CVE-2021-41979
Source: National Vulnerability Database
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.

CVE-2021-41977
Source: National Vulnerability Database
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.

CVE-2021-41984
Source: National Vulnerability Database
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.

CVE-2021-41986
Source: National Vulnerability Database
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.

CVE-2021-41978
Source: National Vulnerability Database
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.

CVE-2021-41981
Source: National Vulnerability Database
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2021. Notes: none.

Understanding Infrastructure-as-Code Risks in the Cloud
Source: Dark Reading
Improve overall IT administration and establish a framework to identify misconfigurations and automate the process of checking IaC before it makes it into the production environment.

Tell us what you think: The Daily Swig reader survey 2023
Source: The Daily Swig | Cybersecurity news and views
Have your say to be in with the chance to win Burp Suite swag…

BitRat Malware Gnaws at Victims With Bank Heist Data
Source: Dark Reading
Attackers have compromised a Colombian financial institution and are using a bevy of leaked customer details in further malicious activity to spread an info-gathering remote access Trojan (RAT).

CORL Technologies Introduces Proactive Third-Party Incident Response Solution for Healthcare
Source: Dark Reading
ATLANTA, Jan. 4, 2023 /PRNewswire/ -- CORL Technologies, the leading provider of risk management solutions for healthcare, today introduced Third-Party Incident Response (TPIR). This managed incident response solution allows healthcare providers to address…

CVE-2022-48216
Source: National Vulnerability Database
Uniswap Universal Router before 1.1.0 mishandles reentrancy. This would have allowed theft of funds.

CVE-2023-22464
Source: National Vulnerability Database
ViewVC is a browser interface for CVS and Subversion version control repositories. Versions prior to 1.2.3 and 1.1.30 are vulnerable to cross-site scripting. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create. Users should update to at least version 1.2.3 (if they are using a 1.2.x version of ViewVC) or 1.1.30 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds. Users can edit their ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering. Locate in your template set's `revision.ezt` file references to those changed paths, and wrap them with `[format "html"]` and `[end]`. For most users, that means that references to `[changes.copy_path]` will become `[format "html"][changes.copy_path][end]`. (This workaround should be reverted after upgrading to a patched version of ViewVC, else "copyfrom path" names will be doubly escaped.)

CVE-2023-22457
Source: National Vulnerability Database
CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to version 1.64.3, the `CKEditor.HTMLConverter` document lacked protection against Cross-Site Request Forgery (CSRF), allowing macros to be executed with the rights of the current user. If a privileged user with programming rights was tricked into executing a GET request to this document with certain parameters (e.g., via an image with a corresponding URL embedded in a comment or via a redirect), this would allow arbitrary remote code execution and the attacker could gain rights, access private information or impact the availability of the wiki. The issue has been patched in the CKEditor Integration version 1.64.3. This has also been patched in the version of the CKEditor integration that is bundled starting with XWiki 14.6 RC1. There are no known workarounds for this other than upgrading the CKEditor integration to a fixed version.

CVE-2023-22461
Source: National Vulnerability Database
The `sanitize-svg` package, a small SVG sanitizer to prevent cross-site scripting attacks, uses a deny-list-pattern to sanitize SVGs to prevent XSS. In doing so, literal `<script>`-tags and on-event handlers were detected in versions prior to 0.4.0. As a result, downstream software that relies on `sanitize-svg` and expects resulting SVGs to be safe, may be vulnerable to cross-site scripting. This vulnerability was addressed in v0.4.0. There are no known workarounds.

CVE-2023-0049
Source: National Vulnerability Database
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.1143.

CVE-2023-22465
Source: National Vulnerability Database
Http4s is a Scala interface for HTTP services. Starting with version 0.1.0 and prior to versions 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38, the `User-Agent` and `Server` header parsers are susceptible to a fatal error on certain inputs. In http4s, modeled headers are lazily parsed, so this only applies to services that explicitly request these typed headers. Fixes are released in 0.21.34, 0.22.15, 0.23.17, and 1.0.0-M38. As a workaround, use the weakly typed header interface.

CVE-2022-45875
Source: National Vulnerability Database
Improper validation of script alert plugin parameters in Apache DolphinScheduler leads to a remote command execution vulnerability. This issue affects Apache DolphinScheduler version 3.0.1 and prior versions; version 3.1.0 and prior versions.

CVE-2023-22463
Source: National Vulnerability Database
KubePi is a k8s panel. The jwt authentication function of KubePi through version 1.6.2 uses hard-coded Jwtsigkeys, resulting in the same Jwtsigkeys for all online projects. This means that an attacker can forge any jwt token to take over the administrator account of any online project. Furthermore, they may use the administrator to take over the k8s cluster of the target enterprise. In `session.go`, the use of a hard-coded JwtSigKey allows an attacker to use this value to forge jwt tokens arbitrarily. The JwtSigKey is confidential and should not be hard-coded in the code. The vulnerability has been fixed in 1.6.3. In the patch, the JWT key is specified in app.yml. If the user leaves it blank, a random key will be used. There are no workarounds aside from upgrading.

CVE-2023-22460
Source: National Vulnerability Database
go-ipld-prime is an implementation of the InterPlanetary Linked Data (IPLD) spec interfaces, batteries-included codec implementations of IPLD for CBOR and JSON, and tooling for basic operations on IPLD objects. Encoding data which contains a Bytes kind Node will pass a Bytes token to the JSON encoder, which will panic as it doesn't expect to receive Bytes tokens. Such an encode should be treated as an error, as plain JSON should not be able to encode Bytes. This only impacts uses of the `json` codec. `dag-json` is not impacted. Use of `json` as a decoder is not impacted. This issue is fixed in v0.19.0. As a workaround, one may prefer the `dag-json` codec, which has the ability to encode bytes.

Inside a scammers' lair: Ukraine busts 40 in fake bank call-centre raid
Source: Naked Security
When someone calls you up to warn you that your bank account is under attack, it's true, because THAT VERY PERSON is the one attacking you!

Car companies massively exposed to web vulnerabilities
Source: The Daily Swig | Cybersecurity news and views
Grand hack auto