βΌ CVE-2021-23792 βΌ
π Read
via "National Vulnerability Database".
The package com.twelvemonkeys.imageio:imageio-metadata before 3.7.1 are vulnerable to XML External Entity (XXE) Injection due to an insecurely initialized XML parser for reading XMP Metadata. An attacker can exploit this vulnerability if they are able to supply a file (e.g. when an online profile picture is processed) with a malicious XMP segment. If the XMP metadata of the uploaded image is parsed, then the XXE vulnerability is triggered.π Read
via "National Vulnerability Database".
βΌ CVE-2022-30334 βΌ
π Read
via "National Vulnerability Database".
Brave before 1.34, when a Private Window with Tor Connectivity is used, leaks .onion URLs in Referer and Origin headers. NOTE: although this was fixed by Brave, the Brave documentation still advises "Note that Private Windows with Tor Connectivity in Brave are just regular private windows that use Tor as a proxy. Brave does NOT implement most of the privacy protections from Tor Browser."π Read
via "National Vulnerability Database".
π2
βοΈ Your Phone May Soon Replace Many of Your Passwords βοΈ
π Read
via "Krebs on Security".
Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say the changes should help defeat many types of phishing attacks and ease the overall password burden on Internet users, but caution that a true passwordless future may still be years away for most websites.π Read
via "Krebs on Security".
Krebs on Security
Your Phone May Soon Replace Many of Your Passwords
Apple, Google and Microsoft announced this week they will soon support an approach to authentication that avoids passwords altogether, and instead requires users to merely unlock their smartphones to sign in to websites or online services. Experts say theβ¦
π2
βΌ CVE-2022-1616 βΌ
π Read
via "National Vulnerability Database".
Use after free in append_command in GitHub repository vim/vim prior to 8.2. This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote executionπ Read
via "National Vulnerability Database".
π Friday Five 5/6 π
π Read
via "".
Read up on how passwords may soon be a thing of the past, how your mental health data may be at risk, how business email compromise cost organizations billions in the past five years, and much moreβall in this weekβs Friday Five!
π Read
via "".
π€―1
βΌ CVE-2022-30333 βΌ
π Read
via "National Vulnerability Database".
RARLAB UnRAR before 6.12 on Linux and UNIX allows directory traversal to write to files during an extract (aka unpack) operation, as demonstrated by creating a ~/.ssh/authorized_keys file. NOTE: WinRAR and Android RAR are unaffected.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23066 βΌ
π Read
via "National Vulnerability Database".
In Solana rBPF versions 0.2.26 and 0.2.27 are affected by Incorrect Calculation which is caused by improper implementation of sdiv instruction. This can lead to the wrong execution path, resulting in huge loss in specific cases. For example, the result of a sdiv instruction may decide whether to transfer tokens or not. The vulnerability affects both integrity and may cause serious availability problems.π Read
via "National Vulnerability Database".
β Podcast: The State of the Secret Sprawl β
π Read
via "Threat Post".
In this podcast with Mackenzie Jackson, developer advocate at GitGuardian, we dive into the report and also the issues that corporations face with public leaks from groups like Lapsus and more, as well as ways that developers can keep their code safe.π Read
via "Threat Post".
Threat Post
The State of Secrets Sprawl β Podcast
In this podcast with Mackenzie Jackson, developer advocate at GitGuardian, we dive into the report and also the issues that corporations face with public leaks from groups like Lapsus and more, as well as ways that developers can keep their code safe.
ποΈ BIG-IP: Proof-of-concept released for RCE vulnerability in F5 network management tool ποΈ
π Read
via "The Daily Swig".
Users should patch immediatelyπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
BIG-IP: Proof-of-concept released for RCE vulnerability in F5 network management tool
Users should patch immediately
π€―1
ποΈ Quantum leap: Biden administration commits to ensuring US leadership in emerging tech ποΈ
π Read
via "The Daily Swig".
Government sets out plan for post-quantum encryptionπ Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
Quantum leap: Biden administration commits to ensuring US leadership in emerging tech
Government sets out plan for post-quantum encryption
π΄ Security Stuff Happens: Where Do You Go From Here? π΄
π Read
via "Dark Reading".
Despite what it may feel like when you're in the trenches after a security incident, the world doesn't stop moving. (Part 3 of a series.)π Read
via "Dark Reading".
Darkreading
Security Stuff Happens: Where Do You Go From Here?
