IEC104 v1.0 contains a stack-buffer overflow in the parameter Iec10x_Sta_Addr.
A heap buffer overflow in the client_example1.c component of libiec_iccp_mod v1.5 leads to a denial of service (DoS).
VMware Workspace ONE Access and Identity Manager unintentionally provide a login interface on port 7443. A malicious actor with network access to port 7443 may attempt user enumeration or brute force the login endpoint, which may or may not be practic…
VMware Workspace ONE Access and Identity Manager allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. A malicious actor with network access to port 443 could tamper with host headers to…
VMware Workspace ONE UEM REST API contains a denial of service vulnerability. A malicious actor with access to /API/system/admins/session could cause an API denial of service due to improper rate limiting.
August 2021 Security Intelligence Roundup: Pipeline Changes, Social Engineering and Software Supply Chain Attacks
by Megan Crouse
Ransomware catches people’s attention in part because it feeds on emotion. People click on links without looking at them first, and this remains one of the most common vectors for attack. While it may seem like the internet is filled with the same advice over and over again, even the most attentive person can slip […]
by Tara Seals
A pair of unpatched security vulnerabilities can allow unauthenticated cyberattackers to turn off window, door and motion-sensor monitoring.
by Lynn Greiner
It’s official: Microsoft has announced that it will begin pushing the free Windows 11 upgrade to compatible PCs on October 5. The rollout will be phased, the company said in a blog post announcing the release date, beginning with new PCs, then moving on to other eligible devices based on, it said, “intelligence models […]
The post Windows 11 release date announced; no Android app support at launch first appeared on IT World Canada.
by Graham Cluley
The notorious Ragnarok ransomware gang appears to have abruptly closed its operations and entered retirement, releasing a universal decryption key for its past victims.
Read more in my article on the Hot for Security blog.
Soft skills are just as important, if not more so, than technical skills in cybersecurity professionals. People with soft skills can be trained in tech skills, expert says.
by David Braue
Australian CISOs and system administrators could face jail time unless they help authorities surreptitiously hack the accounts of their network users — a possibility that has suddenly emerged with the rapid passage of what the Law Council of Australia’…
ESET cybersecurity expert Marc-Étienne Léveillé analyses in depth Quebec’s vaccine proof apps VaxiCode and VaxiCode Verif.
The post Flaw in the Quebec vaccine passport: analysis appeared first on WeLiveSecurity
ESET researchers explain the details of a flaw discovered in VaxiCode Vérif, the mobile application used to verify Quebec vaccination proofs.
The post Flaw in the Quebec vaccine passport: analysis (French version) appeared first on …
by Paul Ducklin
Recursion [noun]: see recursion.
Identity and access management is pushing application security past single-factor authentication (a password), and even past multi-factor authentication, to a risk management model, says the CEO of Ping Identity.
Andre Durand, Founder and CEO of Ping Identity, talks about how identity and access management is changing software development and application security in this Dynamic Developer episode.
by Roger Grimes
One of the most common mantras in security awareness training is “Examine the URL to determine if it points to the legitimate vendor or not!”
A stored cross-site scripting (XSS) vulnerability exists in FileBrowser < v2.16.0 that allows an authenticated user who is authorized to upload files to upload a malicious .svg file, which acts as a stored XSS payload. If this stored XSS payload is triggered by an administ…
Improper Authorization in multiple functions in MIK.starlight 126.96.36.19963 allows an authenticated attacker to escalate privileges.
The function AdminGetFirstFileContentByFilePath in MIK.starlight 188.8.131.5263 allows (by design) an authenticated attacker to read arbitrary files from the filesystem by specifying the file path.
An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.
detect-character-encoding is a package for detecting character encoding using ICU. In detect-character-encoding v0.3.0 and earlier, allocated memory is not released. The problem has been patched in detect-character-encoding v0.3.1.
Use of a hard-coded cryptographic key in MIK.starlight 184.108.40.20663 allows local users to decrypt credentials via unspecified vectors.
OpenOLAT is a web-based learning management system (LMS). A path traversal vulnerability exists in versions prior to 15.3.18, 15.5.3, and 16.0.0. Using a specially prepared ZIP file, it is possible to overwrite any file that is writable by the applicat…
Deserialization of untrusted data in multiple functions in MIK.starlight 220.127.116.1163 allows authenticated remote attackers to execute operating system commands by crafting serialized objects.
HashiCorp Vault Enterprise 0.9.2 through 1.6.2 allowed the read of license metadata from DR secondaries without authentication. Fixed in 1.6.3.
Tom Merritt tells us the things that are getting in the way of autonomous car adoption.
Authentication sans password is already possible and solutions are on the market from companies like Ping Identity. With passwords passé, it’s time to make the leap to better security.
by Amer Owaida
The federal agency urges organizations to ditch the bad practice and instead use multi-factor authentication methods.
The post Don’t use single‑factor authentication, warns CISA appeared first on WeLiveSecurity
`@npmcli/arborist`, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents w…
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room. The vulnera…
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of th…
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a…
`@npmcli/arborist`, the library that calculates dependency trees and manages the `node_modules` folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents…
A flaw has been found in libssh in versions prior to 0.9.6. The SSH protocol keeps track of two shared secrets during the lifetime of the session. One of them is called secret_hash and the other session_id. Initially, both of them are the same, but aft…
A vulnerability found in UniFi Protect application V1.18.1 and earlier allows a malicious actor with a view-only role and network access to gain the same privileges as the owner of the UniFi Protect application. This vulnerability is fixed in UniFi Pro…
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a …
Tizen RT RTOS version 3.0.GBB is vulnerable to integer wrap-around in functions_calloc and mm_zalloc. This improper memory assignment can lead to arbitrary memory allocation, resulting in unexpected behavior such as a crash.
A memory corruption vulnerability exists in the XML-parsing CreateLabelOrAttrib functionality of AT&T Labs’ Xmill 0.7. A specially crafted XML file can lead to a heap buffer overflow. An attacker can provide a malicious file to t…