βΌ CVE-2021-39252 βΌ
π Read
via "National Vulnerability Database".
A crafted NTFS image can cause an out-of-bounds read in ntfs_ie_lookup in NTFS-3G < 2021.8.22.π Read
via "National Vulnerability Database".
βΌ CVE-2021-33287 βΌ
π Read
via "National Vulnerability Database".
Tuxera NTFS-3G versions < 2021.8.22, when specially crafted NTFS attributes are read in the function ntfs_attr_pread_i, a heap buffer overflow can occur and allow for writing to arbitrary memory or denial of service of the application.π Read
via "National Vulnerability Database".
βΌ CVE-2021-33286 βΌ
π Read
via "National Vulnerability Database".
In Tuxera NTFS-3G versions < 2021.8.22, when a specially crafted unicode string is supplied in an NTFS image a heap buffer overflow can occur and allow for code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2021-35266 βΌ
π Read
via "National Vulnerability Database".
In Tuxera NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode pathname is supplied in an NTFS image a heap buffer overflow can occur resulting in memory disclosure, denial of service and even code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2020-19131 βΌ
π Read
via "National Vulnerability Database".
Buffer Overflow in LibTiff v4.0.10 allows attackers to cause a denial of service via the "invertImage()" function in the component "tiffcrop".π Read
via "National Vulnerability Database".
βΌ CVE-2021-39261 βΌ
π Read
via "National Vulnerability Database".
A crafted NTFS image can cause a heap-based buffer overflow in ntfs_compressed_pwrite in NTFS-3G < 2021.8.22.π Read
via "National Vulnerability Database".
βΌ CVE-2020-7832 βΌ
π Read
via "National Vulnerability Database".
A vulnerability (improper input validation) in the DEXT5 Upload solution allows an unauthenticated attacker to download and execute an arbitrary file via AddUploadFile, SetSelectItem, DoOpenFile function.(CVE-2020-7832)π Read
via "National Vulnerability Database".
βΌ CVE-2021-35268 βΌ
π Read
via "National Vulnerability Database".
Tuxera NTFS-3G versions < 2021.8.22, when a specially crafted NTFS inode is loaded in the function ntfs_inode_real_open, a heap buffer overflow can occur allowing for code execution and escalation of privileges.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39255 βΌ
π Read
via "National Vulnerability Database".
A crafted NTFS image can trigger an out-of-bounds read, caused by an invalid attribute in ntfs_attr_find_in_attrdef, in NTFS-3G < 2021.8.22.π Read
via "National Vulnerability Database".
β ProtonMail Forced to Log IP Address of French Activist β
π Read
via "Threat Post".
The privacy-touting, end-to-end encrypted email provider erased its site's βwe donβt log your IPβ boast after France sicced Swiss cops on it.π Read
via "Threat Post".
Threat Post
ProtonMail Forced to Log IP Address of French Activist
The privacy-touting, end-to-end encrypted email provider erased its site's βwe donβt log your IPβ boast after France sicced Swiss cops on it.
β Jenkins Hit as Atlassian Confluence Cyberattacks Widen β
π Read
via "Threat Post".
Patch now: The popular biz-collaboration platform is seeing mass scanning and exploitation just two weeks after a critical RCE bug was disclosed.π Read
via "Threat Post".
Threat Post
Jenkins Hit as Atlassian Confluence Cyberattacks Widen
Patch now: The popular biz-collaboration platform is seeing mass scanning and exploitation just two weeks after a critical RCE bug was disclosed.
π¦Ώ How to control activity tracking by apps on your iPhone or iPad π¦Ώ
π Read
via "Tech Republic".
You can tell iOS and iPadOS apps not to track your activity. Here's how.π Read
via "Tech Republic".
TechRepublic
How to control activity tracking by apps on your iPhone or iPad
You can tell iOS and iPadOS apps not to track your activity. Here's how.
βΌ CVE-2021-40539 βΌ
π Read
via "National Vulnerability Database".
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38123 βΌ
π Read
via "National Vulnerability Database".
Open Redirect vulnerability in Micro Focus Network Automation, affecting Network Automation versions 10.4x, 10.5x, 2018.05, 2018.11, 2019.05, 2020.02, 2020.08, 2020.11, 2021.05. The vulnerability could allow redirect users to malicious websites after authentication.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39197 βΌ
π Read
via "National Vulnerability Database".
better_errors is an open source replacement for the standard Rails error page with more information rich error pages. It is also usable outside of Rails in any Rack app as Rack middleware. better_errors prior to 2.8.0 did not implement CSRF protection for its internal requests. It also did not enforce the correct "Content-Type" header for these requests, which allowed a cross-origin "simple request" to be made without CORS protection. These together left an application with better_errors enabled open to cross-origin attacks. As a developer tool, better_errors documentation strongly recommends addition only to the `development` bundle group, so this vulnerability should only affect development environments. Please ensure that your project limits better_errors to the `development` group (or the non-Rails equivalent). Starting with release 2.8.x, CSRF protection is enforced. It is recommended that you upgrade to the latest release, or minimally to "~> 2.8.3". There are no known workarounds to mitigate the risk of using older releases of better_errors.π Read
via "National Vulnerability Database".
βΌ CVE-2021-38142 βΌ
π Read
via "National Vulnerability Database".
Barco MirrorOp Windows Sender before 2.5.3.65 uses cleartext HTTP and thus allows rogue software upgrades. An attacker on the local network can achieve remote code execution on any computer that tries to update Windows Sender due to the fact that the upgrade mechanism is not secured (is not protected with TLS).π Read
via "National Vulnerability Database".
βΌ CVE-2021-39195 βΌ
π Read
via "National Vulnerability Database".
Misskey is an open source, decentralized microblogging platform. In affected versions a Server-Side Request Forgery vulnerability exists in "Upload from URL" and remote attachment handling. This could result in the disclosure of non-public information within the internal network. This has been fixed in 12.90.0. However, if you are using a proxy, you will need to take additional measures. As a workaround this exploit may be avoided by appropriately restricting access to private networks from the host where the application is running.π Read
via "National Vulnerability Database".
βΌ CVE-2021-35947 βΌ
π Read
via "National Vulnerability Database".
The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39196 βΌ
π Read
via "National Vulnerability Database".
pcapture is an open source dumpcap web service interface . In affected versions this vulnerability allows an authenticated but unprivileged user to use the REST API to capture and download packets with no capture filter and without adequate permissions. This is important because the capture filters can effectively limit the scope of information that a user can see in the data captures. If no filter is present, then all data on the local network segment where the program is running can be captured and downloaded. v3.12 fixes this problem. There is no workaround, you must upgrade to v3.12 or greater.π Read
via "National Vulnerability Database".
βΌ CVE-2021-39199 βΌ
π Read
via "National Vulnerability Database".
remark-html is an open source nodejs library which compiles Markdown to HTML. In affected versions the documentation of remark-html has mentioned that it was safe by default. In practice the default was never safe and had to be opted into. That is, user input was not sanitized. This means arbitrary HTML can be passed through leading to potential XSS attacks. The problem has been patched in 13.0.2 and 14.0.1: `remark-html` is now safe by default, and the implementation matches the documentation. On older affected versions, pass `sanitize: true` if you cannot update.π Read
via "National Vulnerability Database".