter what cloud services you employ, you are still responsible for protecting the security of your data.

via "Dark Reading".
❌ Box 2FA Bypass Opens User Accounts to Attack ❌

A security bug in the file-sharing cloud app could have allowed attackers using stolen credentials to skate by one-time SMS code verification requirements.

via "Threat Post".
‼ CVE-2021-44299 ‼

A reflected cross-site scripting (XSS) vulnerability in \lib\packages\themes\themes.php of Navigate CMS v2.9.4 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload.

via "National Vulnerability Database".
‼ CVE-2021-33912 ‼

libspf2 before 1.2.11 has a four-byte heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of incorrect sprintf usage in SPF_record_expand_data in spf_expand.c. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

via "National Vulnerability Database".
‼ CVE-2022-22310 ‼

IBM WebSphere Application Server Liberty 21.0.0.10 through 21.0.0.12 could provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to JAX-WS applications. IBM X-Force ID: 217224.

via "National Vulnerability Database".
‼ CVE-2022-23221 ‼

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

via "National Vulnerability Database".
‼ CVE-2021-33913 ‼

libspf2 before 1.2.11 has a heap-based buffer overflow that might allow remote attackers to execute arbitrary code (via an unauthenticated e-mail message from anywhere on the Internet) with a crafted SPF DNS record, because of SPF_record_expand_data in spf_expand.c. The amount of overflowed data depends on the relationship between the length of an entire domain name and the length of its leftmost label. The vulnerable code may be part of the supply chain of a site's e-mail infrastructure (e.g., with additional configuration, Exim can use libspf2; the Postfix web site links to unofficial patches for use of libspf2 with Postfix; older versions of spfquery relied on libspf2) but most often is not.

via "National Vulnerability Database".