Despite what it may feel like when you're in the trenches after a security incident, the world doesn't stop moving. (Part 3 of a series.)
βΌ CVE-2022-30286 βΌ
π Read
via "National Vulnerability Database".
pyscriptjs (aka PyScript Demonstrator) in PyScript through 2022-05-04 allows a remote user to read Python source code.π Read
via "National Vulnerability Database".
β RubyGems supply chain rip-and-replace bug fixed β check your logs! β
π Read
via "Naked Security".
Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".π Read
via "Naked Security".
Naked Security
RubyGems supply chain rip-and-replace bug fixed β check your logs!
Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself βFrankβ.
β You didnβt leave enough space between ROSE and AND, and AND and CROWN β
π Read
via "Naked Security".
What weird Google Docs bug connects the words THEREFORE, AND, SECONDLY, WHY, BUT and BESIDES?π Read
via "Naked Security".
Naked Security
You didnβt leave enough space between ROSE and AND, and AND and CROWN
What weird Google Docs bug connects the words THEREFORE, AND, SECONDLY, WHY, BUT and BESIDES?
βΌ CVE-2022-23332 βΌ
π Read
via "National Vulnerability Database".
Command injection vulnerability in Manual Ping Form (Web UI) in Shenzhen Ejoin Information Technology Co., Ltd. ACOM508/ACOM516/ACOM532 609-915-041-100-020 allows a remote attacker to inject arbitrary code via the field.π Read
via "National Vulnerability Database".
βΌ CVE-2022-27224 βΌ
π Read
via "National Vulnerability Database".
An issue was discovered in Galleon NTS-6002-GPS 4.14.103-Galleon-NTS-6002.V12 4. An authenticated attacker can perform command injection as root via shell metacharacters within the Network Tools section of the web-management interface. All three networking tools are affected (Ping, Traceroute, and DNS Lookup) and their respective input fields (ping_address, trace_address, nslookup_address).π Read
via "National Vulnerability Database".
βΌ CVE-2022-1631 βΌ
π Read
via "National Vulnerability Database".
Users Account Pre-Takeover or Users Account Takeover. in GitHub repository microweber/microweber prior to 1.2.15. Victim Account Take Over. Since, there is no email confirmation, an attacker can easily create an account in the application using the VictimΓ’β¬β’s Email. This allows an attacker to gain pre-authentication to the victimΓ’β¬β’s account. Further, due to the lack of proper validation of email coming from Social Login and failing to check if an account already exists, the victim will not identify if an account is already existing. Hence, the attackerΓ’β¬β’s persistence will remain. An attacker would be able to see all the activities performed by the victim user impacting the confidentiality and attempt to modify/corrupt the data impacting the integrity and availability factor. This attack becomes more interesting when an attacker can register an account from an employeeΓ’β¬β’s email address. Assuming the organization uses G-Suite, it is much more impactful to hijack into an employeeΓ’β¬β’s account.π Read
via "National Vulnerability Database".
β FBI: Rise in Business Email-based Attacks is a $43B Headache β
π Read
via "Threat Post".
A huge spike in fraudulent activities related to attacks leveraging business email accounts is a billion-dollar-problem.π Read
via "Threat Post".
Threat Post
FBI: Rise in Business Email-based Attacks is a $43B Headache
A huge spike in fraudulent activities related to attacks leveraging business email accounts is a billion-dollar-problem.
π΄ Deloitte Launches Expanded Cloud Security Management Platform π΄
π Read
via "Dark Reading".
The CSM by Deloitte platform includes cloud security policy orchestration, cyber predictive analytics, attack surface management, and cyber cloud managed services.π Read
via "Dark Reading".
Darkreading
Deloitte Launches Expanded Cloud Security Management Platform
The CSM by Deloitte platform includes cloud security policy orchestration, cyber predictive analytics, attack surface management, and cyber cloud managed services.
βΌ CVE-2022-0814 βΌ
π Read
via "National Vulnerability Database".
The Ubigeo de PerΓΖΓΒΊ para Woocommerce WordPress plugin before 3.6.4 does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injectionsπ Read
via "National Vulnerability Database".
βΌ CVE-2022-1104 βΌ
π Read
via "National Vulnerability Database".
The Popup Maker WordPress plugin before 1.16.5 does not sanitise and escape some of its Popup settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowedπ Read
via "National Vulnerability Database".