‼ CVE-2021-41556 ‼
📖 Read
via "National Vulnerability Database".
sqclass.cpp in Squirrel through 2.2.5 and 3.x through 3.1 allows an out-of-bounds read (in the core interpreter) that can lead to Code Execution. If a victim executes an attacker-controlled squirrel script, it is possible for the attacker to break out of the squirrel script sandbox even if all dangerous functionality such as File System functions has been disabled. An attacker might abuse this bug to target (for example) Cloud services that allow customization via SquirrelScripts, or distribute malware through video games that embed a Squirrel Engine.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-2564 ‼
📖 Read
via "National Vulnerability Database".
Prototype Pollution in GitHub repository automattic/mongoose prior to 6.4.6.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-34578 ‼
📖 Read
via "National Vulnerability Database".
Open Source Point of Sale v3.3.7 was discovered to contain an arbitrary file upload vulnerability via the Update Branding Settings page.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-29360 ‼
📖 Read
via "National Vulnerability Database".
The Email Viewer in RainLoop through 1.6.0 allows XSS via a crafted email message.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-1799 ‼
📖 Read
via "National Vulnerability Database".
Incorrect signature trust exists within Google Play services SDK play-services-basement. A debug version of Google Play services is trusted by the SDK for devices that are non-GMS. We recommend upgrading the SDK past the 2022-05-03 release.📖 Read
via "National Vulnerability Database".
‼ CVE-2021-3601 ‼
📖 Read
via "National Vulnerability Database".
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. OpenSSL does not class this issue as a security vulnerability. The trusted CA store should not contain anything that the user does not trust to issue other certificates. Notes: https://github.com/openssl/openssl/issues/5236#issuecomment-1196460611📖 Read
via "National Vulnerability Database".
‼ CVE-2022-24912 ‼
📖 Read
via "National Vulnerability Database".
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.📖 Read
via "National Vulnerability Database".
⚠ S3 Ep93: Office security, breach costs, and leisurely patches [Audio + Text] ⚠
📖 Read
via "Naked Security".
Latest episode - listen now!📖 Read
via "Naked Security".
Naked Security
S3 Ep93: Office security, breach costs, and leisurely patches [Audio + Text]
Latest episode – listen now!
‼ CVE-2022-1277 ‼
📖 Read
via "National Vulnerability Database".
Inavitas Solar Log product has an unauthenticated SQL Injection vulnerability.📖 Read
via "National Vulnerability Database".
🕴 3 Tips for Creating a Security Culture 🕴
📖 Read
via "Dark Reading".
Trying to get the whole organization on board with better cybersecurity is much tougher than it may sound.📖 Read
via "Dark Reading".
Dark Reading
3 Tips for Creating a Security Culture
Trying to get the whole organization on board with better cybersecurity is much tougher than it may sound.
🗓️ XSS vulnerabilities in Google Cloud, Google Play could lead to account hijacks 🗓️
📖 Read
via "The Daily Swig".
Reflected XSS and DOM-based XSS bugs net researchers $3,000 and $5,000 bug bounties📖 Read
via "The Daily Swig".
🛠 Faraday 4.0.4 🛠
📖 Read
via "Packet Storm Security".
Faraday is a tool that introduces a new concept called IPE, or Integrated Penetration-Test Environment. It is a multiuser penetration test IDE designed for distribution, indexation and analysis of the generated data during the process of a security audit. The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.📖 Read
via "Packet Storm Security".
Packetstormsecurity
Faraday 4.0.4 ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers
❌ Malicious Npm Packages Tapped Again to Target Discord Users ❌
📖 Read
via "Threat Post".
Recent LofyLife campaign steals tokens and infects client files to monitor various user actions, such as log-ins, password changes and payment methods.📖 Read
via "Threat Post".
Threat Post
Malicious Npm Packages Tapped Again to Target Discord Users
Recent LofyLife campaign steals tokens and infects client files to monitor various user actions, such as log-ins, password changes and payment methods.
🕴 Malicious npm Packages Scarf Up Discord Tokens, Credit Card Info 🕴
📖 Read
via "Dark Reading".
The campaign uses four malicious packages to spread "Volt Stealer" and "Lofy Stealer" malware in the open source npm software package repository.📖 Read
via "Dark Reading".
Dark Reading
Malicious npm Packages Scarf Up Discord Tokens, Credit Card Info
The campaign uses four malicious packages to spread "Volt Stealer" and "Lofy Stealer" malware in the open source npm software package repository.
⚠ How to celebrate SysAdmin Day! ⚠
📖 Read
via "Naked Security".
I've just popped in to wish you all/The best SysAdmin Day!📖 Read
via "Naked Security".
Sophos News
Naked Security – Sophos News
🗓️ GitHub Actions workflow flaws provided write access to projects including Logstash 🗓️
📖 Read
via "The Daily Swig".
Malicious builds and wider infrastructural compromise were worst-case scenarios📖 Read
via "The Daily Swig".
The Daily Swig | Cybersecurity news and views
GitHub Actions workflow flaws provided write access to projects including Logstash
Malicious builds and wider infrastructural compromise were worst-case scenarios
🔏 Friday Five 7/29 🔏
📖 Read
via "".
Read about new findings from IBM's most recent Cost of a Data Breach Report, a data breach that could affect over 5 million Twitter users, the latest cybersecurity legislation making its way through Congress, and more all in this week's Friday Five!
📖 Read
via "".
‼ CVE-2022-2576 ‼
📖 Read
via "National Vulnerability Database".
In Eclipse Californium version 2.0.0 to 2.7.2 and 3.0.0-3.5.0 a DTLS resumption handshake falls back to a DTLS full handshake on a parameter mismatch without using a HelloVerifyRequest. Especially, if used with certificate based cipher suites, that results in message amplification (DDoS other peers) and high CPU load (DoS own peer). The misbehavior occurs only with DTLS_VERIFY_PEERS_ON_RESUMPTION_THRESHOLD values larger than 0.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-35643 ‼
📖 Read
via "National Vulnerability Database".
IBM PowerVM VIOS 3.1 could allow a remote attacker to tamper with system configuration or cause a denial of service. IBM X-Force ID: 230956.📖 Read
via "National Vulnerability Database".
‼ CVE-2022-36123 ‼
📖 Read
via "National Vulnerability Database".
The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This allows Xen PV guest OS users to cause a denial of service or gain privileges.📖 Read
via "National Vulnerability Database".
🕴 Big Questions Remain Around Massive Shanghai Police Data Breach 🕴
📖 Read
via "Dark Reading".
Why was PII belonging to nearly 1 billion people housed in a single, open database? Why didn't anyone notice it was downloaded?📖 Read
via "Dark Reading".
Dark Reading
Big Questions Remain Around Massive Shanghai Police Data Breach
Why was PII belonging to nearly 1 billion people housed in a single, open database? Why didn't anyone notice it was downloaded?
👍2