📢 IT Pro News in Review: Nvidia walks away from Arm, Belarusian train hack, and IBM to sell Watson Health 📢
📖 Read
via "ITPro".
Catch up on the biggest headlines of the week in just two minutes📖 Read
via "ITPro".
‼ CVE-2022-24300 ‼
📖 Read
via "National Vulnerability Database".
Minetest before 5.4.0 allows attackers to add or modify arbitrary meta fields of the same item stack as saved user input, aka ItemStack meta injection.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24301 ‼
📖 Read
via "National Vulnerability Database".
In Minetest before 5.4.0, players can add or subtract items from a different player's inventory.📖 Read
via "National Vulnerability Database".
🗓️ British Council data breach leaks 10,000 student records 🗓️
📖 Read
via "The Daily Swig".
Researchers say 144,000 files were exposed📖 Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
British Council data breach leaks 10,000 student records
Researchers say 144,000 files were exposed
‼ CVE-2022-0366 ‼
📖 Read
via "National Vulnerability Database".
An authenticated and authorized agent user could potentially gain administrative access via an SQLi vulnerability to Capsule8 Console between versions 4.6.0 and 4.9.1.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41016 ‼
📖 Read
via "National Vulnerability Database".
A improper neutralization of special elements used in a command ('command injection') in Fortinet FortiExtender version 7.0.1 and below, 4.2.3 and below, 4.1.7 and below allows an authenticated attacker to execute privileged shell commands via CLI commands including special characters📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39066 ‼
📖 Read
via "National Vulnerability Database".
IBM Financial Transaction Manager 3.2.4 does not invalidate session any existing session identifier gives an attacker the opportunity to steal authenticated sessions. IBM X-Force ID: 215040.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43062 ‼
📖 Read
via "National Vulnerability Database".
A improper neutralization of input during web page generation ('cross-site scripting') in Fortinet FortiMail version 7.0.1 and 7.0.0, version 6.4.5 and below, version 6.3.7 and below, version 6.0.11 and below allows attacker to execute unauthorized code or commands via crafted HTTP GET requests to the FortiGuard URI protection service.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-36193 ‼
📖 Read
via "National Vulnerability Database".
Multiple stack-based buffer overflows in the command line interpreter of FortiWeb before 6.4.2 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted commands.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-41018 ‼
📖 Read
via "National Vulnerability Database".
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-21724 ‼
📖 Read
via "National Vulnerability Database".
pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to remote code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-36177 ‼
📖 Read
via "National Vulnerability Database".
An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make an unauthenticated direct connection to the FAC's database.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-24043 ‼
📖 Read
via "National Vulnerability Database".
A missing bound check in RTCP flag parsing code prior to WhatsApp for Android v2.21.23.2, WhatsApp Business for Android v2.21.23.2, WhatsApp for iOS v2.21.230.6, WhatsApp Business for iOS 2.21.230.7, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.📖 Read
via "National Vulnerability Database".
‼ CVE-2020-26208 ‼
📖 Read
via "National Vulnerability Database".
JHEAD is a simple command line tool for displaying and some manipulation of EXIF header data embedded in Jpeg images from digital cameras. In affected versions there is a heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections. Crafted jpeg images can be provided to the user resulting in a program crash or potentially incorrect exif information retrieval. Users are advised to upgrade. There is no known workaround for this issue.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39044 ‼
📖 Read
via "National Vulnerability Database".
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 214210.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-42753 ‼
📖 Read
via "National Vulnerability Database".
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb management interface 6.4.1 and below, 6.3.15 and below, 6.2.x, 6.1.x, 6.0.x, 5.9.x and 5.8.x may allow an authenticated attacker to perform an arbitrary file and directory deletion in the device filesystem.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-43073 ‼
📖 Read
via "National Vulnerability Database".
A improper neutralization of special elements used in an os command ('os command injection') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows attacker to execute unauthorized code or commands via crafted HTTP requests.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-39070 ‼
📖 Read
via "National Vulnerability Database".
IBM Security Verify Access 10.0.0.0, 10.0.1.0 and 10.0.2.0 with the advanced access control authentication service enabled could allow an attacker to authenticate as any user on the system. IBM X-Force ID: 215353.📖 Read
via "National Vulnerability Database".
🕴 Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plug-in 🕴
📖 Read
via "Dark Reading".
Now-patched issue in Essential Addons for Elementor gives attackers a way to carry out local file inclusion attacks, researchers say.📖 Read
via "Dark Reading".
Dark Reading
Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plug-in
Now-patched issue in Essential Addons for Elementor gives attackers a way to carry out local file inclusion attacks, researchers say.
🕴 TikTok's Roland Cloutier: How CISOs Can Foster a Culture of Security & Transparency 🕴
📖 Read
via "Dark Reading".
The social media platform's global security chief boils it down to being consistent, keeping it fun, and demonstrating the impact of choices.📖 Read
via "Dark Reading".
Dark Reading
TikTok's Roland Cloutier: How CISOs Can Foster a Culture of Security & Transparency
The social media platform's global security chief boils it down to being consistent, keeping it fun, and demonstrating the impact of choices.
❌ Thousands of Malicious npm Packages Threaten Web Apps ❌
📖 Read
via "Threat Post".
Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors.📖 Read
via "Threat Post".
Threat Post
Thousands of Malicious npm Packages Threaten Web Apps
Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors.