ATTENTION! New - CVE-2018-12303
via "National Vulnerability Database".
Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via directory names.
ATTENTION! New - CVE-2018-12302
via "National Vulnerability Database".
Missing HTTPOnly flag on session cookies in the Seagate NAS OS version 4.3.15.1 web application allows attackers to steal session tokens via cross-site scripting.
ATTENTION! New - CVE-2018-12301
via "National Vulnerability Database".
Unvalidated URL in Download Manager in Seagate NAS OS version 4.3.15.1 allows attackers to access the loopback interface via a Download URL of 127.0.0.1 or localhost.
ATTENTION! New - CVE-2018-12300
via "National Vulnerability Database".
Arbitrary Redirect in echo-server.html in Seagate NAS OS version 4.3.15.1 allows attackers to disclose information in the Referer header via the 'state' URL parameter.
ATTENTION! New - CVE-2018-12299
via "National Vulnerability Database".
Cross-site scripting in filebrowser in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via uploaded file names.
ATTENTION! New - CVE-2018-12298
via "National Vulnerability Database".
Directory Traversal in filebrowser in Seagate NAS OS 4.3.15.1 allows attackers to read files within the application's container via a URL path.
ATTENTION! New - CVE-2018-12297
via "National Vulnerability Database".
Cross-site scripting in API error pages in Seagate NAS OS version 4.3.15.1 allows attackers to execute JavaScript via URL path names.
ATTENTION! New - CVE-2018-12296
via "National Vulnerability Database".
Insufficient access control in /api/external/7.0/system.System.get_infos in Seagate NAS OS version 4.3.15.1 allows attackers to obtain information about the NAS without authentication via empty POST requests.
ATTENTION! New - CVE-2018-12295
via "National Vulnerability Database".
SQL injection in folderViewSpecific.psp in Seagate NAS OS version 4.3.15.1 allows attackers to execute arbitrary SQL commands via the dirId URL parameter.
How Open Testing Standards Can Improve Security
via "Dark Reading".
When creating security metrics, it's critical that test methodologies cover multiple scenarios to ensure that devices perform as expected in all environments.
How to use SFTP with a chroot jail
via "Security on TechRepublic".
Lock down all SFTP users on your data center Linux servers with a chroot jail.
ATTENTION! New - CVE-2012-6652
via "National Vulnerability Database".
Directory traversal vulnerability in pageflipbook.php script from index.php in Page Flip Book plugin for WordPress (wppageflip) allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pageflipbook_language parameter.
ThreatList: Top 5 Most Dangerous Attachment Types
via "Threatpost".
From ZIP attachments spreading Gandcrab, to DOC files distributing Trickbot, researchers tracked five widescale spam campaigns in 2019 that have made use of malicious attachments.
ScarCruft APT Adds Bluetooth Harvester to its Malware Bag of Tricks
via "Threatpost".
In its latest observed campaign, there were also overlaps in victimology with the DarkHotel APT.
78% of Consumers Say Online Companies Must Protect Their Info
via "Dark Reading".
Yet 68% of US consumers agree they also must do more to protect their own information.
Poorly Configured Server Exposes Most Panama Citizens' Data
via "Dark Reading".
Compromised information includes full names, birth dates, national ID numbers, medical insurance numbers, and other personal data.
ATTENTION! New - CVE-2015-9287
via "National Vulnerability Database".
Directory Traversal was discovered in University of Cambridge mod_ucam_webauth before 2.0.2. The key identification field ("kid") of the IdP's HTTP response message ("WLS-Response") can be manipulated by an attacker. The "kid" field is not signed like the rest of the message, and manipulation is therefore trivial. The "kid" field should only ever represent an integer. However, it is possible to provide any string value. An attacker could use this to their advantage to force the application agent to load the RSA public key required for message integrity checking from an unintended location.
FTC Backs Federal Privacy Law As Long As It Can Enforce It
via "Digital Guardian (Subscriber Blog RSS Feed)".
The FTC told Congress last week that if a national privacy law gets passed, it wants more resources and greater authority to impose penalties under it.
Attacks on JavaScript Services Leak Info From Websites
via "Dark Reading".
Three marketing tools, including the Best Of The Web security logomark, were compromised in supply chain attacks, allegedly leaving website customers leaking their users' sensitive information.
Twitter Leaks Apple iOS Users' Location Data to Ad Partner
via "Threatpost".
A Twitter glitch "inadvertently" leaked iOS users' location data to an unnamed partner.
LockerGoga, MegaCortex Ransomware Share Unlikely Traits
via "Dark Reading".
New form of ransomware MegaCortex shares commonalities with LockerGoga, enterprise malware recently seen in major cyberattacks.