Alerts

ECHO Network · 17 April 2021

Tutorial for secure programming in React that would cover major vulnerabilities

Cybersecurity experts note that if the content of links is built from user input, an attacker can inject malicious code into the affected application; if a user then follows the tampered link, the attacker's script runs in the browser.
ECHO Network · 17 April 2021

Pandemic Drives Greater Need for Endpoint Security

So far, it is an uphill battle, according to the Dark Reading 2021 State of Endpoint Security survey. More than half (57%) of security professionals believe changes to the endpoint environment wrought by the coronavirus pandemic have significantly increased the risk of a major data breach.
ECHO Network · 17 April 2021

NA - CVE-2021-26830 - SQL Injection in Tribalsystems Zenario CMS...

This vulnerability is currently undergoing analysis and not all information is available. Please check back soon to view the completed vulnerability summary. SQL Injection in Tribalsystems Zenario CMS 8.8.52729 allows remote attackers to access the database or delete the plugin. This is accomplished via the `ID` input field of ajax.
ECHO Network · 17 April 2021

NA - CVE-2021-31348 - An issue was discovered in libezxml.a in ezXML...

This vulnerability is currently undergoing analysis and not all information is available. Please check back soon to view the completed vulnerability summary. An issue was discovered in libezxml.a in ezXML 0.8.6. The function ezxml_parse_str() performs incorrect memory handling while parsing crafted...
ECHO Network · 17 April 2021

CVE-2021-27600 (manufacturing_execution)

Current description: SAP Manufacturing Execution (System Rules), versions 15.1, 15.2, 15.3, 15.4, allows an authorized attacker to embed malicious code into an HTTP parameter and send it to the server because the SAP Manufacturing Execution (System Rules) tab does not sufficiently encode some parameters...
ECHO Network · 17 April 2021

CVE-2021-27394

Description: A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions < V8.
NVD: all CVE · 17 April 2021

CVE-2021-29445

jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4, AES_CBC_HMAC_SHA2 algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when a padding error occurred while decrypting the ciphertext creates a padding oracle, and an adversary might be able to use that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `>=3.11.4`. Users should upgrade to `^3.11.4`.
NVD: all CVE · 17 April 2021

CVE-2021-29446

jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4, AES_CBC_HMAC_SHA2 algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when a padding error occurred while decrypting the ciphertext creates a padding oracle, and an adversary might be able to use that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `>=3.11.4`. Users should upgrade to `^3.11.4`.
NVD: all CVE · 17 April 2021

CVE-2021-29451

Portofino is an open source web development framework. Portofino before version 5.2.1 did not properly verify the signature of JSON Web Tokens. This allows forging a valid JWT. The issue will be patched in the upcoming 5.2.1 release.
NVD: all CVE · 17 April 2021

CVE-2021-29452

a12n-server is an npm package which aims to provide a simple authentication system. A new HAL-Form was added to allow editing users in version 0.18.0. This feature should only have been accessible to admins. Unfortunately, privileges were incorrectly checked allowing any logged in user to make this change. Patched in v0.18.2.
NVD: all CVE · 17 April 2021

CVE-2021-29444

jose-browser-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4, AES_CBC_HMAC_SHA2 algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption; if either failed, `JWEDecryptionFailed` would be thrown. But a possibly observable difference in timing when a padding error occurred while decrypting the ciphertext creates a padding oracle, and an adversary might be able to use that oracle to decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). A patch was released which ensures the HMAC tag is verified before performing CBC decryption. The fixed versions are `>=3.11.4`. Users should upgrade to `^3.11.4`.
ECHO Network · 16 April 2021

CVE-2020-9668

Adobe Genuine Service version 6.6 (and earlier) is affected by an Improper Access control vulnerability when handling symbolic links. An unauthenticated attacker could exploit this to elevate privileges in the context of the current user.
ECHO Network · 16 April 2021

CVE-2020-9667

Adobe Genuine Service version 6.6 (and earlier) is affected by an Uncontrolled Search Path Element vulnerability. An authenticated attacker could exploit this to plant custom binaries and execute them with System permissions. Exploitation of this issue requires user interaction.
ECHO Network · 16 April 2021

High-Level Admin of FIN7 Cybercrime Group Sentenced to 10 Years in Prison

A high-level manager of cybercrime group FIN7, also known as the Carbanak Group and the Navigator Group, has been sentenced to ten years in prison, the Department of Justice reports. FIN7 has operated since at least 2015 and had more than 70 people organized into business units and teams.
ECHO Network · 16 April 2021

Microsoft Edge's update server is down - shows 0x800421F7 error

Microsoft Edge's update server is suffering a worldwide outage preventing users from updating to the newly released version 90 of the web browser. Yesterday, Microsoft released Edge 90 with new features, such as a Kids Mode, the new download flyout, better font rendering, and improved PDF printing.
ECHO Network · 16 April 2021

Top CVE List for Q1 2021: CloudPassage Vulnerability Report

The Threat Intelligence team at CloudPassage is in a continuous ARR (Anticipate, Research, Respond) loop. Our Real-Time Vulnerability Alerting Engine harnesses public data and applies proprietary data analytics to cut through the noise and get real-time alerts for highly seismic cloud vulnerability...
Linux security Advisories · 16 April 2021

openSUSE: 2021:0565-1 moderate: opensc

An update that fixes 8 vulnerabilities is now available.
Linux security Advisories · 16 April 2021

openSUSE: 2021:0563-1 moderate: wpa_supplicant

An update that fixes one vulnerability is now available.
NVD: all CVE · 16 April 2021

CVE-2021-27394

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions < V8.6.9), Mendix Applications using Mendix 9 (All versions < V9.0.5). Authenticated, non-administrative users could modify their privileges by manipulating the user role under certain circumstances, allowing them to gain administrative privileges.
ECHO Network · 16 April 2021

Fedora 32: gnuchess 2021-a58cb9bc7a

Patch for CVE-2021-30184. Fedora Update Notification FEDORA-2021-a58cb9bc7a, 2021-04-16 14:42:40.037684. Name: gnuchess. Product: Fedora 32. Version: 6.