Pwn2Own hacking schedule released - Windows and Linux are top targets
via "Naked Security".
What's better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?
S3 Ep83: Cracking passwords, patching Firefox, and Apple vulns [Podcast]
via "Naked Security".
Latest episode - listen now!
6 Scary Tactics Used in Mobile App Attacks
via "Dark Reading".
Mobile attacks have been going on for many years, but the threat is rapidly evolving as more sophisticated malware families with novel features enter the scene.
Encrypted email service CTemplar announces closure
via "The Daily Swig".
Privacy-focused service to shut down by the end of the month
CVE-2022-1785
via "National Vulnerability Database".
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.
Active attacks against VMware flaws prompt emergency update directive
via "The Daily Swig".
CISA orders US federal agencies to implement patches ASAP
CVE-2021-41938
via "National Vulnerability Database".
An issue was discovered in ShopXO CMS 2.2.0. After entering the management page, there is an arbitrary file upload vulnerability in three locations.
CVE-2022-22976
via "National Vulnerability Database".
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
CVE-2021-37413
via "National Vulnerability Database".
GRANDCOM DynWEB before 4.2 contains a SQL Injection vulnerability in the admin login interface. A remote unauthenticated attacker can exploit this vulnerability to obtain administrative access to the webpage, access the user database, modify web content and upload custom files. The backend login script does not verify and sanitize user-provided strings.
CVE-2021-26631
via "National Vulnerability Database".
An improper input validation vulnerability in the Mangboard commerce package allows abnormal requests to be processed. A remote attacker can exploit this vulnerability to manipulate the total order amount into a negative number and then pay for the order.
CVE-2022-22978
via "National Vulnerability Database".
In Spring Security versions 5.5.6 and 5.5.7 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
CVE-2021-26630
via "National Vulnerability Database".
Improper input validation vulnerability in HANDY Groupware's ActiveX module allows attackers to download or execute arbitrary files. This vulnerability can be exploited by using the file download or execution path as the parameter value of the vulnerable function.
CVE-2022-30018
via "National Vulnerability Database".
Mobotix Control Center (MxCC) through 2.5.4.5 has Insufficiently Protected Credentials, Storing Passwords in a Recoverable Format via the MxCC.ini config file. The credential storage method in this software enables an attacker/user of the machine to gain admin access to the software and gain access to recordings/recording locations.
CVE-2021-45730
via "National Vulnerability Database".
JFrog Artifactory prior to 7.31.10 is vulnerable to Broken Access Control where a Project Admin is able to create, edit and delete Repository Layouts while Repository Layouts configuration should only be available for Platform Administrators.
CVE-2022-1730
via "National Vulnerability Database".
Cross-site Scripting (XSS) - Stored in GitHub repository jgraph/drawio prior to 18.0.4.
Dig Exits Stealth With $11M for Cloud Data Detection and Response Solution
via "Dark Reading".
CrowdStrike and CyberArk invest in Dig's seed round, which was led by Team8, alongside Merlin Ventures and chairs of MongoDB and Exabeam.
Majority of Kubernetes API Servers Exposed to the Public Internet
via "Dark Reading".
Shadowserver Foundation researchers find 380,000 open Kubernetes API servers.
New Bill Would Boost Cyber Sharing Between DHS and States
via "Digital Guardian".
If passed, the legislation would promote stronger cybersecurity collaboration between the Department of Homeland Security (DHS) and state and local governments.
DoJ Won't Charge 'Good Faith' Security Researchers
via "Dark Reading".
Revised policy means security analysts won't be charged under the Computer Fraud and Abuse Act.
Pro-Russian Information Operations Escalate in Ukraine War
via "Dark Reading".
In the three months since the war started, Russian operatives and those allied with the nation's interests have unleashed a deluge of disinformation and fake news to try and sow fear and confusion in Ukraine, security vendor says.
CVE-2022-30617
via "National Vulnerability Database".
An authenticated user with access to the Strapi admin panel can view private and sensitive data, such as email and password reset tokens, for other admin panel users that have a relationship (e.g., created by, updated by) with content accessible to the authenticated user. For example, a low-privileged "author" role account can view these details in the JSON response for an "editor" or "super admin" that has updated one of the author's blog posts. There are also many other scenarios where such details from other users can leak in the JSON response, either through a direct or indirect relationship. Access to this information enables a user to compromise other users' accounts by successfully invoking the password reset workflow. In a worst-case scenario, a low-privileged user could get access to a "super admin" account with full control over the Strapi instance, and could read and modify any data as well as block access to both the admin panel and API by revoking privileges for all other users.