🛑 Cybersecurity & Privacy 🛑 - News
25.8K subscribers
89.2K links
🗞 The finest daily news on cybersecurity and privacy.

🔔 Daily releases.

💻 Is your online life secure?

📩 lalilolalo.dev@gmail.com
⚠ French speakers blasted by sextortion scams with no text or links ⚠

You'd spot this one a mile away... but what about your friends or family?

📖 Read

via "Naked Security".
‼ CVE-2022-0665 ‼

Path Traversal in GitHub repository pimcore/pimcore prior to 10.3.2.

📖 Read

via "National Vulnerability Database".
🛠 I2P 1.7.0 🛠

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties. This is the source code release version.

📖 Read

via "Packet Storm Security".
⚠ WordPress backup plugin maker Updraft says “You should update”… ⚠

A straight-talking bug report written in plain English by an actual expert - there's a teachable moment in this cybersecurity story!

📖 Read

via "Naked Security".
♟️ IRS: Selfies Now Optional, Biometric Data to Be Deleted ♟️

The U.S. Internal Revenue Service (IRS) said Monday that taxpayers are no longer required to provide facial scans to create an account online at irs.gov. In lieu of providing biometric data, taxpayers can now opt for a live video interview with ID.me, the privately-held Virginia company that runs the agency's identity proofing system. The IRS also said any biometric data already shared with ID.me would be permanently deleted over the next few weeks, and any biometric data provided for new signups will be destroyed after an account is created.

📖 Read

via "Krebs on Security".
πŸ‘1
❌ Xenomorph Malware Burrows into Google Play Users, No Facehugger Required ❌

Researchers discovered a new, modular banking trojan with ties to Cerberus and Alien that has the capability to become a much larger threat than it is now.

📖 Read

via "Threat Post".
‼ CVE-2021-46162 ‼

A vulnerability has been identified in Simcenter Femap (All versions < V2022.1.1). Affected application contains an out of bounds write past the end of an allocated structure while parsing specially crafted NEU files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-15048)

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0712 ‼

NULL Pointer Dereference in GitHub repository radareorg/radare2 prior to 5.6.4.

📖 Read

via "National Vulnerability Database".
‼ CVE-2021-46699 ‼

A vulnerability has been identified in Simcenter Femap (All versions < V2022.1.1). Affected application contains a stack based buffer overflow vulnerability while parsing specially crafted BDF files. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-15061)

📖 Read

via "National Vulnerability Database".
DHS Privacy Office Wants More Ways to Protect Data

The department’s Chief Privacy Officer is hoping to build systems designed to prioritize the protection and confidentiality of consumer information by design.

📖 Read

via "".
🕴 Name That Toon: Out in the Cold 🕴

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

📖 Read

via "Dark Reading".
❌ Cyberattackers Cook Up Employee Personal Data Heist for Meyer ❌

The Conti gang breached the cookware giant's network, prepping thousands of employees’ personal data for consumption by cybercrooks.

📖 Read

via "Threat Post".
‼ CVE-2022-0714 ‼

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-23608 ‼

PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In versions up to and including 2.11.1, when in a dialog set (or forking) scenario, a hash key shared by multiple UAC dialogs can potentially be prematurely freed when one of the dialogs is destroyed. The issue may cause a dialog set to be registered in the hash table multiple times (with different hash keys), leading to undefined behavior such as a dialog list collision, which eventually leads to an endless loop. A patch is available in commit db3235953baa56d2fb0e276ca510fefca751643f which will be included in the next release. There are no known workarounds for this issue.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-0713 ‼

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.6.4.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-23654 ‼

Wiki.js is a wiki app built on Node.js. In affected versions an authenticated user with write access on a restricted set of paths can update a page outside the allowed paths by specifying a different target page ID while keeping the path intact. The access control incorrectly checks the path access against the user-provided values instead of the actual path associated with the page ID. Commit https://github.com/Requarks/wiki/commit/411802ec2f654bb5ed1126c307575b81e2361c6b fixes this vulnerability by checking access control on the path associated with the page ID instead of the user-provided value. When the path is different from the current value, a second access control check is then performed on the user-provided path before the move operation.

📖 Read

via "National Vulnerability Database".
‼ CVE-2022-23652 ‼

capsule-proxy is a reverse proxy for Capsule Operator which provides multi-tenancy in Kubernetes. In versions prior to 0.2.1 an attacker with a proper authentication mechanism may use a malicious `Connection` header to start a privilege escalation attack towards the Kubernetes API Server. This vulnerability allows for an exploit of the `cluster-admin` Role bound to `capsule-proxy`. There are no known workarounds for this issue.

📖 Read

via "National Vulnerability Database".
❌ Gaming, Banking Trojans Dominate Mobile Malware Scene ❌

The overall number of attacks on mobile users is down, but they're getting slicker, both in terms of malware functionality and vectors, researchers say.

📖 Read

via "Threat Post".
🕴 More Orgs Suffered Successful Phishing Attacks in 2021 Than in 2020 🕴

Threat actors maintained their relentless attacks on enterprise end users for yet another year, new study shows.

📖 Read

via "Dark Reading".
🕴 GitHub Opens Security Database to Community Contributions 🕴

The Microsoft company will allow community members to add information and code samples to security advisories using the standard pull request to change the document.

📖 Read

via "Dark Reading".
‼ CVE-2022-23635 ‼

Istio is an open platform to connect, manage, and secure microservices. In affected versions the Istio control plane, `istiod`, is vulnerable to a request processing error: a malicious attacker can send a specially crafted message that results in the control plane crashing. This endpoint is served over TLS port 15012, but does not require any authentication from the attacker. For simple installations, Istiod is typically only reachable from within the cluster, limiting the blast radius. However, for some deployments, especially [multicluster](https://istio.io/latest/docs/setup/install/multicluster/primary-remote/) topologies, this port is exposed over the public internet. There are no effective workarounds, beyond upgrading. Limiting network access to Istiod to the minimal set of clients can help lessen the scope of the vulnerability to some extent.

📖 Read

via "National Vulnerability Database".