CVE-2021-36193
via "National Vulnerability Database".
Multiple stack-based buffer overflows in the command line interpreter of FortiWeb before 6.4.2 may allow an authenticated attacker to achieve arbitrary code execution via specially crafted commands.
CVE-2021-41018
via "National Vulnerability Database".
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 6.4.1 and below, 6.3.15 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
CVE-2022-21724
via "National Vulnerability Database".
pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. Systems using the postgresql library will be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, and `sslpasswordcallback` connection properties. However, the driver did not verify that the class implements the expected interface before instantiating it. This can lead to remote code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.
CVE-2021-36177
via "National Vulnerability Database".
An improper access control vulnerability [CWE-284] in FortiAuthenticator HA service 6.3.2 and below, 6.2.x, 6.1.x, 6.0.x may allow an attacker on the same vlan as the HA management interface to make an unauthenticated direct connection to the FAC's database.
CVE-2021-24043
via "National Vulnerability Database".
A missing bound check in RTCP flag parsing code prior to WhatsApp for Android v2.21.23.2, WhatsApp Business for Android v2.21.23.2, WhatsApp for iOS v2.21.230.6, WhatsApp Business for iOS 2.21.230.7, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.
CVE-2020-26208
via "National Vulnerability Database".
JHEAD is a simple command line tool for displaying and some manipulation of EXIF header data embedded in Jpeg images from digital cameras. In affected versions there is a heap-buffer-overflow on jhead-3.04/jpgfile.c:285 ReadJpegSections. Crafted jpeg images can be provided to the user resulting in a program crash or potentially incorrect exif information retrieval. Users are advised to upgrade. There is no known workaround for this issue.
CVE-2021-39044
via "National Vulnerability Database".
IBM Financial Transaction Manager 3.2.4 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 214210.
CVE-2021-42753
via "National Vulnerability Database".
An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in FortiWeb management interface 6.4.1 and below, 6.3.15 and below, 6.2.x, 6.1.x, 6.0.x, 5.9.x and 5.8.x may allow an authenticated attacker to perform an arbitrary file and directory deletion in the device filesystem.
CVE-2021-43073
via "National Vulnerability Database".
An improper neutralization of special elements used in an OS command ('OS command injection') in Fortinet FortiWeb version 6.4.1 and 6.4.0, version 6.3.15 and below, version 6.2.6 and below allows an attacker to execute unauthorized code or commands via crafted HTTP requests.
CVE-2021-39070
via "National Vulnerability Database".
IBM Security Verify Access 10.0.0.0, 10.0.1.0 and 10.0.2.0 with the advanced access control authentication service enabled could allow an attacker to authenticate as any user on the system. IBM X-Force ID: 215353.
Tens of Thousands of Websites Vulnerable to RCE Flaw in WordPress Plug-in
via "Dark Reading".
Now-patched issue in Essential Addons for Elementor gives attackers a way to carry out local file inclusion attacks, researchers say.
TikTok's Roland Cloutier: How CISOs Can Foster a Culture of Security & Transparency
via "Dark Reading".
The social media platform's global security chief boils it down to being consistent, keeping it fun, and demonstrating the impact of choices.
Thousands of Malicious npm Packages Threaten Web Apps
via "Threat Post".
Attackers increasingly are using malicious JavaScript packages to steal data, engage in cryptojacking and unleash botnets, offering a wide supply-chain attack surface for threat actors.
CVE-2022-22509
via "National Vulnerability Database".
In Phoenix Contact FL SWITCH Series 2xxx in version 3.00 an incorrect privilege assignment allows a low-privileged user to enable full access to the device configuration.
CVE-2022-22510
via "National Vulnerability Database".
Codesys Profinet in version V4.2.0.0 is prone to null pointer dereference that allows a denial of service (DoS) attack of an unauthenticated user via SNMP.
CVE-2022-21817
via "National Vulnerability Database".
NVIDIA Omniverse Launcher contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can get a user to browse a malicious site, to acquire access tokens allowing them to access resources in other security domains, which may lead to code execution, escalation of privileges, and impact to confidentiality and integrity.
Linux kernel patches "performance can be harmful" bug in video driver
via "Naked Security".
This bug is fiendishly hard to exploit - but if you patch, it won't be there to exploit at all.
8 Security Dinosaurs and What Filled Their Footprints
via "Dark Reading".
Security technology has to evolve as new threats emerge and defenses improve. Here is a look back at the old breeds that are dying out.
Olympic Athletes Advised by FBI to Bring 'Burner' Phones to Beijing
via "Dark Reading".
No specific threats against the Olympics, according to the FBI, but instead it's about vigilance against potential ones.
Critical vulnerability in WordPress plugin Essential Addons for Elementor
via "The Daily Swig".
Local file inclusion, remote code execution attacks
Elementor WordPress plugin has a gaping security hole - update now
via "Naked Security".
We shouldn't need to say, "Check your inputs!" these days, but we're saying it anyway.